Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver

All of lore.kernel.org
 help / color / mirror / Atom feed

* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
       [not found] <bug-9179-10286@http.bugzilla.kernel.org/>
@ 2007-10-17 20:27 ` Andrew Morton
  2007-10-17 20:46     ` Dan Williams
  2007-10-17 21:10   ` [PATCH] zd1201: avoid null ptr access of skb->dev John W. Linville
  0 siblings, 2 replies; 6+ messages in thread
From: Andrew Morton @ 2007-10-17 20:27 UTC (permalink / raw)
  To: Arnaldo Carvalho de Melo; +Cc: bugme-daemon, netdev, linux-wireless, zairasai

On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9179
> 
>            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23.1
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: network-wireless
>         AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
>         ReportedBy: zairasai@googlemail.com
> 
> 
> [1.] One line summary of the problem:
> 
> 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> 
> 
> 
> 
> [2.] Full description of the problem:
> 
> The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> initialization of the WLAN device, showing the following message:
> 
> EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> Kernel panic - not syncing: Fatal exception in interrupt
> 
> According to the init output during bootup, the panic seems to occur right when
> the WLAN device receives an IP address from the DHCP-Server of the
> WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> the ZyDAS 1201 chip.
> 
> As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> done in patch-2.6.22, so the bug probably affects all kernel versions later
> than 2.6.21.7, but at least the ones i've tested (which are listed in the
> summary below). It also recently came up in some different
> distribution-specific forums/bugtrackers, so it does not seem to be specific to
> my machine/setup. A link to another report on this problem is included at the
> end of this report.
> 
> Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> which made things work as expected again; however, that is only meant as a
> hint, since i don't know why they were taken out or what other implications my
> change might have.
> 
> patch-2.6.22, lines 586509-586528:
> {{{
> diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> index 6cb66a3..935b144 100644
> --- a/drivers/net/wireless/zd1201.c
> +++ b/drivers/net/wireless/zd1201.c
> @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
>                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
>                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
>                         memcpy(skb_put(skb, len), data, len);
> -                       skb->dev = zd->dev;
>                         skb->dev->last_rx = jiffies;
>                         skb->protocol = eth_type_trans(skb, zd->dev);
>                         zd->stats.rx_packets++;
> @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
>                         memcpy(skb_put(skb, 2), &data[6], 2);
>                         memcpy(skb_put(skb, len), data+8, len);
>                 }
> -               skb->dev = zd->dev;
>                 skb->dev->last_rx = jiffies;
>                 skb->protocol = eth_type_trans(skb, zd->dev);
>                 zd->stats.rx_packets++;
> }}}
> 

Arnaldo, we have a pretty solid report here that your
4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
@ 2007-10-17 20:46     ` Dan Williams
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Williams @ 2007-10-17 20:46 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Arnaldo Carvalho de Melo, bugme-daemon, netdev, linux-wireless,
	zairasai

On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> bugme-daemon@bugzilla.kernel.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > 
> >            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> >            Product: Drivers
> >            Version: 2.5
> >      KernelVersion: 2.6.23.1
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: network-wireless
> >         AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
> >         ReportedBy: zairasai@googlemail.com
> > 
> > 
> > [1.] One line summary of the problem:
> > 
> > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > 
> > 
> > 
> > 
> > [2.] Full description of the problem:
> > 
> > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > initialization of the WLAN device, showing the following message:
> > 
> > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > Kernel panic - not syncing: Fatal exception in interrupt
> > 
> > According to the init output during bootup, the panic seems to occur right when
> > the WLAN device receives an IP address from the DHCP-Server of the
> > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > the ZyDAS 1201 chip.
> > 
> > As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > than 2.6.21.7, but at least the ones i've tested (which are listed in the
> > summary below). It also recently came up in some different
> > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > my machine/setup. A link to another report on this problem is included at the
> > end of this report.
> > 
> > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > which made things work as expected again; however, that is only meant as a
> > hint, since i don't know why they were taken out or what other implications my
> > change might have.
> > 
> > patch-2.6.22, lines 586509-586528:
> > {{{
> > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> > index 6cb66a3..935b144 100644
> > --- a/drivers/net/wireless/zd1201.c
> > +++ b/drivers/net/wireless/zd1201.c
> > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> >                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> >                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> >                         memcpy(skb_put(skb, len), data, len);
> > -                       skb->dev = zd->dev;
> >                         skb->dev->last_rx = jiffies;
> >                         skb->protocol = eth_type_trans(skb, zd->dev);
> >                         zd->stats.rx_packets++;
> > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> >                         memcpy(skb_put(skb, 2), &data[6], 2);
> >                         memcpy(skb_put(skb, len), data+8, len);
> >                 }
> > -               skb->dev = zd->dev;
> >                 skb->dev->last_rx = jiffies;
> >                 skb->protocol = eth_type_trans(skb, zd->dev);
> >                 zd->stats.rx_packets++;
> > }}}
> > 
> 
> Arnaldo, we have a pretty solid report here that your
> 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.

