Return-path:
Received: from mail-la0-f50.google.com ([209.85.215.50]:32799 "EHLO mail-la0-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752515AbbERRiW (ORCPT ); Mon, 18 May 2015 13:38:22 -0400
Received: by lagr1 with SMTP id r1so149004412lag.0 for ; Mon, 18 May 2015 10:38:21 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <555A05DC.8080704@lwfinger.net>
References: <55575AC8.2060301@lwfinger.net> <5557844B.4040108@lwfinger.net> <55586D8D.7040407@gmail.com> <555A05DC.8080704@lwfinger.net>
Date: Mon, 18 May 2015 20:38:20 +0300
Message-ID: (sfid-20150518_193826_439571_302C753D)
Subject: Re: kernel page fault in r8712u
From: Haggai Eran
To: Larry Finger
Cc: Arend van Spriel , Florian Schilhabel , linux-wireless@vger.kernel.org
Content-Type: text/plain; charset=UTF-8
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

On 18 May 2015 at 18:31, Larry Finger wrote:
> On 05/17/2015 02:22 PM, Haggai Eran wrote:
>>
>> I added some debugging prints, trying to see more details about the
>> packet that fails the r8712_validate_recv_frame. I noticed I'm getting
>> many packets where recv_decache returns _FAIL. However, the last two
>> packets before the crash fail for different reasons. The first has the
>> ver field set to 3 (instead of zero). The second (the one that gets
>> freed and causes the crash apparently) has an unknown type (12). If I'm
>> not mistaken, 12 = WIFI_CTRL_TYPE | WIFI_DATA_TYPE. Is that possible?
>>
>> It could be that the packet headers are garbled though.
>
>
> I think the headers are garbled. Did you log the address of the skb at
> precvframe->u.hdr.pkt in r8712_free_recvframe() or orig_prframe->u.hdr.pct
> in recv_func()?

I haven't. I'll print that.

>
> I am still dubious of the cast "prframe = (union recv_frame *)pcontext;" in
> recv_func().

Why? As far as I can see, recv_func is called only at one place
(r8712_recv_entry), where it is passed a union recv_frame * as the
pcontext parameter.

Haggai
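
The two rejected headers described in the message above (ver = 3, and type = 12 with both type bits set) can be reproduced with a small frame-control decoder. This is an added example, not code from the r8712u driver or from anyone in the thread; `fc_classify`, the `FC_*` names and the sample bytes are hypothetical, and the bit layout is the IEEE 802.11 Frame Control field (bits 0-1 version, bits 2-3 type).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.11 Frame Control: bits 0-1 protocol version, bits 2-3 type. */
#define FC_VER_MASK  0x0003u
#define FC_TYPE_MASK 0x000cu
#define FC_TYPE_MGMT 0x0000u
#define FC_TYPE_CTRL 0x0004u /* assumed value; consistent with CTRL|DATA = 12 */
#define FC_TYPE_DATA 0x0008u /* assumed value; consistent with CTRL|DATA = 12 */

enum fc_verdict { FC_OK_MGMT, FC_OK_CTRL, FC_OK_DATA,
                  FC_BAD_LEN, FC_BAD_VERSION, FC_BAD_TYPE };

/* Hypothetical helper: classify a frame from the first two header bytes. */
enum fc_verdict fc_classify(const uint8_t *buf, size_t len)
{
    uint16_t fc;

    if (buf == NULL || len < 2)
        return FC_BAD_LEN;               /* too short to hold Frame Control */
    fc = (uint16_t)(buf[0] | (buf[1] << 8)); /* field is little-endian */

    if ((fc & FC_VER_MASK) != 0)
        return FC_BAD_VERSION;           /* e.g. the "ver = 3" frame */
    switch (fc & FC_TYPE_MASK) {
    case FC_TYPE_MGMT: return FC_OK_MGMT;
    case FC_TYPE_CTRL: return FC_OK_CTRL;
    case FC_TYPE_DATA: return FC_OK_DATA;
    default:           return FC_BAD_TYPE; /* both type bits set: value 12 */
    }
}

/* Constructed sample headers, not captured traffic. */
static const uint8_t sample_data[]   = { 0x08, 0x02 }; /* data frame, ver 0 */
static const uint8_t sample_ver3[]   = { 0x0b, 0x00 }; /* version bits = 3 */
static const uint8_t sample_type12[] = { 0x0c, 0x00 }; /* type bits = 12 */

int main(void)
{
    printf("data=%d ver3=%d type12=%d short=%d\n",
           fc_classify(sample_data, sizeof(sample_data)),
           fc_classify(sample_ver3, sizeof(sample_ver3)),
           fc_classify(sample_type12, sizeof(sample_type12)),
           fc_classify(sample_data, 1));
    return 0;
}
```

A masked type of 12 matches none of the management, control or data values, so the decoder reports it separately from a bad version.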