BUG: oops when "rmmod ipw2200"

BUG: oops when "rmmod ipw2200"

[Holger Schurig]

This happened on wireless-testing v2.6.32-rc6-41575-g5e68bfb. I
modprobed ipw2200, put it into monitor mode, used tshark a while to
monitor, then I stopped tshark, "ifconfig eth2 down" and finally
"rmmod ipw2200", and voila:

[  917.189620] ------------[ cut here ]------------
[  917.189717] kernel BUG at net/wireless/core.c:543!
[  917.189805] invalid opcode: 0000 [#1] PREEMPT SMP
[  917.190002] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:02:0d.0/firmware/0000:02:0d.0/loading
[  917.190136] Modules linked in: lib80211_crypt_wep ipw2200(-) libipw lib80211 ath5k mac80211 ath cfg80211 psmouse uhci_hcd
[  917.190680]
[  917.190759] Pid: 1763, comm: rmmod Not tainted (2.6.32-rc6-wl #26) Amilo M1425
[  917.190886] EIP: 0060:[<f8accf34>] EFLAGS: 00010202 CPU: 0
[  917.190992] EIP is at wiphy_unregister+0xd3/0x175 [cfg80211]
[  917.191083] EAX: f601d4c4 EBX: 00000000 ECX: 00000000 EDX: f79e8600
[  917.191176] ESI: f601d400 EDI: f95b4350 EBP: f6009eb4 ESP: f6009e8c
[  917.191269]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  917.191360] Process rmmod (pid: 1763, ti=f6008000 task=f79e8130 task.ti=f6008000)
[  917.191486] Stack:
[  917.191562]  f601d5a0 f601d484 f6460e98 f6009ea0 c01407ee f6009eb8 00000246 f64604c0
[  917.191916] <0> f6460e5c f95b4350 f6009ec0 f94fd030 f6460e98 f6009edc f95a9d4f f787bc00
[  917.192100] <0> f787bc58 f787bc00 f95b4350 f95b4350 f6009ee8 c0207fca f787bc58 f6009ef8
[  917.192100] Call Trace:
[  917.192100]  [<c01407ee>] ? trace_hardirqs_on+0xb/0xd
[  917.192100]  [<f94fd030>] ? unregister_ieee80211+0xe/0x27 [libipw]
[  917.192100]  [<f95a9d4f>] ? ipw_pci_remove+0x59/0x227 [ipw2200]
[  917.192100]  [<c0207fca>] ? pci_device_remove+0x19/0x39
[  917.192100]  [<c02b93a4>] ? __device_release_driver+0x59/0x9d
[  917.192100]  [<c02b944f>] ? driver_detach+0x67/0x85
[  917.192100]  [<c02b88d6>] ? bus_remove_driver+0x69/0x85
[  917.192100]  [<c02b9878>] ? driver_unregister+0x4d/0x54
[  917.192100]  [<c02081c3>] ? pci_unregister_driver+0x28/0x71
[  917.192100]  [<f95a9cf4>] ? ipw_exit+0x1c/0x1e [ipw2200]
[  917.192100]  [<c0148e2b>] ? sys_delete_module+0x192/0x1ef
[  917.192100]  [<c0162cdb>] ? remove_vma+0x52/0x58
[  917.192100]  [<c01028bb>] ? sysenter_exit+0xf/0x18
[  917.192100]  [<c0102888>] ? sysenter_do_call+0x12/0x36
[  917.192100] Code: 74 07 e8 81 bc 8c c7 eb c8 8d 55 e0 89 f8 e8 d6 6d 66 c7 8b 45 dc 31 d2 e8 81 cc 8c c7 8d 86 c4 00 00 00 39 86 c4 00 00 00 74 04 <0f> 0b eb fe 8b 45 dc 8d 5e 0c e8 5a cc 8c c7 8b 86 94 03 00 00
[  917.192100] EIP: [<f8accf34>] wiphy_unregister+0xd3/0x175 [cfg80211] SS:ESP 0068:f6009e8c
[  917.203718] ---[ end trace bcaaf449945a5100 ]---

--
http://www.holgerschurig.de

Re: BUG: oops when "rmmod ipw2200"

[John W. Linville]

On Thu, Nov 05, 2009 at 03:59:16PM +0100, Holger Schurig wrote:
> This happened on wireless-testing v2.6.32-rc6-41575-g5e68bfb. I
> modprobed ipw2200, put it into monitor mode, used tshark a while to
> monitor, then I stopped tshark, "ifconfig eth2 down" and finally
> "rmmod ipw2200", and voila:
> 
> [  917.189620] ------------[ cut here ]------------
> [  917.189717] kernel BUG at net/wireless/core.c:543!
> [  917.189805] invalid opcode: 0000 [#1] PREEMPT SMP
> [  917.190002] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:02:0d.0/firmware/0000:02:0d.0/loading
> [  917.190136] Modules linked in: lib80211_crypt_wep ipw2200(-) libipw lib80211 ath5k mac80211 ath cfg80211 psmouse uhci_hcd

