* Pulling rt73 USB stick oopses the kernel
From: Michael Buesch @ 2009-07-29 10:24 UTC (permalink / raw)
To: linux-wireless
Pulling a rt73 USB stick in operation (packets were injected into the monitor)
does oops the kernel as follows:
[ 630.304883] rt73usb 2-6:1.0: firmware: requesting rt73.bin
[ 630.417740] ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 700.489876] ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 743.571488] device wlan1 entered promiscuous mode
[ 829.207708] usb 2-6: USB disconnect, address 4
[ 829.208272] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x3040 with error -19.
[ 829.208355] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x3040 with error -19.
[ 829.208436] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x3028 with error -19.
[ 829.208516] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x3064 with error -19.
[ 829.208595] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x0c failed for offset 0x0000 with error -19.
[ 829.208687] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x0a failed for offset 0x0000 with error -19.
[ 829.209622] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x0a failed for offset 0x0000 with error -19.
[ 829.209832] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x0a failed for offset 0x0000 with error -19.
[ 829.210187] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x0a failed for offset 0x0000 with error -19.
[ 829.223337] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x3040 with error -19.
[ 829.223424] phy1 -> rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x3040 with error -19.
[ 829.269467] =============================================================================
[ 829.269554] BUG kmalloc-16: Redzone overwritten
[ 829.269615] -----------------------------------------------------------------------------
[ 829.269618]
[ 829.269746] INFO: 0xf56c4b50-0xf56c4b53. First byte 0xb instead of 0xcc
[ 829.269821] INFO: Allocated in rt2x00usb_probe+0xb5/0x1c1 [rt2x00usb] age=104615 cpu=0 pid=3965
[ 829.269902] INFO: Slab 0xc20bc880 objects=64 used=53 fp=0xf56c4b80 flags=0x40000083
[ 829.269940] INFO: Object 0xf56c4b40 @offset=2880 fp=0xf56c4b80
[ 829.269940]
[ 829.269940] Bytes b4 0xf56c4b30: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 829.269940] Object 0xf56c4b40: 00 00 00 00 0c 2c 00 00 86 07 00 00 51 a2 06 00 .....,......Q¢..
[ 829.269940] Redzone 0xf56c4b50: 0b 2a 0d 00 .*..
[ 829.269940] Padding 0xf56c4b78: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 829.269940] Pid: 810, comm: khubd Not tainted 2.6.31-rc4-wl #2
[ 829.269940] Call Trace:
[ 829.269940] [<c10bff6b>] print_trailer+0xd3/0x108
[ 829.269940] [<c10c0066>] check_bytes_and_report+0xc6/0xe3
[ 829.269940] [<c10c010f>] check_object+0x53/0x1ea
[ 829.269940] [<c10c1d28>] __slab_free+0x1e7/0x2c8
[ 829.269940] [<c10c2120>] kfree+0xc9/0x137
[ 829.269940] [<f86fb05f>] ? rt2x00usb_free_reg+0x11/0x48 [rt2x00usb]
[ 829.269940] [<f86fb05f>] ? rt2x00usb_free_reg+0x11/0x48 [rt2x00usb]
[ 829.269940] [<f86fb05f>] rt2x00usb_free_reg+0x11/0x48 [rt2x00usb]
[ 829.269940] [<f86fb0b5>] rt2x00usb_disconnect+0x1f/0x40 [rt2x00usb]
[ 829.269940] [<f8063357>] usb_unbind_interface+0xdf/0x116 [usbcore]
[ 829.269940] [<c11f7247>] __device_release_driver+0x53/0x96
[ 829.269940] [<c11f732a>] device_release_driver+0x18/0x23
[ 829.269940] [<c11f6992>] bus_remove_device+0x70/0x94
[ 829.269940] [<c11f4fff>] device_del+0x103/0x186
[ 829.269940] [<f8060462>] usb_disable_device+0x79/0xe4 [usbcore]
[ 829.269940] [<f805b69f>] usb_disconnect+0x8a/0xee [usbcore]
[ 829.269940] [<f805c804>] hub_thread+0x691/0x125d [usbcore]
[ 829.269940] [<c1020100>] ? chk_conflict+0x13e/0x16c
[ 829.269940] [<c12dbdab>] ? _spin_unlock_irqrestore+0x39/0x68
[ 829.269940] [<c1057cdb>] ? trace_hardirqs_on_caller+0x102/0x146
[ 829.269940] [<c1047699>] ? autoremove_wake_function+0x0/0x3a
[ 829.269940] [<f805c173>] ? hub_thread+0x0/0x125d [usbcore]
[ 829.269940] [<c104738c>] kthread+0x6f/0x75
[ 829.269940] [<c104731d>] ? kthread+0x0/0x75
[ 829.269940] [<c1003977>] kernel_thread_helper+0x7/0x1a
[ 829.269940] FIX kmalloc-16: Restoring 0xf56c4b50-0xf56c4b53=0xcc
--
Greetings, Michael.
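
The report above is printed from inside kfree(), because SLUB compares the bytes that follow an object with 0xcc when the object is freed, not when they are written. The added example below (not from the thread or the rt2x00 code) models that check in userspace; the allocator, the five-word store and the filler value are constructed for illustration.

```c
/* Added illustration: userspace model of a SLUB-style red zone check. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OBJ_SIZE   16    /* kmalloc-16, as in the report */
#define RZ_SIZE    4     /* red zone at 0xf56c4b50-0xf56c4b53 */
#define RED_ACTIVE 0xcc  /* value expected in an in-use red zone */

/* Hypothetical allocator: 16-byte object followed by its red zone. */
static void *rz_alloc(void)
{
    uint8_t *p = malloc(OBJ_SIZE + RZ_SIZE);
    if (!p)
        return NULL;
    memset(p, 0, OBJ_SIZE);
    memset(p + OBJ_SIZE, RED_ACTIVE, RZ_SIZE);
    return p;
}

/* The check runs at free time. Returns the offset (from the object start)
 * of the first damaged byte, or -1 if the red zone is intact. */
static int rz_free(void *obj)
{
    uint8_t *p = obj;
    int bad = -1;
    for (int i = OBJ_SIZE; i < OBJ_SIZE + RZ_SIZE && bad < 0; i++)
        if (p[i] != RED_ACTIVE)
            bad = i;
    if (bad >= 0)
        printf("Redzone overwritten at offset %d: first byte 0x%x instead of 0x%x\n",
               bad, (unsigned)p[bad], (unsigned)RED_ACTIVE);
    free(p);
    return bad;
}

/* Constructed bug: store n 32-bit words into an object sized for four. */
static int store_and_free(unsigned n)
{
    uint32_t *words = rz_alloc();
    if (!words)
        return -2;
    for (unsigned i = 0; i < n && i < 5; i++)
        words[i] = 0x000d2a0bu;  /* constructed filler value */
    return rz_free(words);       /* corruption surfaces here, not at the store */
}

int main(void) { return store_and_free(5) == 16 ? 0 : 1; }
```

The call trace in such a report therefore identifies the code that freed the object; the out-of-bounds store may have happened earlier and elsewhere.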
* Re: Pulling rt73 USB stick oopses the kernel
From: Pavel Roskin @ 2009-07-29 18:44 UTC (permalink / raw)
To: Michael Buesch; +Cc: linux-wireless
On Wed, 2009-07-29 at 12:24 +0200, Michael Buesch wrote:
> Pulling a rt73 USB stick in operation (packets were injected into the monitor)
> does oops the kernel as follows:
...
> [ 829.269554] BUG kmalloc-16: Redzone overwritten
There are some memory corruption issues with the removal of rt73usb and
rt61pci, but they are hard to track down. Using kmemcheck allows one to
catch the first invalid memory access.
That's what I got (that's unloading rt73usb with rmmod while the
interface is up in station mode):
usbcore: deregistering interface driver rt73usb
WARNING: kmemcheck: Caught 64-bit read from freed memory (ffff88012f36b4c0)
58f97781ffffffff58f97781ffffffff4c71000001000000e0e00481ffffffff
f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f
^
Modules linked in: rt2x00usb rt2x00lib mac80211 cfg80211 [last unloaded: rt73usb]
Pid: 2043, comm: hald Not tainted 2.6.31-rc4-wl #185 G31T-M
RIP: 0010:[<ffffffff8124b476>] [<ffffffff8124b476>] __list_add+0x26/0xa0
RSP: 0018:ffff88012f8f7da0 EFLAGS: 00010046
RAX: ffffffff8177f480 RBX: ffff8800280305a0 RCX: 00000000000004c0
RDX: ffffffff8177f958 RSI: ffff88012f36b4c0 RDI: ffff8800280305a0
RBP: ffff88012f8f7dc0 R08: ffff88012f36b4c0 R09: ffff880028022000
R10: 00000000ffffffff R11: 0000000000000000 R12: ffffffff8177f958
R13: ffff88012f36b4c0 R14: 000000010000714c R15: ffffffff8177f480
FS: 00007ff62a5316f0(0000) GS:ffff880028022000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88012f890ea8 CR3: 000000012f21e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[<ffffffff810461f5>] internal_add_timer+0xb5/0x110
[<ffffffff810468b1>] mod_timer+0xe1/0x130
[<ffffffff81046913>] add_timer+0x13/0x20
[<ffffffff8104e03b>] queue_delayed_work_on+0x8b/0xc0
[<ffffffff8104e34c>] queue_delayed_work+0x1c/0x30
[<ffffffff8104e376>] schedule_delayed_work+0x16/0x20
[<ffffffff81081dc8>] vmstat_update+0x38/0x40
[<ffffffff8104dbb4>] worker_thread+0xe4/0x190
[<ffffffff81051816>] kthread+0x96/0xa0
[<ffffffff8100c2ba>] child_rip+0xa/0x20
[<ffffffffffffffff>] 0xffffffffffffffff
__list_add+0x26 corresponds to line 27 in lib/list_debug.c:
	WARN(prev->next != next,
		"list_add corruption. prev->next should be "
		"next (%p), but was %p. (prev=%p).\n",
		next, prev->next, prev);
next and prev are accessed in the previous statement, so apparently it's
prev->next that is invalid.
rt73usb is already unloaded at this point. Perhaps it left some timers
registered.
--
Regards,
Pavel Roskin
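
The situation hypothesised in the message above, an entry left on a shared list after its memory has been released, can be modelled in userspace to show why an unrelated caller such as vmstat_update is the one that trips the check. This is an added example, not code from the thread or the kernel: struct drv, the poisoning "free" and the timers list are hypothetical stand-ins, and only the tested condition is taken from the quoted WARN().

```c
/* Added illustration: userspace model of the list_debug.c check. */
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
static struct list_head timers = { &timers, &timers }; /* stand-in timer list */

/* Same condition as the quoted WARN(); this model also refuses to link. */
static int list_add_checked(struct list_head *entry, struct list_head *prev,
                            struct list_head *next)
{
    if (prev->next != next) {
        printf("list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
               (void *)next, (void *)prev->next, (void *)prev);
        return 0;
    }
    next->prev = entry;
    entry->next = next;
    entry->prev = prev;
    prev->next = entry;
    return 1;
}

static void list_del(struct list_head *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
}

struct drv { struct list_head timer; };  /* hypothetical driver state */
/* "Free" by poisoning static storage so the stale read stays defined here. */
static void drv_free(struct drv *d, int cancel_first)
{
    if (cancel_first)
        list_del(&d->timer);  /* role of del_timer_sync() in a real driver */
    memset(d, 0x6b, sizeof(*d));
}

/* Result of the next, unrelated add to the same list after teardown. */
static int unload_then_add(int cancel_first)
{
    static struct drv d;
    static struct list_head other;
    timers.next = timers.prev = &timers;
    list_add_checked(&d.timer, timers.prev, &timers);
    drv_free(&d, cancel_first);
    return list_add_checked(&other, timers.prev, &timers);
}
int main(void) { return unload_then_add(0) == 0 && unload_then_add(1) == 1 ? 0 : 1; }
```

Without the unlink, the list tail still points at the poisoned object, so the next add reads garbage through prev->next; with it, the add succeeds.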