• Finn Thain's avatar
    block/swim3: Fix regression on PowerBook G3 · a36d7f03
    Finn Thain authored
    [ Upstream commit 427c5ce4 ]
    
    As of v4.20, the swim3 driver crashes when loaded on a PowerBook G3
    (Wallstreet).
    
    MacIO PCI driver attached to Gatwick chipset
    MacIO PCI driver attached to Heathrow chipset
    swim3 0.00015000:floppy: [fd0] SWIM3 floppy controller in media bay
    0.00013020:ch-a: ttyS0 at MMIO 0xf3013020 (irq = 16, base_baud = 230400) is a Z85c30 ESCC - Serial port
    0.00013000:ch-b: ttyS1 at MMIO 0xf3013000 (irq = 17, base_baud = 230400) is a Z85c30 ESCC - Infrared port
    macio: fixed media-bay irq on gatwick
    macio: fixed left floppy irqs
    swim3 1.00015000:floppy: [fd1] Couldn't request interrupt
    Unable to handle kernel paging request for data at address 0x00000024
    Faulting instruction address: 0xc02652f8
    Oops: Kernel access of bad area, sig: 11 [#1]
    BE SMP NR_CPUS=2 PowerMac
    Modules linked in:
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.20.0 #2
    NIP:  c02652f8 LR: c026915c CTR: c0276d1c
    REGS: df43ba10 TRAP: 0300   Not tainted  (4.20.0)
    MSR:  00009032 <EE,ME,IR,DR,RI>  CR: 28228288  XER: 00000100
    DAR: 00000024 DSISR: 40000000
    GPR00: c026915c df43bac0 df439060 c0731524 df494700 00000000 c06e1c08 00000001
    GPR08: 00000001 00000000 df5ff220 00001032 28228282 00000000 c0004ca4 00000000
    GPR16: 00000000 00000000 00000000 c073144c dfffe064 c0731524 00000120 c0586108
    GPR24: c073132c c073143c c073143c 00000000 c0731524 df67cd70 df494700 00000001
    NIP [c02652f8] blk_mq_free_rqs+0x28/0xf8
    LR [c026915c] blk_mq_sched_tags_teardown+0x58/0x84
    Call Trace:
    [df43bac0] [c0045f50] flush_workqueue_prep_pwqs+0x178/0x1c4 (unreliable)
    [df43bae0] [c026915c] blk_mq_sched_tags_teardown+0x58/0x84
    [df43bb00] [c02697f0] blk_mq_exit_sched+0x9c/0xb8
    [df43bb20] [c0252794] elevator_exit+0x84/0xa4
    [df43bb40] [c0256538] blk_exit_queue+0x30/0x50
    [df43bb50] [c0256640] blk_cleanup_queue+0xe8/0x184
    [df43bb70] [c034732c] swim3_attach+0x330/0x5f0
    [df43bbb0] [c034fb24] macio_device_probe+0x58/0xec
    [df43bbd0] [c032ba88] really_probe+0x1e4/0x2f4
    [df43bc00] [c032bd28] driver_probe_device+0x64/0x204
    [df43bc20] [c0329ac4] bus_for_each_drv+0x60/0xac
    [df43bc50] [c032b824] __device_attach+0xe8/0x160
    [df43bc80] [c032ab38] bus_probe_device+0xa0/0xbc
    [df43bca0] [c0327338] device_add+0x3d8/0x630
    [df43bcf0] [c0350848] macio_add_one_device+0x444/0x48c
    [df43bd50] [c03509f8] macio_pci_add_devices+0x168/0x1bc
    [df43bd90] [c03500ec] macio_pci_probe+0xc0/0x10c
    [df43bda0] [c02ad884] pci_device_probe+0xd4/0x184
    [df43bdd0] [c032ba88] really_probe+0x1e4/0x2f4
    [df43be00] [c032bd28] driver_probe_device+0x64/0x204
    [df43be20] [c032bfcc] __driver_attach+0x104/0x108
    [df43be40] [c0329a00] bus_for_each_dev+0x64/0xb4
    [df43be70] [c032add8] bus_add_driver+0x154/0x238
    [df43be90] [c032ca24] driver_register+0x84/0x148
    [df43bea0] [c0004aa0] do_one_initcall+0x40/0x188
    [df43bf00] [c0690100] kernel_init_freeable+0x138/0x1d4
    [df43bf30] [c0004cbc] kernel_init+0x18/0x10c
    [df43bf40] [c00121e4] ret_from_kernel_thread+0x14/0x1c
    Instruction dump:
    5484d97e 4bfff4f4 9421ffe0 7c0802a6 bf410008 7c9e2378 90010024 8124005c
    2f890000 419e0078 81230004 7c7c1b78 <81290024> 2f890000 419e0064 81440000
    ---[ end trace 12025ab921a9784c ]---
    
    Reverting commit 8ccb8cb1 ("swim3: convert to blk-mq") resolves the
    problem.
    
    That commit added a struct blk_mq_tag_set to struct floppy_state and
    initialized it with a blk_mq_init_sq_queue() call. Unfortunately, there
    is a memset() in swim3_add_device() that subsequently clears the
    floppy_state struct. That means fs->tag_set->ops is a NULL pointer, and
    it gets dereferenced by blk_mq_free_rqs() which gets called in the
    request_irq() error path. Move the memset() to fix this bug.
    
    BTW, the request_irq() failure for the left mediabay floppy (fd1) is not
    a regression. I don't know why it happens. The right media bay floppy
    (fd0) works fine however.
    Reported-and-tested-by: 's avatarStan Johnson <userm57@yahoo.com>
    Fixes: 8ccb8cb1 ("swim3: convert to blk-mq")
    Cc: linuxppc-dev@lists.ozlabs.org
    Signed-off-by: 's avatarFinn Thain <fthain@telegraphics.com.au>
    Signed-off-by: 's avatarJens Axboe <axboe@kernel.dk>
    Signed-off-by: 's avatarSasha Levin <sashal@kernel.org>
    a36d7f03
Name
Last commit
Last update
..
aoe Loading commit data...
drbd Loading commit data...
mtip32xx Loading commit data...
paride Loading commit data...
rsxx Loading commit data...
xen-blkback Loading commit data...
zram Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
amiflop.c Loading commit data...
ataflop.c Loading commit data...
brd.c Loading commit data...
cryptoloop.c Loading commit data...
floppy.c Loading commit data...
loop.c Loading commit data...
loop.h Loading commit data...
nbd.c Loading commit data...
null_blk.h Loading commit data...
null_blk_main.c Loading commit data...
null_blk_zoned.c Loading commit data...
pktcdvd.c Loading commit data...
ps3disk.c Loading commit data...
ps3vram.c Loading commit data...
rbd.c Loading commit data...
rbd_types.h Loading commit data...
skd_main.c Loading commit data...
skd_s1120.h Loading commit data...
sunvdc.c Loading commit data...
swim.c Loading commit data...
swim3.c Loading commit data...
swim_asm.S Loading commit data...
sx8.c Loading commit data...
umem.c Loading commit data...
umem.h Loading commit data...
virtio_blk.c Loading commit data...
xen-blkfront.c Loading commit data...
xsysace.c Loading commit data...
z2ram.c Loading commit data...