Return-path: Received: from mog.warmcat.com ([62.193.232.24]:56530 "EHLO mailserver.mog.warmcat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754810AbXGaTpH (ORCPT ); Tue, 31 Jul 2007 15:45:07 -0400 Received: from armbox7.home.warmcat.com (cpc1-nthc5-0-0-cust289.nrth.cable.ntl.com [82.29.29.34]) by mailserver.mog.warmcat.com (Postfix) with ESMTP id 25D9C8CAD8 for ; Tue, 31 Jul 2007 21:44:59 +0200 (CEST) Received: from meerkat.home.warmcat.com (localhost [127.0.0.1]) by armbox7.home.warmcat.com (Postfix) with ESMTP id 36153FD14 for ; Tue, 31 Jul 2007 19:45:10 +0000 (UTC) Message-ID: <46AF913F.9010006@warmcat.com> Date: Tue, 31 Jul 2007 20:45:03 +0100 From: Andy Green MIME-Version: 1.0 To: linux-wireless@vger.kernel.org Subject: libertas: blows chunks on failed firmware load Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-wireless-owner@vger.kernel.org List-ID: Hi folks - I realize I am slightly pushing my luck, but I added this el-cheapo 88W8338 -based "Compoint EVWL-GI-700S" USB stick's USB ID "0x1286, 0x1fab" to libertas/usb8xxx.c and chanced my arm. I was rewarded with PM: Adding info for No Bus:msh0 PM: Adding info for No Bus:5-4 PM: Removing info for No Bus:5-4 libertas: request_firmware() failed with 0xfffffffe libertas: firmware usb8388.bin not found libertas: firmware init failed PM: Removing info for No Bus:msh0 kfree_debugcheck: out of range ptr 6b6b6b6bh. ------------[ cut here ]------------ kernel BUG at mm/slab.c:2825! invalid opcode: 0000 [#1] SMP Modules linked in: usb8xxx libertas ieee80211 ieee80211_crypt iwl3945 rt73usb rt2x00usb rt2x00lib rfkill input_polldev crc_itu_t mac80211 cfg80211 vfat fat vmnet(P) vmmon(P) snd_rtctimer usb_storage autofs4 aes nf_conntrack_netbios_ns ipt_REJECT nf_conntrack_ipv4 xt_state nf_conntrack nfnetlink xt_tcpudp iptable_filter ip_tables x_tables cpufreq_ondemand acpi_cpufreq video output sbs button dock battery ac lp loop snd_hda_intel snd_seq_dummy arc4 snd_seq_oss ecb blkcipher snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss sr_mod snd_mixer_oss snd_pcm rtc_cmos cdrom snd_timer snd b44 ssb parport iTCO_wdt iTCO_vendor_support soundcore serio_raw ata_piix rtc_core rtc_lib ata_generic snd_page_alloc mii sg ahci libata sd_mod scsi_mod ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd CPU: 1 EIP: 0060:[] Tainted: P VLI EFLAGS: 00010086 (2.6.23-rc1 #1) EIP is at kfree_debugcheck+0x29/0x2f eax: 00000031 ebx: f48c2600 ecx: c0422e7d edx: c8ea9060 esi: ea1d1338 edi: 6b6b6b6b ebp: e3a0ed6c esp: e3a0ed64 ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068 Process modprobe (pid: 6761, ti=e3a0e000 task=c8ea9060 task.ti=e3a0e000) Stack: c06c7131 6b6b6b6b e3a0ed84 c047ba96 00000202 f48c2600 ea1d1338 ea1d12e0 e3a0edc0 f8dd4b28 f8dd00d8 ffffff10 c0447a00 f8dd6ec8 e3a0edb0 c0579b2d f8dd6ec8 ee3602c0 d9a926b8 ed449e38 ee3602c0 f8dd6d40 f8dd6d90 e3a0edd0 Call Trace: [] show_trace_log_lvl+0x1a/0x2f [] show_stack_log_lvl+0x9b/0xa3 [] show_registers+0x1b8/0x289 [] die+0x113/0x246 [] do_trap+0x8a/0xa3 [] do_invalid_op+0x88/0x92 [] error_code+0x72/0x78 [] kfree+0x25/0xdb [] if_usb_probe+0x412/0x427 [usb8xxx] [] usb_probe_interface+0x6a/0xa0 [] driver_probe_device+0xe9/0x16a [] __driver_attach+0x76/0xaf [] bus_for_each_dev+0x3a/0x5f [] driver_attach+0x19/0x1b [] bus_add_driver+0x79/0x181 [] driver_register+0x67/0x6c [] usb_register_driver+0x7e/0xe5 [] if_usb_init_module+0x76/0xcc [usb8xxx] [] sys_init_module+0x13b5/0x1503 [] sysenter_past_esp+0x5f/0x99 ======================= Code: 5d c3 55 89 c2 8d 80 00 00 00 40 89 e5 c1 e8 0c 83 ec 08 3b 05 04 33 a8 c0 72 14 89 54 24 04 c7 04 24 31 71 6c c0 e8 a8 ff fa ff <0f> 0b eb fe c9 c3 55 89 e5 57 31 ff 56 89 c6 53 89 d3 83 ec 10 EIP: [] kfree_debugcheck+0x29/0x2f SS:ESP 0068:e3a0ed64 Basically the error path for "can't load firmware" seems to double free? It seems that by the time we arrive at kfree(priv->adapter); at if_usb.c:234 in if_usb_probe(), priv has already been freed or crapped on to point to somewhere that has been freed. I had a quick look around, it looked to me like there might be a mistake in main.c:867, in int libertas_activate_card(wlan_private *priv, char *fw_name) where it might jump to the wrong level of error unpicking code, but it didn't fix it. if (priv->hw_register_dev(priv) < 0) { lbs_pr_err("failed to register WLAN device\n"); goto err_registerdev; } /* init FW and HW */ if (fw_name && libertas_init_fw(priv, fw_name)) { lbs_pr_err("firmware init failed\n"); // goto err_registerdev; // !!! <--- seems wrong goto err_init_fw; } if (register_netdev(dev)) { lbs_pr_err("cannot register ethX device\n"); goto err_init_fw; } lbs_pr_info("%s: Marvell WLAN 802.11 adapter\n", dev->name); libertas_debugfs_init_one(priv, dev); ret = 0; goto done; err_init_fw: priv->hw_unregister_dev(priv); err_registerdev: destroy_workqueue(priv->assoc_thread); /* Stop the thread servicing the interrupts */ Even when I provided it with firmware, it dropped dead the same way just with this additional info before: PM: Adding info for No Bus:msh0 PM: Adding info for No Bus:5-4 PM: Removing info for No Bus:5-4 usb8xxx: failed to load fw, resetting device! usb 5-4: reset high speed USB device using ehci_hcd and address 3 usb 5-4: device descriptor read/64, error -71 usb 5-4: device descriptor read/64, error -71 usb 5-4: reset high speed USB device using ehci_hcd and address 3 usb 5-4: device descriptor read/64, error -71 usb 5-4: device descriptor read/64, error -71 usb 5-4: reset high speed USB device using ehci_hcd and address 3 usb 5-4: device descriptor read/8, error 0 usb 5-4: device descriptor read/8, error 0 usb 5-4: reset high speed USB device using ehci_hcd and address 3 usb 5-4: device descriptor read/8, error 0 usb 5-4: device descriptor read/8, error 0 usb 5-4: USB disconnect, address 3 libertas: firmware init failed PM: Removing info for No Bus:msh0 kfree_debugcheck: out of range ptr 6b6b6b6bh. ------------[ cut here ]------------ kernel BUG at mm/slab.c:2825! ... Of course this can be due to the luck-pushing, but it seemed it might also be a genuine problem with the error handling. -Andy