From: Christian Lamparter <chunkeey@web.de>
To: Manuel Lauss <mano@roarinelk.homelinux.net>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [p54]: oops in p54_rx
Date: Mon, 8 Dec 2008 15:48:32 +0100 [thread overview]
Message-ID: <200812081548.32362.chunkeey@web.de> (raw)
In-Reply-To: <200812081509.43402.chunkeey@web.de>
[-- Attachment #1: Type: text/plain, Size: 5001 bytes --]
On Monday 08 December 2008 15:09:43 Christian Lamparter wrote:
> On Monday 08 December 2008 14:26:03 Manuel Lauss wrote:
> > Hallo Christian,
> >
> > On Mon, Dec 08, 2008 at 02:08:36PM +0100, Christian Lamparter wrote:
> > > On Monday 08 December 2008 08:49:04 Manuel Lauss wrote:
> > > > Hello,
> > >
> > > Hello!
> > >
> > > > The following oops occurs when udev loads p54pci driver (device is an early
> > > > SM2802W V2 PCI with the isl3886 "softmac" chip; 2.6.28-rc7, firmware
> > > > 2.13.1.0.arm). This is transcribed from a rather bad photo (please see
> > > > http://mlau.at/pix/p54oops.jpg ):
> > > >
> > > > BUG: Unable to handle kernel NULL pointer dereference at 0000000000000000
> > > > IP: [<ffffffffa0016b66>] p54_rx+0xc6/0x490 [p54common]
> > > > PGD 12e433067 PUD 12e46f067 PMD 0
> > > > Oops: 0000 [#1] PREEMPT SMP
> > > > last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0:0/....
> > > > CPU 0
> > > > Modules linked in: usb_storage ohci1394(+) ieee1394 p54pci(+) p54common ahci...
> > > > Pid: 0, comm: swapper Not tainted 2.6.28-rc7-00091-gf6f7b52 #1
> > > > RIP: 0010:[<ffffffffa0016b66>] [<ffffffffa0016b66>] p54_rx+0xc6/0x490 [p54common]
> > > > RSP: 0018:ffffffff80ab3df0 EFLAGS: 00010207
> > > > RAX: 0000000074e9fed0 RBX: ffff08012e4f1940 RCX: 0000000000002e10
> > > > RDX: 0000000000000000 RSI: 00000000000000f1 RDI: ffff80012e4f0000
> > > > RBP: ffff80012e077010 R08: ffff80012e077000 R09: ffff80012e04?000
> > > > R10: 0000000000000001 R11: ffffffff00221320 R12: ffff80012e4f1900
> > > > R13: ffff80012e4f0300 R14: 000000000000732e R15: ffff80012e4f19??
> > > >
> > > > (gdb) list *p54_rx+0xc6
> > > > 0x1b66 is in p54_rx (/usr/src/linux-2.6.git/drivers/net/wireless/p54/p54common.c:502).
> > > > 497
> > > > 498 rx_status.signal = p54_rssi_to_dbm(dev, hdr->rssi);
> > > > 499 rx_status.noise = priv->noise;
> > > > 500 /* XX correct? */
> > > > 501 rx_status.qual = (100 * hdr->rssi) / 127;
> > > > 502 rx_status.rate_idx = (dev->conf.channel->band == IEEE80211_BAND_2GHZ ?
> > > > 503 hdr->rate : (hdr->rate - 4)) & 0xf;
> > > That's right, dev->conf.channel isn't set at the time we're reading the eeprom.
> > > But, then we didn't initialize the radio, dcf and mac/bb yet, so where did the data frames came
> > > from?
> >
> > Booted firmware in need of attention? ;-) The other device on irq 17 is
> > a jmicron pata controller with no disks attached.
> the device has a ring-buffer with a counting index => so the firmware must have
> incremented/corrupted the index.
>
> > One more datapoint: this oops only seems to occur if udev loads p54 _and_
> > firmware is present. Without firmware the driver (obviously) does nothing
> > an later I can happily modprobe/rmmod it when firmware is in place without
> > incident (with the timeout error below).
> >
> Well, that's tricky... I've no idea why it's sending "data" frames in the first place.
>
> But what I can do is to stop the driver from oopsing...
>
> I guess a check to see if the device mode is set to something else than
> "NL80211_IFTYPE_UNSPECIFIED" and in p54_rx(_data) should prevent the oops.
> maybe we I should add a hex_dump as well.
patch attached... tell me what it does on your dev.
Regards,
Chr
[-- Attachment #2: p54common-free.diff --]
[-- Type: text/x-diff, Size: 794 bytes --]
diff -Nurp linux-2.6.28-rc7/drivers/net/wireless/p54/p54common.c linux-2.6.28-rc8/drivers/net/wireless/p54/p54common.c
--- linux-2.6.28-rc7/drivers/net/wireless/p54/p54common.c 2008-12-08 15:35:51.655503446 +0100
+++ linux-2.6.28-rc8/drivers/net/wireless/p54/p54common.c 2008-12-08 15:30:58.583619238 +0100
@@ -488,6 +488,13 @@ static int p54_rx_data(struct ieee80211_
size_t header_len = sizeof(*hdr);
u32 tsf32;
+ if (priv->mode == NL80211_IFTYPE_UNSPECIFIED) {
+ printk(KERN_ERR "%s: received bogus data\n", wiphy_name(dev->wiphy));
+ print_hex_dump(KERN_ERR, "raw data: ", DUMP_PREFIX_ADDRESS,
+ 16, 1, skb->data, skb->len, 1);
+ return 0;
+ }
+
if (!(hdr->magic & cpu_to_le16(0x0001))) {
if (priv->filter_flags & FIF_FCSFAIL)
rx_status.flag |= RX_FLAG_FAILED_FCS_CRC;
next prev parent reply other threads:[~2008-12-08 14:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-08 7:49 [p54]: oops in p54_rx Manuel Lauss
2008-12-08 13:08 ` Christian Lamparter
2008-12-08 13:26 ` Manuel Lauss
2008-12-08 14:09 ` Christian Lamparter
2008-12-08 14:48 ` Christian Lamparter [this message]
2008-12-08 14:47 ` Manuel Lauss
2008-12-08 15:24 ` Christian Lamparter
2008-12-08 15:32 ` Manuel Lauss
2008-12-08 15:50 ` Christian Lamparter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200812081548.32362.chunkeey@web.de \
--to=chunkeey@web.de \
--cc=linux-wireless@vger.kernel.org \
--cc=mano@roarinelk.homelinux.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.