In 2.6.22 and later, eth_type_trans() sets skb->dev.  It looks like the
lines tha tset last_rx in the patch above should be moved below the
eth_type_trans() lines, otherwise they'll likely oops.

Something like this is probably in order?

diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 6cb66a3..935b144 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
                        memcpy(skb_put(skb, 6), &data[datalen-8], 6);
                        memcpy(skb_put(skb, 2), &data[datalen-24], 2);
                        memcpy(skb_put(skb, len), data, len);
-                       skb->dev = zd->dev;
-                       skb->dev->last_rx = jiffies;
                        skb->protocol = eth_type_trans(skb, zd->dev);
+                       skb->dev->last_rx = jiffies;
                        zd->stats.rx_packets++;
@@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
                        memcpy(skb_put(skb, 2), &data[6], 2);
                        memcpy(skb_put(skb, len), data+8, len);
                }
-               skb->dev = zd->dev;
-               skb->dev->last_rx = jiffies;
                skb->protocol = eth_type_trans(skb, zd->dev);
+               skb->dev->last_rx = jiffies;
                zd->stats.rx_packets++;

Dan


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
@ 2007-10-17 20:46     ` Dan Williams
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Williams @ 2007-10-17 20:46 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Arnaldo Carvalho de Melo,
	bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r,
	netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	zairasai-gM/Ye1E23mwN+BqQ9rBEUg

On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > 
> >            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> >            Product: Drivers
> >            Version: 2.5
> >      KernelVersion: 2.6.23.1
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: network-wireless
> >         AssignedTo: drivers_network-wireless-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
> >         ReportedBy: zairasai-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org
> > 
> > 
> > [1.] One line summary of the problem:
> > 
> > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > 
> > 
> > 
> > 
> > [2.] Full description of the problem:
> > 
> > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > initialization of the WLAN device, showing the following message:
> > 
> > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > Kernel panic - not syncing: Fatal exception in interrupt
> > 
> > According to the init output during bootup, the panic seems to occur right when
> > the WLAN device receives an IP address from the DHCP-Server of the
> > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > the ZyDAS 1201 chip.
> > 
> > As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > than 2.6.21.7, but at least the ones i've tested (which are listed in the
> > summary below). It also recently came up in some different
> > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > my machine/setup. A link to another report on this problem is included at the
> > end of this report.
> > 
> > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > which made things work as expected again; however, that is only meant as a
> > hint, since i don't know why they were taken out or what other implications my
> > change might have.
> > 
> > patch-2.6.22, lines 586509-586528:
> > {{{
> > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> > index 6cb66a3..935b144 100644
> > --- a/drivers/net/wireless/zd1201.c
> > +++ b/drivers/net/wireless/zd1201.c
> > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> >                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> >                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> >                         memcpy(skb_put(skb, len), data, len);
> > -                       skb->dev = zd->dev;
> >                         skb->dev->last_rx = jiffies;
> >                         skb->protocol = eth_type_trans(skb, zd->dev);
> >                         zd->stats.rx_packets++;
> > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> >                         memcpy(skb_put(skb, 2), &data[6], 2);
> >                         memcpy(skb_put(skb, len), data+8, len);
> >                 }
> > -               skb->dev = zd->dev;
> >                 skb->dev->last_rx = jiffies;
> >                 skb->protocol = eth_type_trans(skb, zd->dev);
> >                 zd->stats.rx_packets++;
> > }}}
> > 
> 
> Arnaldo, we have a pretty solid report here that your
> 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.

In 2.6.22 and later, eth_type_trans() sets skb->dev.  It looks like the
lines tha tset last_rx in the patch above should be moved below the
eth_type_trans() lines, otherwise they'll likely oops.

Something like this is probably in order?

diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 6cb66a3..935b144 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
                        memcpy(skb_put(skb, 6), &data[datalen-8], 6);
                        memcpy(skb_put(skb, 2), &data[datalen-24], 2);
                        memcpy(skb_put(skb, len), data, len);
-                       skb->dev = zd->dev;
-                       skb->dev->last_rx = jiffies;
                        skb->protocol = eth_type_trans(skb, zd->dev);
+                       skb->dev->last_rx = jiffies;
                        zd->stats.rx_packets++;
@@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
                        memcpy(skb_put(skb, 2), &data[6], 2);
                        memcpy(skb_put(skb, len), data+8, len);
                }
-               skb->dev = zd->dev;
-               skb->dev->last_rx = jiffies;
                skb->protocol = eth_type_trans(skb, zd->dev);
+               skb->dev->last_rx = jiffies;
                zd->stats.rx_packets++;

Dan

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
@ 2007-10-17 22:49       ` Arnaldo Carvalho de Melo
  0 siblings, 0 replies; 6+ messages in thread
From: Arnaldo Carvalho de Melo @ 2007-10-17 22:49 UTC (permalink / raw)
  To: Dan Williams
  Cc: Andrew Morton, bugme-daemon, netdev, linux-wireless, zairasai

Em Wed, Oct 17, 2007 at 04:46:51PM -0400, Dan Williams escreveu:
> On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> > On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> > bugme-daemon@bugzilla.kernel.org wrote:
> > 
> > > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > > 
> > >            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > >            Product: Drivers
> > >            Version: 2.5
> > >      KernelVersion: 2.6.23.1
> > >           Platform: All
> > >         OS/Version: Linux
> > >               Tree: Mainline
> > >             Status: NEW
> > >           Severity: normal
> > >           Priority: P1
> > >          Component: network-wireless
> > >         AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
> > >         ReportedBy: zairasai@googlemail.com
> > > 
> > > 
> > > [1.] One line summary of the problem:
> > > 
> > > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > > 
> > > 
> > > 
> > > 
> > > [2.] Full description of the problem:
> > > 
> > > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > > initialization of the WLAN device, showing the following message:
> > > 
> > > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > > Kernel panic - not syncing: Fatal exception in interrupt
> > > 
> > > According to the init output during bootup, the panic seems to occur right when
> > > the WLAN device receives an IP address from the DHCP-Server of the
> > > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > > the ZyDAS 1201 chip.
> > > 
> > > As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > > than 2.6.21.7, but at least the ones i've tested (which are listed in the
> > > summary below). It also recently came up in some different
> > > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > > my machine/setup. A link to another report on this problem is included at the
> > > end of this report.
> > > 
> > > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > > which made things work as expected again; however, that is only meant as a
> > > hint, since i don't know why they were taken out or what other implications my
> > > change might have.
> > > 
> > > patch-2.6.22, lines 586509-586528:
> > > {{{
> > > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> > > index 6cb66a3..935b144 100644
> > > --- a/drivers/net/wireless/zd1201.c
> > > +++ b/drivers/net/wireless/zd1201.c
> > > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> > >                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> > >                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> > >                         memcpy(skb_put(skb, len), data, len);
> > > -                       skb->dev = zd->dev;
> > >                         skb->dev->last_rx = jiffies;
> > >                         skb->protocol = eth_type_trans(skb, zd->dev);
> > >                         zd->stats.rx_packets++;
> > > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> > >                         memcpy(skb_put(skb, 2), &data[6], 2);
> > >                         memcpy(skb_put(skb, len), data+8, len);
> > >                 }
> > > -               skb->dev = zd->dev;
> > >                 skb->dev->last_rx = jiffies;
> > >                 skb->protocol = eth_type_trans(skb, zd->dev);
> > >                 zd->stats.rx_packets++;
> > > }}}
> > > 
> > 
> > Arnaldo, we have a pretty solid report here that your
> > 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.
> 
> In 2.6.22 and later, eth_type_trans() sets skb->dev.  It looks like the
> lines tha tset last_rx in the patch above should be moved below the
> eth_type_trans() lines, otherwise they'll likely oops.
> 
> Something like this is probably in order?

I think so, its strange that this bisects to me, but Dan's change should
fix it.

- Arnaldo

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
@ 2007-10-17 22:49       ` Arnaldo Carvalho de Melo
  0 siblings, 0 replies; 6+ messages in thread
From: Arnaldo Carvalho de Melo @ 2007-10-17 22:49 UTC (permalink / raw)
  To: Dan Williams
  Cc: Andrew Morton, bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r,
	netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	zairasai-gM/Ye1E23mwN+BqQ9rBEUg

Em Wed, Oct 17, 2007 at 04:46:51PM -0400, Dan Williams escreveu:
> On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> > On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> > bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote:
> > 
> > > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > > 
> > >            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > >            Product: Drivers
> > >            Version: 2.5
> > >      KernelVersion: 2.6.23.1
> > >           Platform: All
> > >         OS/Version: Linux
> > >               Tree: Mainline
> > >             Status: NEW
> > >           Severity: normal
> > >           Priority: P1
> > >          Component: network-wireless
> > >         AssignedTo: drivers_network-wireless-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
> > >         ReportedBy: zairasai-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org
> > > 
> > > 
> > > [1.] One line summary of the problem:
> > > 
> > > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > > 
> > > 
> > > 
> > > 
> > > [2.] Full description of the problem:
> > > 
> > > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > > initialization of the WLAN device, showing the following message:
> > > 
> > > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > > Kernel panic - not syncing: Fatal exception in interrupt
> > > 
> > > According to the init output during bootup, the panic seems to occur right when
> > > the WLAN device receives an IP address from the DHCP-Server of the
> > > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > > the ZyDAS 1201 chip.
> > > 
> > > As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > > than 2.6.21.7, but at least the ones i've tested (which are listed in the
> > > summary below). It also recently came up in some different
> > > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > > my machine/setup. A link to another report on this problem is included at the
> > > end of this report.
> > > 
> > > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > > which made things work as expected again; however, that is only meant as a
> > > hint, since i don't know why they were taken out or what other implications my
> > > change might have.
> > > 
> > > patch-2.6.22, lines 586509-586528:
> > > {{{
> > > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> > > index 6cb66a3..935b144 100644
> > > --- a/drivers/net/wireless/zd1201.c
> > > +++ b/drivers/net/wireless/zd1201.c
> > > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> > >                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> > >                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> > >                         memcpy(skb_put(skb, len), data, len);
> > > -                       skb->dev = zd->dev;
> > >                         skb->dev->last_rx = jiffies;
> > >                         skb->protocol = eth_type_trans(skb, zd->dev);
> > >                         zd->stats.rx_packets++;
> > > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> > >                         memcpy(skb_put(skb, 2), &data[6], 2);
> > >                         memcpy(skb_put(skb, len), data+8, len);
> > >                 }
> > > -               skb->dev = zd->dev;
> > >                 skb->dev->last_rx = jiffies;
> > >                 skb->protocol = eth_type_trans(skb, zd->dev);
> > >                 zd->stats.rx_packets++;
> > > }}}
> > > 
> > 
> > Arnaldo, we have a pretty solid report here that your
> > 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.
> 
> In 2.6.22 and later, eth_type_trans() sets skb->dev.  It looks like the
> lines tha tset last_rx in the patch above should be moved below the
> eth_type_trans() lines, otherwise they'll likely oops.
> 
> Something like this is probably in order?

I think so, its strange that this bisects to me, but Dan's change should
fix it.

- Arnaldo

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] zd1201: avoid null ptr access of skb->dev
  2007-10-17 20:27 ` [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver Andrew Morton
  2007-10-17 20:46     ` Dan Williams
@ 2007-10-17 21:10   ` John W. Linville
  1 sibling, 0 replies; 6+ messages in thread
From: John W. Linville @ 2007-10-17 21:10 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Arnaldo Carvalho de Melo, netdev, linux-wireless, zairasai,
	John W. Linville

skb->dev is not set until eth_type_trans is called...

Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 drivers/net/wireless/zd1201.c        |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 935b144..d5c0c66 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -327,8 +327,8 @@ static void zd1201_usbrx(struct urb *urb)
 			memcpy(skb_put(skb, 6), &data[datalen-8], 6);
 			memcpy(skb_put(skb, 2), &data[datalen-24], 2);
 			memcpy(skb_put(skb, len), data, len);
-			skb->dev->last_rx = jiffies;
 			skb->protocol = eth_type_trans(skb, zd->dev);
+			skb->dev->last_rx = jiffies;
 			zd->stats.rx_packets++;
 			zd->stats.rx_bytes += skb->len;
 			netif_rx(skb);
@@ -384,8 +384,8 @@ static void zd1201_usbrx(struct urb *urb)
 			memcpy(skb_put(skb, 2), &data[6], 2);
 			memcpy(skb_put(skb, len), data+8, len);
 		}
-		skb->dev->last_rx = jiffies;
 		skb->protocol = eth_type_trans(skb, zd->dev);
+		skb->dev->last_rx = jiffies;
 		zd->stats.rx_packets++;
 		zd->stats.rx_bytes += skb->len;
 		netif_rx(skb);
-- 
1.5.2.4


^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2007-10-17 22:49 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <bug-9179-10286@http.bugzilla.kernel.org/>
2007-10-17 20:27 ` [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver Andrew Morton
2007-10-17 20:46   ` Dan Williams
2007-10-17 20:46     ` Dan Williams
2007-10-17 22:49     ` Arnaldo Carvalho de Melo
2007-10-17 22:49       ` Arnaldo Carvalho de Melo
2007-10-17 21:10   ` [PATCH] zd1201: avoid null ptr access of skb->dev John W. Linville

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.