Bug 9179
| Summary: | 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver | | |
|---|---|---|---|
| Product: | Drivers | Reporter: | bugzillakernelorg.aut |
| Component: | network-wireless | Assignee: | drivers_network-wireless (drivers_network-wireless) |
| Status: | CLOSED CODE_FIX | | |
| Severity: | normal | CC: | acme, mcgrabowski |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 2.6.23.1 | Subsystem: | |
| Regression: | Yes | Bisected commit-id: | |
| Attachments: | 0001-zd1201-avoid-null-ptr-access-of-skb-dev.patch | | |

Description
bugzillakernelorg.aut
2007-10-17 11:34:52 UTC
Reply-To: akpm@linux-foundation.org On Wed, 17 Oct 2007 11:34:57 -0700 (PDT) bugme-daemon@bugzilla.kernel.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=9179 > > Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver > Product: Drivers > Version: 2.5 > KernelVersion: 2.6.23.1 > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: network-wireless > AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org > ReportedBy: zairasai@googlemail.com > > > [1.] One line summary of the problem: > > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver > > > > > [2.] Full description of the problem: > > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during > initialization of the WLAN device, showing the following message: > > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c > Kernel panic - not syncing: Fatal exception in interrupt > > According to the init output during bootup, the panic seems to occur right > when > the WLAN device receives an IP address from the DHCP-Server of the > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on > the ZyDAS 1201 chip. > > As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' > was > done in patch-2.6.22, so the bug probably affects all kernel versions later > than 2.6.21.7, but at least the ones i've tested (which are listed in the > summary below). It also recently came up in some different > distribution-specific forums/bugtrackers, so it does not seem to be specific > to > my machine/setup. A link to another report on this problem is included at the > end of this report. > > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have > been removed from 'drivers/net/wireless/zd1201.c'. 
I put those two lines > back, > which made things work as expected again; however, that is only meant as a > hint, since i don't know why they were taken out or what other implications > my > change might have. > > patch-2.6.22, lines 586509-586528: > {{{ > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c > index 6cb66a3..935b144 100644 > --- a/drivers/net/wireless/zd1201.c > +++ b/drivers/net/wireless/zd1201.c > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb) > memcpy(skb_put(skb, 6), &data[datalen-8], 6); > memcpy(skb_put(skb, 2), &data[datalen-24], 2); > memcpy(skb_put(skb, len), data, len); > - skb->dev = zd->dev; > skb->dev->last_rx = jiffies; > skb->protocol = eth_type_trans(skb, zd->dev); > zd->stats.rx_packets++; 
> @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb) > memcpy(skb_put(skb, 2), &data[6], 2); > memcpy(skb_put(skb, len), data+8, len); > } > - skb->dev = zd->dev; > skb->dev->last_rx = jiffies; > skb->protocol = eth_type_trans(skb, zd->dev); > zd->stats.rx_packets++; > }}} > Arnaldo, we have a pretty solid report here that your 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash. Reply-To: dcbw@redhat.com On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote: > On Wed, 17 Oct 2007 11:34:57 -0700 (PDT) > bugme-daemon@bugzilla.kernel.org wrote: > > > http://bugzilla.kernel.org/show_bug.cgi?id=9179 > > > > Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver > > Product: Drivers > > Version: 2.5 > > KernelVersion: 2.6.23.1 > > Platform: All > > OS/Version: Linux > > Tree: Mainline > > Status: NEW > > Severity: normal > > Priority: P1 > > Component: network-wireless > > AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org > > ReportedBy: zairasai@googlemail.com > > > > > > [1.] One line summary of the problem: > > > > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver > > > > > > > > > > [2.] Full description of the problem: > > > > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during > > initialization of the WLAN device, showing the following message: > > > > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c > > Kernel panic - not syncing: Fatal exception in interrupt > > > > According to the init output during bootup, the panic seems to occur right > when > > the WLAN device receives an IP address from the DHCP-Server of the > > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based > on > > the ZyDAS 1201 chip. 
> > > > As far as i know, the only recent change in 'drivers/net/wireless/zd1201.c' > was > > done in patch-2.6.22, so the bug probably affects all kernel versions later > > than 2.6.21.7, but at least the ones i've tested (which are listed in the > > summary below). It also recently came up in some different > > distribution-specific forums/bugtrackers, so it does not seem to be > specific to > > my machine/setup. A link to another report on this problem is included at > the > > end of this report. > > > > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 > have > > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines > back, > > which made things work as expected again; however, that is only meant as a > > hint, since i don't know why they were taken out or what other implications > my > > change might have. > > > > patch-2.6.22, lines 586509-586528: > > {{{ > > diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c > > index 6cb66a3..935b144 100644 > > --- a/drivers/net/wireless/zd1201.c > > +++ b/drivers/net/wireless/zd1201.c > > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb) > > memcpy(skb_put(skb, 6), &data[datalen-8], 6); > > memcpy(skb_put(skb, 2), &data[datalen-24], 2); > > memcpy(skb_put(skb, len), data, len); > > - skb->dev = zd->dev; > > skb->dev->last_rx = jiffies; > > skb->protocol = eth_type_trans(skb, zd->dev); > > zd->stats.rx_packets++; 
> > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb) > > memcpy(skb_put(skb, 2), &data[6], 2); > > memcpy(skb_put(skb, len), data+8, len); > > } > > - skb->dev = zd->dev; > > skb->dev->last_rx = jiffies; > > skb->protocol = eth_type_trans(skb, zd->dev); > > zd->stats.rx_packets++; > > }}} > > > > Arnaldo, we have a pretty solid report here that your > 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash. In 2.6.22 and later, eth_type_trans() sets skb->dev. It looks like the lines that set last_rx in the patch above should be moved below the eth_type_trans() lines, otherwise they'll likely oops. Something like this is probably in order? diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c index 6cb66a3..935b144 100644 --- a/drivers/net/wireless/zd1201.c +++ b/drivers/net/wireless/zd1201.c @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb) memcpy(skb_put(skb, 6), &data[datalen-8], 6); memcpy(skb_put(skb, 2), &data[datalen-24], 2); memcpy(skb_put(skb, len), data, len); - skb->dev = zd->dev; - skb->dev->last_rx = jiffies; skb->protocol = eth_type_trans(skb, zd->dev); + skb->dev->last_rx = jiffies; zd->stats.rx_packets++; @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb) memcpy(skb_put(skb, 2), &data[6], 2); memcpy(skb_put(skb, len), data+8, len); } - skb->dev = zd->dev; - skb->dev->last_rx = jiffies; skb->protocol = eth_type_trans(skb, zd->dev); + skb->dev->last_rx = jiffies; zd->stats.rx_packets++; Dan
Created attachment 13190 [details]
0001-zd1201-avoid-null-ptr-access-of-skb-dev.patch
Same idea...
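Review bot: Dan Williams's inline patch above would not apply cleanly to a 2.6.22 or 2.6.23.1 tree, because both hunks still carry `- skb->dev = zd->dev;` together with the original `index 6cb66a3..935b144` line and the `@@ -327,7 +327,6 @@` / `@@ -385,7 +384,6 @@` headers, while the report states that this assignment was already removed in patch-2.6.22. Regenerate the diff against the current file so that each hunk only moves `skb->dev->last_rx = jiffies;` below `skb->protocol = eth_type_trans(skb, zd->dev);`. A short comment at the moved line saying that `eth_type_trans()` is what sets `skb->dev` would keep the ordering from being undone by a later cleanup.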
On Wed, Oct 17, 2007 at 04:46:51PM -0400, Dan Williams wrote:
> On Wed, 2007-10-17 at 13:27 -0700, Andrew Morton wrote:
> > On Wed, 17 Oct 2007 11:34:57 -0700 (PDT)
> > bugme-daemon@bugzilla.kernel.org wrote:
> >
> > > http://bugzilla.kernel.org/show_bug.cgi?id=9179
> > >
> > > Summary: 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > > Product: Drivers
> > > Version: 2.5
> > > KernelVersion: 2.6.23.1
> > > Platform: All
> > > OS/Version: Linux
> > > Tree: Mainline
> > > Status: NEW
> > > Severity: normal
> > > Priority: P1
> > > Component: network-wireless
> > > AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
> > > ReportedBy: zairasai@googlemail.com
> > >
> > >
> > > [1.] One line summary of the problem:
> > >
> > > 2.6.23.1 / USB_ZD1201: Kernel panic with zd1201 driver
> > >
> > >
> > >
> > >
> > > [2.] Full description of the problem:
> > >
> > > The zd1201-driver (symbol: USB_ZD1201) triggers a kernel panic during
> > > initialization of the WLAN device, showing the following message:
> > >
> > > EIP: [<e095e1d1>] zd1201_usbrx+0x6e1/0xbb0 [zd1201] SS:ESP 0068:c0469d7c
> > > Kernel panic - not syncing: Fatal exception in interrupt
> > >
> > > According to the init output during bootup, the panic seems to occur right when
> > > the WLAN device receives an IP address from the DHCP-Server of the
> > > WLAN/DSL-Router. The WLAN device is (in my case) a 'Belkin F5D6051' based on
> > > the ZyDAS 1201 chip.
> > >
> > > As far as I know, the only recent change in 'drivers/net/wireless/zd1201.c' was
> > > done in patch-2.6.22, so the bug probably affects all kernel versions later
> > > than 2.6.21.7, but at least the ones I've tested (which are listed in the
> > > summary below). It also recently came up in some different
> > > distribution-specific forums/bugtrackers, so it does not seem to be specific to
> > > my machine/setup. A link to another report on this problem is included at the
> > > end of this report.
> > >
> > > Below is an extract of patch-2.6.22, showing that the lines 330 and 388 have
> > > been removed from 'drivers/net/wireless/zd1201.c'. I put those two lines back,
> > > which made things work as expected again; however, that is only meant as a
> > > hint, since I don't know why they were taken out or what other implications my
> > > change might have.
> > >
> > > patch-2.6.22, lines 586509-586528:
> > > {{{
> > > diff --git a/drivers/net/wireless/zd1201.c
> b/drivers/net/wireless/zd1201.c
> > > index 6cb66a3..935b144 100644
> > > --- a/drivers/net/wireless/zd1201.c
> > > +++ b/drivers/net/wireless/zd1201.c
> > > @@ -327,7 +327,6 @@ static void zd1201_usbrx(struct urb *urb)
> > > memcpy(skb_put(skb, 6), &data[datalen-8], 6);
> > > memcpy(skb_put(skb, 2), &data[datalen-24], 2);
> > > memcpy(skb_put(skb, len), data, len);
> > > - skb->dev = zd->dev;
> > > skb->dev->last_rx = jiffies;
> > > skb->protocol = eth_type_trans(skb, zd->dev);
> > > zd->stats.rx_packets++;
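Review bot: With `skb->dev = zd->dev;` removed, the next line `skb->dev->last_rx = jiffies;` dereferences `skb->dev` although nothing in the visible lines assigns it first; the only remaining place it can be set is the `eth_type_trans(skb, zd->dev)` call one line later. Either move the `last_rx` update below the `eth_type_trans()` call, or write `zd->dev->last_rx = jiffies;` so the timestamp update does not depend on the skb's device pointer at all.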
> > > @@ -385,7 +384,6 @@ static void zd1201_usbrx(struct urb *urb)
> > > memcpy(skb_put(skb, 2), &data[6], 2);
> > > memcpy(skb_put(skb, len), data+8, len);
> > > }
> > > - skb->dev = zd->dev;
> > > skb->dev->last_rx = jiffies;
> > > skb->protocol = eth_type_trans(skb, zd->dev);
> > > zd->stats.rx_packets++;
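Review bot: Duplicated delivery tail: the three lines following the removed assignment in this second receive path (`last_rx` update, `eth_type_trans()`, `rx_packets++`) are identical to those in the hunk at -327, so the ordering has to be corrected at both sites and can drift apart again later. Consider moving that tail into one small static helper taking `zd` and `skb`, so the required order (set the device via `eth_type_trans()`, then touch `last_rx`) lives in a single place.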
> > > }}}
> > >
> >
> > Arnaldo, we have a pretty solid report here that your
> > 4c13eb6657fe9ef7b4dc8f1a405c902e9e5234e0 made this driver go crash.
>
> In 2.6.22 and later, eth_type_trans() sets skb->dev. It looks like the
> lines that set last_rx in the patch above should be moved below the
> eth_type_trans() lines, otherwise they'll likely oops.
>
> Something like this is probably in order?
I think so, it's strange that this bisects to me, but Dan's change should
fix it.
- Arnaldo
(In reply to comment #3)
> Created an attachment (id=13190) [details]
> 0001-zd1201-avoid-null-ptr-access-of-skb-dev.patch
>
> Same idea...

I've been testing this patch with 2.6.23.1 for several hours of normal use now; everything works perfectly so far. Thanks from my side.

Any word on when this fix might be implemented? My friend is experiencing this problem. And with both of us being a little newer to Linux, I'd prefer not to get into re-compiling the Kernel if we don't have to. Thanks.