Date: Wed, 12 Mar 2014 18:34:46 +0100
From: Martin Pitt
To: Fengguang Wu
Cc: Johannes Berg, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [mac80211_hwsim] BUG: unable to handle kernel paging request at ce1db404
Message-ID: <20140312173446.GD2983@piware.de>
References: <20140305125703.GA7193@localhost> <20140305132317.GB10880@localhost> <20140308121138.GA8359@localhost>
In-Reply-To: <20140308121138.GA8359@localhost>

Fengguang Wu [2014-03-08 20:11 +0800]:
> [ 4.429993] mac80211_hwsim: ieee80211_register_hw failed (-2)
> [...]
> [ 4.431924] [] get_device+0xf/0x17
> [ 4.431924] [] driver_detach+0x38/0x8f
> [ 4.431924] [] bus_remove_driver+0x53/0x66
> [ 4.431924] [] driver_unregister+0x38/0x3d
> [ 4.431924] [] platform_driver_unregister+0xb/0xd
> [ 4.431924] [] init_mac80211_hwsim+0x3a5/0x3b6

So that first message is from

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/wireless/mac80211_hwsim.c?id=9ea927748#n2428

At this point we registered the platform driver and the class, and it
should have created two devices (at least for the default radios=2).

What's odd is that I don't see this printk in your kernel log:

  mac80211_hwsim: Initializing radio %d

If for some reason "radio" is 0, it would not show this and not
initialize data->dev, but then you shouldn't get to
ieee80211_register_hw() either as it's in the same loop.
So that's a bit of a mystery to me.

On failure, above ieee80211_register_hw() jumps to the cleanup:

| failed_hw:
|     device_unregister(data->dev);
| failed_drvdata:
|     ieee80211_free_hw(hw);
| failed:
|     mac80211_hwsim_free();
| failed_unregister_driver:
|     driver_unregister(&mac80211_hwsim_driver);
|     return err;
| }

The mac80211_hwsim_free() function again calls
device_unregister(data->dev) for a list (not sure which, I'm not
certain how to interpret
list_for_each_entry_safe(data, tmpdata, &tmplist, list))

Could that be the double free causing the memory corruption? If you
are in a position to do quick builds and tests, does the crash go away
with this?

  printk(KERN_DEBUG "mac80211_hwsim: device_bind_driver failed (%d)\n", err);
- goto failed_hw;
+ goto failed_drvdata;
  }

(I'm not claiming that this is correct, just taking a stab at
understanding what happens)

If not, does it go away with changing the goto to
failed_unregister_driver()?

Thanks,

Martin
-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
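
Review bot: the changed `goto` sits in the branch that prints "device_bind_driver failed", while the quoted log shows "ieee80211_register_hw failed (-2)", so as far as the visible lines go this hunk does not alter the failure path that was actually taken before the oops. If the test is meant to exercise the reported crash, the same label change would be needed on the goto after the ieee80211_register_hw() failure. Separately, jumping to `failed_drvdata` skips the `device_unregister(data->dev)` under `failed_hw`, so the device is released only if mac80211_hwsim_free() reaches this `data`; the quoted ladder does not show whether the entry is on that list at the failure point, and if it is not, the change trades a possible double unregister for a leaked device. Worth stating the list membership at each failure site in the change description.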
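
The question raised in the message, whether the `failed_hw` label plus the list walk releases the same device twice, comes down to whether the failing entry is already on the list when the jump happens. The following user-space model is an added example, not code from the kernel or from the message; every name in it is hypothetical, and `listed_first` stands for the list-membership fact the message leaves open.

```c
/* Added illustration: user-space model of a goto cleanup ladder.
 * All names are hypothetical; this is not the mac80211_hwsim code. */
#include <stdio.h>

#define NRADIOS 2

struct radio { int on_list; int unregs; };
enum target { FAILED_HW, FAILED_DRVDATA };

static void dev_unregister(struct radio *r) { r->unregs++; }

/* Models the list walk in the free function: unregister every listed entry. */
static void free_all(struct radio *r, int n)
{
    for (int i = 0; i < n; i++)
        if (r[i].on_list) { dev_unregister(&r[i]); r[i].on_list = 0; }
}

/* Radio `fail_at` fails its setup step. `listed_first` (assumption) says
 * whether the entry was put on the list before the failure point.
 * Returns the unregister count of the failing radio:
 * 1 = released once, 2 = double unregister, 0 = leaked, -1 = no failure. */
int failing_radio_unregs(int fail_at, int listed_first, enum target t)
{
    struct radio r[NRADIOS] = {{0}};
    int i;

    for (i = 0; i < NRADIOS; i++) {
        if (listed_first) r[i].on_list = 1;
        if (i == fail_at) {
            if (t == FAILED_HW) goto failed_hw;
            goto failed_drvdata;
        }
        r[i].on_list = 1;          /* success: entry is listed */
    }
    return -1;

failed_hw:
    dev_unregister(&r[i]);         /* then falls through to the next label */
failed_drvdata:                    /* model folds the later labels into one */
    free_all(r, NRADIOS);
    return r[fail_at].unregs;
}

int main(void)
{
    for (int l = 0; l <= 1; l++)
        printf("listed_first=%d: failed_hw=%d failed_drvdata=%d\n", l,
               failing_radio_unregs(1, l, FAILED_HW),
               failing_radio_unregs(1, l, FAILED_DRVDATA));
    return 0;
}
```

In the model, jumping to the earlier label is only a double release when the entry is already listed; when it is not, jumping to the later label leaves the failing device unreleased.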