BUG in rt2x00lib_txdone() with 2.6.37-rc8

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Stephen Boyd <bebarino@gmail.com>
To: users@rt2x00.serialmonkey.com
Cc: Ivo van Doorn <IvDoorn@gmail.com>,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: BUG in rt2x00lib_txdone() with 2.6.37-rc8
Date: Fri, 31 Dec 2010 02:23:06 -0800	[thread overview]
Message-ID: <4D1DAF0A.40000@gmail.com> (raw)

Hi,

I think I'm hitting a rare bug in rt2x00lib_txdone(). Usually I can't
capture it since a second or third bug hits immediately after and
everything wraps off the screen. I'm fairly certain the same bug is
hitting on rc8, but I only got the oops in my logs with an rc7 kernel
including the latest net tree merge. Reproducing the bug is hit or miss
and I don't know a good way to trigger it.

I have an rt73usb device on an x86_64 machine, lsusb shows:

Bus 001 Device 004: ID 050d:705a Belkin Components F5D7050 Wireless G
Adapter v3000 [Ralink RT2573]

This is all of the oops that I could recover.

[ 9085.714105] BUG: unable to handle kernel NULL pointer dereference at
00000000000000a4
[ 9085.714816] IP: [<ffffffffa0025458>] rt2x00lib_txdone+0x36/0x249
[rt2x00lib]
[ 9085.715017] PGD 215fd067 PUD 292f4067 PMD 0
[ 9085.715017] Oops: 0000 [#1] SMP
[ 9085.715017] last sysfs file:
/sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
[ 9085.715017] CPU 1
[ 9085.715017] Modules linked in: usb_storage thermal snd_seq_oss
snd_seq_midi snd_seq_dummy snd_pcm_oss snd_mixer_oss snd_hrtimer
snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_event
snd_seq_midi_emul snd_seq scsi_wait_scan powernow_k8 mperf i2c_i801 fuse
fan snd_emu10k1 snd_rawmidi snd_ac97_codec ac97_bus snd_pcm
snd_seq_device snd_timer snd_page_alloc snd_util_mem rt73usb crc_itu_t
rt2x00usb snd_hwdep snd processor r8169 via82cxxx rt2x00lib soundcore
mii button k8temp
[ 9085.715017]
[ 9085.715017] Pid: 11513, comm: kworker/1:0 Not tainted 2.6.37-rc7+ #27
MS-7094/MS-7094
[ 9085.715017] RIP: 0010:[<ffffffffa0025458>]  [<ffffffffa0025458>]
rt2x00lib_txdone+0x36/0x249 [rt2x00lib]
[ 9085.715017] RSP: 0000:ffff880000057ca0  EFLAGS: 00010286
[ 9085.715017] RAX: 0000000000000030 RBX: ffff88003b64e3c0 RCX:
ffff880000057ca0
[ 9085.715017] RDX: 0000000000000006 RSI: ffff880000057d00 RDI:
0000000000000000
[ 9085.715017] RBP: ffff880000057cf0 R08: ffff88003c7c7110 R09:
0000000000000001
[ 9085.715017] R10: ffffffff81df3c10 R11: 0000000000000282 R12:
ffff88003c586280
[ 9085.715017] R13: 0000000000000000 R14: 0000000000000028 R15:
ffff880000057d00
[ 9085.715017] FS:  00002b41e037b160(0000) GS:ffff88003f

I think the entry or skb in the entry is NULL, but I'm not sure how
that's possible. Here's an objdump of the erroring code if that helps.

0000000000000422 <rt2x00lib_txdone>:
     422:       55                      push   %rbp
     423:       48 89 e5                mov    %rsp,%rbp
     426:       41 57                   push   %r15
     428:       41 56                   push   %r14
     42a:       41 55                   push   %r13
     42c:       41 54                   push   %r12
     42e:       53                      push   %rbx
     42f:       48 83 ec 28             sub    $0x28,%rsp
     433:       e8 00 00 00 00          callq  438 <rt2x00lib_txdone+0x16>
     438:       4c 8b 6f 10             mov    0x10(%rdi),%r13
     43c:       48 8b 47 08             mov    0x8(%rdi),%rax
     440:       49 89 fc                mov    %rdi,%r12
     443:       49 89 f7                mov    %rsi,%r15
     446:       48 8b 18                mov    (%rax),%rbx
     449:       49 8d 45 30             lea    0x30(%r13),%rax
     44d:       4c 89 ef                mov    %r13,%rdi
     450:       4d 8d 75 28             lea    0x28(%r13),%r14
     454:       48 89 45 c8             mov    %rax,-0x38(%rbp)
     458:       41 8b 95 a4 00 00 00    mov    0xa4(%r13),%edx  <--- here
     45f:       66 89 55 c2             mov    %dx,-0x3e(%rbp)
     463:       e8 00 00 00 00          callq  468 <rt2x00lib_txdone+0x46>
     468:       89 45 c4                mov    %eax,-0x3c(%rbp)
     46b:       41 8a 45 30             mov    0x30(%r13),%al

next             reply	other threads:[~2010-12-31 10:23 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-12-31 10:23 Stephen Boyd [this message]
2011-01-01 10:28 ` BUG in rt2x00lib_txdone() with 2.6.37-rc8 Heinz Diehl
2011-01-01 21:35   ` Stephen Boyd
  -- strict thread matches above, loose matches on Subject: below --
2011-01-12 22:34 Michele Ballabio
2011-01-13 12:36 Ingo Brunberg
2011-01-13 13:23 ` Helmut Schaa
2011-01-15 13:34   ` Ivo Van Doorn
2011-01-16  1:59     ` Helmut Schaa
2011-01-16  2:58     ` Ingo Brunberg
2011-01-17 20:36       ` Ivo Van Doorn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D1DAF0A.40000@gmail.com \
    --to=bebarino@gmail.com \
    --cc=IvDoorn@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=users@rt2x00.serialmonkey.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox