netdev.vger.kernel.org archive mirror
* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
From: Andrew Morton @ 2007-10-17 20:27 UTC
  To: Arnaldo Carvalho de Melo; +Cc: bugme-daemon, netdev, linux-wireless, zairasai

On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=9179
> 
>            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.23.1
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: network-wireless
>         AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
>         ReportedBy: zairasai@googlemail.com
> 
> 
> [1.] One line summary of the problem:
> 
> 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> 
> 
> 
> 
> [2.] Full description of the problem:
> 
> The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> initialization of the WLAN device, showing the following message:
> 
> EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> Kernel panic - not syncing: Fatal exception in interrupt
> 
> According to the init output during bootup, the panic seems to occur right when
> the WLAN device receives an IP address from the DHCP-Server of the
> WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> the ZyDAS 1201 chip.
> 
> As far as I know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> done in patch-2.6.22, so the bug probably affects all kernel versions later
> than 2.6.21.7, but at least the ones I've tested (which are listed in the
> summary below). It also recently came up in some different
> distribution-specific forums/bugtrackers, so it does not seem to be specific to
> my machine/setup. A link to another report on this problem is included at the
> end of this report.
> 
> Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> which made things work as expected again; however, that is only meant as a
> hint, since I don't know why they were taken out or what other implications my
> change might have.
> 
> patch-2.6.22, lines 586509-586528:
> {{{
> diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> index 6cb66a3..935b144 100644
> --- a/drivers/net/wireless/zd1201.c
> +++ b/drivers/net/wireless/zd1201.c
> @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
>                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
>                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
>                         memcpy(skb_put(skb, len), data, len);
> -                       skb->dev = zd->dev;
>                         skb->dev->last_rx = jiffies;
>                         skb->protocol = eth_type_trans(skb, zd->dev);
>                         zd->stats.rx_packets++;
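Review bot: After `skb->dev = zd->dev;` is dropped here, the very next line, `skb->dev->last_rx = jiffies;`, dereferences `skb->dev` with nothing in the hunk assigning it first; the only remaining use of `zd->dev` is the `eth_type_trans(skb, zd->dev)` call one line later. If the assignment is meant to happen inside that call, the `last_rx` store has to move below it, which is consistent with the reported panic inside zd1201_usbrx.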
> @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
>                         memcpy(skb_put(skb, 2), &data[6], 2);
>                         memcpy(skb_put(skb, len), data+8, len);
>                 }
> -               skb->dev = zd->dev;
>                 skb->dev->last_rx = jiffies;
>                 skb->protocol = eth_type_trans(skb, zd->dev);
>                 zd->stats.rx_packets++;
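Review bot: Same ordering problem on the common path after the closing brace: `skb->dev->last_rx = jiffies;` now runs before anything sets `skb->dev`. Writing `zd->dev->last_rx = jiffies;` would keep the timestamp update independent of where `skb->dev` gets assigned, so the line could stay where it is.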
> }}}
> 

Arnaldo, we have a pretty solid report here that your
4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.



* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
From: Dan Williams @ 2007-10-17 20:46 UTC
  To: Andrew Morton
  Cc: Arnaldo Carvalho de Melo,
	bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r,
	netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	zairasai-gM/Ye1E23mwN+BqQ9rBEUg

On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote:
> 
> > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > 
> >            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> >            Product: Drivers
> >            Version: 2.5
> >      KernelVersion: 2.6.23.1
> >           Platform: All
> >         OS/Version: Linux
> >               Tree: Mainline
> >             Status: NEW
> >           Severity: normal
> >           Priority: P1
> >          Component: network-wireless
> >         AssignedTo: drivers_network-wireless-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
> >         ReportedBy: zairasai-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org
> > 
> > 
> > [1.] One line summary of the problem:
> > 
> > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > 
> > 
> > 
> > 
> > [2.] Full description of the problem:
> > 
> > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > initialization of the WLAN device, showing the following message:
> > 
> > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > Kernel panic - not syncing: Fatal exception in interrupt
> > 
> > According to the init output during bootup, the panic seems to occur right when
> > the WLAN device receives an IP address from the DHCP-Server of the
> > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > the ZyDAS 1201 chip.
> > 
> > As far as I know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > than 2.6.21.7, but at least the ones I've tested (which are listed in the
> > summary below). It also recently came up in some different
> > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > my machine/setup. A link to another report on this problem is included at the
> > end of this report.
> > 
> > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > which made things work as expected again; however, that is only meant as a
> > hint, since I don't know why they were taken out or what other implications my
> > change might have.
> > 
> > patch-2.6.22, lines 586509-586528:
> > {{{
> > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> > index 6cb66a3..935b144 100644
> > --- a/drivers/net/wireless/zd1201.c
> > +++ b/drivers/net/wireless/zd1201.c
> > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> >                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> >                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> >                         memcpy(skb_put(skb, len), data, len);
> > -                       skb->dev = zd->dev;
> >                         skb->dev->last_rx = jiffies;
> >                         skb->protocol = eth_type_trans(skb, zd->dev);
> >                         zd->stats.rx_packets++;
> > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> >                         memcpy(skb_put(skb, 2), &data[6], 2);
> >                         memcpy(skb_put(skb, len), data+8, len);
> >                 }
> > -               skb->dev = zd->dev;
> >                 skb->dev->last_rx = jiffies;
> >                 skb->protocol = eth_type_trans(skb, zd->dev);
> >                 zd->stats.rx_packets++;
> > }}}
> > 
> 
> Arnaldo, we have a pretty solid report here that your
> 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.

In 2.6.22 and later, eth_type_trans() sets skb->dev.  It looks like the
lines that set last_rx in the patch above should be moved below the
eth_type_trans() lines, otherwise they'll likely oops.

Something like this is probably in order?

diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 6cb66a3..935b144 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
                        memcpy(skb_put(skb, 6), &data[datalen-8], 6);
                        memcpy(skb_put(skb, 2), &data[datalen-24], 2);
                        memcpy(skb_put(skb, len), data, len);
-                       skb->dev = zd->dev;
-                       skb->dev->last_rx = jiffies;
                        skb->protocol = eth_type_trans(skb, zd->dev);
+                       skb->dev->last_rx = jiffies;
                        zd->stats.rx_packets++;
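Review bot: The `-skb->dev = zd->dev;` line in this hunk will not match the tree the bug is reported against, because the patch-2.6.22 extract quoted above already removed it, and the `index 6cb66a3..935b144` header is carried over from that older patch. Regenerate the diff against the current file so the hunk only moves `skb->dev->last_rx = jiffies;` below `eth_type_trans(skb, zd->dev)`.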
@@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
                        memcpy(skb_put(skb, 2), &data[6], 2);
                        memcpy(skb_put(skb, len), data+8, len);
                }
-               skb->dev = zd->dev;
-               skb->dev->last_rx = jiffies;
                skb->protocol = eth_type_trans(skb, zd->dev);
+               skb->dev->last_rx = jiffies;
                zd->stats.rx_packets++;
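Review bot: The context and changed lines in this hunk are indented with spaces, which suggests the diff was pasted or hand-edited rather than generated; if the file is tab-indented it will not apply, so please resend unmodified `git diff` output. The reordering itself, `eth_type_trans()` first and the `last_rx` store after it, matches the explanation given for the oops.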

Dan


* [PATCH] zd1201: avoid null ptr access of skb->dev
From: John W. Linville @ 2007-10-17 21:10 UTC
  To: Andrew Morton
  Cc: Arnaldo Carvalho de Melo, netdev, linux-wireless, zairasai,
	John W. Linville

skb->dev is not set until eth_type_trans is called...

Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 drivers/net/wireless/zd1201.c        |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 935b144..d5c0c66 100644
--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -327,8 +327,8 @@ static void zd1201_usbrx(struct urb *urb)
 			memcpy(skb_put(skb, 6), &data[datalen-8], 6);
 			memcpy(skb_put(skb, 2), &data[datalen-24], 2);
 			memcpy(skb_put(skb, len), data, len);
-			skb->dev->last_rx = jiffies;
 			skb->protocol = eth_type_trans(skb, zd->dev);
+			skb->dev->last_rx = jiffies;
 			zd->stats.rx_packets++;
 			zd->stats.rx_bytes += skb->len;
 			netif_rx(skb);
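Review bot: With `skb->dev->last_rx = jiffies;` placed after `eth_type_trans(skb, zd->dev)`, the store is only safe because of that call's side effect on `skb->dev`, and nothing at the call site says so. Either add a one-line comment to that effect, or write `zd->dev->last_rx = jiffies;`, which names the device directly and cannot regress if these lines are reordered again.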
@@ -384,8 +384,8 @@ static void zd1201_usbrx(struct urb *urb)
 			memcpy(skb_put(skb, 2), &data[6], 2);
 			memcpy(skb_put(skb, len), data+8, len);
 		}
-		skb->dev->last_rx = jiffies;
 		skb->protocol = eth_type_trans(skb, zd->dev);
+		skb->dev->last_rx = jiffies;
 		zd->stats.rx_packets++;
 		zd->stats.rx_bytes += skb->len;
 		netif_rx(skb);
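Review bot: Counting this hunk and the previous one, the patch is 2 insertions and 2 deletions in one file, but the diffstat says `2 files changed, 3 insertions(+), 3 deletions(-)`, so either a hunk for a second file was dropped or the stat is stale; please regenerate it. The changelog would also be easier to track if it named bug 9179 and the commit that removed the `skb->dev` assignment.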
-- 
1.5.2.4



* Re: [Bugme-new] [Bug 9179] New: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
From: Arnaldo Carvalho de Melo @ 2007-10-17 22:49 UTC
  To: Dan Williams
  Cc: Andrew Morton, bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r,
	netdev-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA,
	zairasai-gM/Ye1E23mwN+BqQ9rBEUg

On Wed, Oct 17, 2007 at 04:46:51PM -0400, Dan Williams wrote:
> On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> > On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> > bugme-daemon-590EEB7GvNiWaY/ihj7yzEB+6BGkLq7r@public.gmane.org wrote:
> > 
> > > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > > 
> > >            Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > >            Product: Drivers
> > >            Version: 2.5
> > >      KernelVersion: 2.6.23.1
> > >           Platform: All
> > >         OS/Version: Linux
> > >               Tree: Mainline
> > >             Status: NEW
> > >           Severity: normal
> > >           Priority: P1
> > >          Component: network-wireless
> > >         AssignedTo: drivers_network-wireless-ztI5WcYan/vQLgFONoPN62D2FQJk+8+b@public.gmane.org
> > >         ReportedBy: zairasai-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org
> > > 
> > > 
> > > [1.] One line summary of the problem:
> > > 
> > > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > > 
> > > 
> > > 
> > > 
> > > [2.] Full description of the problem:
> > > 
> > > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > > initialization of the WLAN device, showing the following message:
> > > 
> > > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > > Kernel panic - not syncing: Fatal exception in interrupt
> > > 
> > > According to the init output during bootup, the panic seems to occur right when
> > > the WLAN device receives an IP address from the DHCP-Server of the
> > > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > > the ZyDAS 1201 chip.
> > > 
> > > As far as I know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > > than 2.6.21.7, but at least the ones I've tested (which are listed in the
> > > summary below). It also recently came up in some different
> > > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > > my machine/setup. A link to another report on this problem is included at the
> > > end of this report.
> > > 
> > > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > > which made things work as expected again; however, that is only meant as a
> > > hint, since I don't know why they were taken out or what other implications my
> > > change might have.
> > > 
> > > patch-2.6.22, lines 586509-586528:
> > > {{{
> > > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
> > > index 6cb66a3..935b144 100644
> > > --- a/drivers/net/wireless/zd1201.c
> > > +++ b/drivers/net/wireless/zd1201.c
> > > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> > >                         memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> > >                         memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> > >                         memcpy(skb_put(skb, len), data, len);
> > > -                       skb->dev = zd->dev;
> > >                         skb->dev->last_rx = jiffies;
> > >                         skb->protocol = eth_type_trans(skb, zd->dev);
> > >                         zd->stats.rx_packets++;
> > > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> > >                         memcpy(skb_put(skb, 2), &data[6], 2);
> > >                         memcpy(skb_put(skb, len), data+8, len);
> > >                 }
> > > -               skb->dev = zd->dev;
> > >                 skb->dev->last_rx = jiffies;
> > >                 skb->protocol = eth_type_trans(skb, zd->dev);
> > >                 zd->stats.rx_packets++;
> > > }}}
> > > 
> > 
> > Arnaldo, we have a pretty solid report here that your
> > 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.
> 
> In 2.6.22 and later, eth_type_trans() sets skb->dev.  It looks like the
> lines that set last_rx in the patch above should be moved below the
> eth_type_trans() lines, otherwise they'll likely oops.
> 
> Something like this is probably in order?

I think so, it's strange that this bisects to me, but Dan's change should
fix it.

- Arnaldo
