From: Larry Finger <Larry.Finger@lwfinger.net>
To: Mario 'BitKoenig' Holbe <Mario.Holbe@TU-Ilmenau.DE>,
	LKML <linux-kernel@vger.kernel.org>,
	wireless <linux-wireless@vger.kernel.org>,
	b43-dev <b43-dev@lists.infradead.org>
Subject: 2.6.37-rc7: Regression: b43: crashes in hwrng_register()
Date: Thu, 30 Dec 2010 12:37:21 -0600
Message-ID: <4D1CD161.4040107@lwfinger.net>
In-Reply-To: <20101230143406.GA23219@darkside.kls.lan>

On 12/30/2010 08:34 AM, Mario 'BitKoenig' Holbe wrote:
> On Wed, Dec 29, 2010 at 08:37:10PM -0600, Larry Finger wrote:
>> No, don't bother. I do have a different request. The byte counts for my 32-bit
>> system do not match yours. Could you please use the following command to find
>> the instructions that are failing?
>>
>> objdump -l -d drivers/char/hw_random/core.o | less
>>
>> Use the search to find the start of hwrng_register, then add 0x4c to the
>> starting address. Once I see the instruction that is failing, I should be able
>> to find where the failure occurs.
> 
> Alright, here we go...
> 
> [   30.012695] BUG: unable to handle kernel paging request at 4b28f458
> [   30.012708] IP: [<f90703cc>] hwrng_register+0x4c/0x139 [rng_core]
> 
> 00000380 <hwrng_register>:
> hwrng_register():
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:299
>  380:   56                      push   %esi
>  381:   53                      push   %ebx
> ...
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:312
>  3c6:   8b 76 1c                mov    0x1c(%esi),%esi
>  3c9:   83 ee 1c                sub    $0x1c,%esi
> prefetch():
> /tmp/1/linux-source-2.6.37-rc7/arch/x86/include/asm/processor.h:837
>  3cc:   8b 46 1c                mov    0x1c(%esi),%eax
>  3cf:   8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi
> hwrng_register():
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:312
>  3d3:   81 fe f8 ff ff ff       cmp    $0xfffffff8,%esi
>  3d9:   75 d4                   jne    3af <hwrng_register+0x2f>
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:319
> 
>    312		list_for_each_entry(tmp, &rng_list, list) {
>    313			if (strcmp(tmp->name, rng->name) == 0)
>    314				goto out_unlock;
>    315		}
> 
> This is btw. the same data that is accessed in the cat rng_available
> crash via hwrng_attr_available_show():
> 
> [  389.303538] BUG: unable to handle kernel paging request at 288dcb5b                              
> [  389.303553] IP: [<f8dda34c>] hwrng_attr_available_show+0x5c/0x90 [rng_core]                      
> 
> 000002f0 <hwrng_attr_available_show>:
> hwrng_attr_available_show():
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:236
>  2f0:   55                      push   %ebp
> ...
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:245
>  346:   8b 5b 1c                mov    0x1c(%ebx),%ebx
>  349:   83 eb 1c                sub    $0x1c,%ebx
> prefetch():
> /tmp/1/linux-source-2.6.37-rc7/arch/x86/include/asm/processor.h:837
>  34c:   8b 43 1c                mov    0x1c(%ebx),%eax
>  34f:   8d 74 26 00             lea    0x0(%esi,%eiz,1),%esi
> hwrng_attr_available_show():
> /tmp/1/linux-source-2.6.37-rc7/drivers/char/hw_random/core.c:245
> 
>    245		list_for_each_entry(rng, &rng_list, list) {
>    246			strncat(buf, rng->name, PAGE_SIZE - ret - 1);
>    247			ret += strlen(rng->name);
>    248			strncat(buf, " ", PAGE_SIZE - ret - 1);
>    249			ret++;
>    250		}

The head of the rng_list is damaged. It is initialized at compile time and
should be OK. To help discover the order in which hwrng_register() is called,
apply the attached patch. Run it once with commit 84c164a34ffe67908a installed,
and once with it reverted.

Thanks,

Larry
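
The failing loads in the disassembly above are the first dereference of a list pointer that no longer points at a real node. As an added example (not part of the original message or of the kernel source), this user-space sketch checks that each link's neighbours point back at it before walking the list, the same agreement test the kernel's CONFIG_DEBUG_LIST applies on insertion. `struct rng`, `link_ok()`, `rng_register()`, `scribble_head()` and the device name are hypothetical, and the simulated stray write is aimed at valid memory so the check itself cannot fault.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-space copy of the kernel's intrusive list, enough for the demo. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, member) \
	((type *)((char *)(p) - offsetof(type, member)))
/* Hypothetical stand-in for struct hwrng: only what the loop touches. */
struct rng { const char *name; struct list_head list; };
/* Initialised at compile time, like static LIST_HEAD(rng_list). */
static struct list_head rng_list = { &rng_list, &rng_list };

/* A link is sane when both neighbours point back at it. */
static int link_ok(const struct list_head *n)
{
	return n->next->prev == n && n->prev->next == n;
}

/* 0 = registered, -1 = duplicate name, -2 = list corrupted (walk refused). */
static int rng_register(struct rng *rng)
{
	struct list_head *pos;

	if (!link_ok(&rng_list))
		return -2;
	for (pos = rng_list.next; pos != &rng_list; pos = pos->next) {
		if (!link_ok(pos))
			return -2;
		if (!strcmp(container_of(pos, struct rng, list)->name, rng->name))
			return -1;
	}
	rng->list.prev = rng_list.prev;
	rng->list.next = &rng_list;
	rng_list.prev->next = &rng->list;
	rng_list.prev = &rng->list;
	return 0;
}

/* Constructed corruption: overwrite head.next the way a stray write would. */
static struct list_head stray = { &stray, &stray };
static void scribble_head(void) { rng_list.next = &stray; }

int main(void)
{
	struct rng a = { "demo-rng0", { 0, 0 } }, b = { "demo-rng0", { 0, 0 } };
	int r1 = rng_register(&a), r2 = rng_register(&b);

	scribble_head();
	printf("%d %d %d\n", r1, r2, rng_register(&b));
	return 0;
}
```

A pointer overwritten with an arbitrary value, as in the oops above, would still fault inside the check itself; the check only turns a consistent-looking but wrong link into an early error.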

[-- Attachment #2: hwrng_debug --]
[-- Type: text/plain, Size: 822 bytes --]

Index: wireless-testing/drivers/char/hw_random/core.c
===================================================================
--- wireless-testing.orig/drivers/char/hw_random/core.c
+++ wireless-testing/drivers/char/hw_random/core.c
@@ -49,11 +49,11 @@
 
 
 static struct hwrng *current_rng;
-static LIST_HEAD(rng_list);
 static DEFINE_MUTEX(rng_mutex);
 static int data_avail;
 static u8 rng_buffer[SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES]
 	__cacheline_aligned;
+static LIST_HEAD(rng_list);
 
 static inline int hwrng_init(struct hwrng *rng)
 {
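Review bot: The relocation of `static LIST_HEAD(rng_list);` to after `rng_buffer` carries no comment saying it is a diagnostic, so a reader cannot tell it from a functional change. Add a one-line comment marking it debug-only and stating what is expected to differ between the two runs. Declaration order also does not by itself determine where the object is placed, so the test should print `&rng_list` with `%p` to confirm the head really moved relative to its neighbours.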
@@ -305,6 +305,9 @@ int hwrng_register(struct hwrng *rng)
 	    (rng->data_read == NULL && rng->read == NULL))
 		goto out;
 
+	printk(KERN_INFO "Calling hwrng_register\n");
+	dump_stack();
+
 	mutex_lock(&rng_mutex);
 
 	/* Must not register two RNGs with the same name. */
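Review bot: The added `printk(KERN_INFO "Calling hwrng_register\n");` ahead of `mutex_lock(&rng_mutex);` does not say which device is registering or what state the list head is in, so the two runs can only be compared through the stack traces. Printing `rng->name` together with `rng_list.next` and `rng_list.prev` would show directly whether the head is already overwritten on entry, for example `printk(KERN_INFO "hwrng_register: %s next=%p prev=%p\n", rng->name, rng_list.next, rng_list.prev);`. With the list pointers in the message, the print belongs below the `mutex_lock()` line so it does not race with a concurrent registration.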