<snip>

Crud...this has to be the following:

commit e6c5fc53d0f44a772398402ee8a1879818e42b4e
Author: Zhu Yi <yi.zhu@intel.com>
Date:   Thu Oct 15 14:50:28 2009 +0800

    ipw2200: fix oops on missing firmware
    
    For non-monitor interfaces, the syntax for alloc_ieee80211/free_80211
    is wrong. Because alloc_ieee80211 only creates (wiphy_new) a wiphy, but
    free_80211() does wiphy_unregister() also. This is only correct when
    the later wiphy_register() is called successfully, which apparently
    is not the case for your fw doesn't exist one.
    
    Signed-off-by: Zhu Yi <yi.zhu@intel.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>

Can you revert that and attempt to recreate?

John
-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.

Re: BUG: oops when "rmmod ipw2200"

[Holger Schurig]

At Thu, 5 Nov 2009 10:33:29 -0500,
> Crud...this has to be the following:
> 
> commit e6c5fc53d0f44a772398402ee8a1879818e42b4e
...
 
> Can you revert that and attempt to recreate?

After reverting this, the oops went away.


I just get some leak message, but I can ignore this message for now (I
use this device only for monitoring the other devices ...).

[ 2935.225315] lib80211: common routines for IEEE802.11 drivers
[ 2935.225447] lib80211_crypt: registered algorithm 'NULL'
[ 2935.233860] ieee80211: 802.11 data/management/control stack, git-1.1.13
[ 2935.233911] ieee80211: Copyright (C) 2004-2005 Intel Corporation <jketreno@linux.intel.com>
[ 2935.244407] ipw2200: Intel(R) PRO/Wireless 2200/2915 Network Driver, 1.2.2kmpr
[ 2935.244459] ipw2200: Copyright(c) 2003-2006 Intel Corporation
[ 2935.244637] ipw2200 0000:02:0d.0: PCI INT A -> Link[LNKA] -> GSI 11 (level, low) -> IRQ 11
[ 2935.245503] ipw2200: Detected Intel PRO/Wireless 2200BG Network Connection
[ 2935.245910] ipw2200 0000:02:0d.0: firmware: requesting ipw2200-bss.fw
[ 2935.433770] ipw2200: Detected geography ZZR (14 802.11bg channels, 0 802.11a channels)
[ 2935.606417] lib80211_crypt: registered algorithm 'WEP'
[ 2937.377928] ipw2200 0000:02:0d.0: firmware: requesting ipw2200-sniffer.fw
[ 2939.391363] warning: `tshark' uses 32-bit capabilities (legacy support in use)
[ 2941.657345] device eth2 entered promiscuous mode
[ 2943.028308] device eth2 left promiscuous mode
[ 2948.818739] __dev_addr_discard: address leakage! da_users=1
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[ 2949.076876] ipw2200 0000:02:0d.0: PCI INT A disable

Re: BUG: oops when "rmmod ipw2200"

[Zhu Yi]

On Thu, 2009-11-05 at 23:33 +0800, John W. Linville wrote:
> On Thu, Nov 05, 2009 at 03:59:16PM +0100, Holger Schurig wrote:
> > This happened on wireless-testing v2.6.32-rc6-41575-g5e68bfb. I
> > modprobed ipw2200, put it into monitor mode, used tshark a while to
> > monitor, then I stopped tshark, "ifconfig eth2 down" and finally
> > "rmmod ipw2200", and voila:
> > 
> > [  917.189620] ------------[ cut here ]------------
> > [  917.189717] kernel BUG at net/wireless/core.c:543!
> > [  917.189805] invalid opcode: 0000 [#1] PREEMPT SMP
> > [  917.190002] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:02:0d.0/firmware/0000:02:0d.0/loading
> > [  917.190136] Modules linked in: lib80211_crypt_wep ipw2200(-) libipw lib80211 ath5k mac80211 ath cfg80211 psmouse uhci_hcd
> 
> <snip>
> 
> Crud...this has to be the following:
> 
> commit e6c5fc53d0f44a772398402ee8a1879818e42b4e
> Author: Zhu Yi <yi.zhu@intel.com>
> Date:   Thu Oct 15 14:50:28 2009 +0800
> 
>     ipw2200: fix oops on missing firmware
>     
>     For non-monitor interfaces, the syntax for alloc_ieee80211/free_80211
>     is wrong. Because alloc_ieee80211 only creates (wiphy_new) a wiphy, but
>     free_80211() does wiphy_unregister() also. This is only correct when
>     the later wiphy_register() is called successfully, which apparently
>     is not the case for your fw doesn't exist one.
>     
>     Signed-off-by: Zhu Yi <yi.zhu@intel.com>
>     Signed-off-by: John W. Linville <linville@tuxdriver.com>
> 
> Can you revert that and attempt to recreate?

I forgot to remember wiphy has to be unregistered _after_ netdev. Here
is a fix patch. Please test.

>From 4581a7ea7146040b1b9ee8a1d45e63561a900e1d Mon Sep 17 00:00:00 2001
From: Zhu Yi <chuyee@octavia.(none)>
Date: Mon, 9 Nov 2009 17:49:21 +0800
Subject: [PATCH V2] ipw2200: fix oops on missing firmware

For non-monitor interfaces, the syntax for alloc_ieee80211/free_80211
is wrong. Because alloc_ieee80211 only creates (wiphy_new) a wiphy, but
free_80211() does wiphy_unregister() also. This is only correct when
the later wiphy_register() is called successfully, which apparently
is not the case for the fw doesn't exist one.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
---
V2: fix a BUG_ON reported by Holger Schurig

 drivers/net/wireless/ipw2x00/ipw2100.c       |    5 ++++-
 drivers/net/wireless/ipw2x00/ipw2200.c       |    2 ++
 drivers/net/wireless/ipw2x00/libipw.h        |    1 +
 drivers/net/wireless/ipw2x00/libipw_module.c |   14 +++++++++-----
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ipw2x00/ipw2100.c b/drivers/net/wireless/ipw2x00/ipw2100.c
index 240cff1..faec9d3 100644
--- a/drivers/net/wireless/ipw2x00/ipw2100.c
+++ b/drivers/net/wireless/ipw2x00/ipw2100.c
@@ -6325,8 +6325,10 @@ static int ipw2100_pci_init_one(struct pci_dev *pci_dev,
 
       fail:
 	if (dev) {
-		if (registered)
+		if (registered) {
 			unregister_netdev(dev);
+			unregister_ieee80211(priv->ieee);
+		}
 
 		ipw2100_hw_stop_adapter(priv);
 
@@ -6384,6 +6386,7 @@ static void __devexit ipw2100_pci_remove_one(struct pci_dev *pci_dev)
 		 * being called if the device is open.  If we free storage
 		 * first, then close() will crash. */
 		unregister_netdev(dev);
+		unregister_ieee80211(priv->ieee);
 
 		/* ipw2100_down will ensure that there is no more pending work
 		 * in the workqueue's, so we can safely remove them now. */
diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c
index 827824d..ae846a7 100644
--- a/drivers/net/wireless/ipw2x00/ipw2200.c
+++ b/drivers/net/wireless/ipw2x00/ipw2200.c
@@ -11823,6 +11823,7 @@ static int __devinit ipw_pci_probe(struct pci_dev *pdev,
 			IPW_ERROR("Failed to register promiscuous network "
 				  "device (error %d).\n", err);
 			unregister_netdev(priv->net_dev);
+			unregister_ieee80211(priv->ieee);
 			goto out_remove_sysfs;
 		}
 	}
@@ -11873,6 +11874,7 @@ static void __devexit ipw_pci_remove(struct pci_dev *pdev)
 	mutex_unlock(&priv->mutex);
 
 	unregister_netdev(priv->net_dev);
+	unregister_ieee80211(priv->ieee);
 
 	if (priv->rxq) {
 		ipw_rx_queue_free(priv, priv->rxq);
diff --git a/drivers/net/wireless/ipw2x00/libipw.h b/drivers/net/wireless/ipw2x00/libipw.h
index bf45391..f42ade6 100644
--- a/drivers/net/wireless/ipw2x00/libipw.h
+++ b/drivers/net/wireless/ipw2x00/libipw.h
@@ -1020,6 +1020,7 @@ static inline int libipw_is_cck_rate(u8 rate)
 /* ieee80211.c */
 extern void free_ieee80211(struct net_device *dev, int monitor);
 extern struct net_device *alloc_ieee80211(int sizeof_priv, int monitor);
+extern void unregister_ieee80211(struct libipw_device *ieee);
 extern int libipw_change_mtu(struct net_device *dev, int new_mtu);
 
 extern void libipw_networks_age(struct libipw_device *ieee,
diff --git a/drivers/net/wireless/ipw2x00/libipw_module.c b/drivers/net/wireless/ipw2x00/libipw_module.c
index a0e9f6a..be5b809 100644
--- a/drivers/net/wireless/ipw2x00/libipw_module.c
+++ b/drivers/net/wireless/ipw2x00/libipw_module.c
@@ -235,16 +235,19 @@ void free_ieee80211(struct net_device *dev, int monitor)
 	libipw_networks_free(ieee);
 
 	/* free cfg80211 resources */
-	if (!monitor) {
-		wiphy_unregister(ieee->wdev.wiphy);
-		kfree(ieee->a_band.channels);
-		kfree(ieee->bg_band.channels);
+	if (!monitor)
 		wiphy_free(ieee->wdev.wiphy);
-	}
 
 	free_netdev(dev);
 }
 
+void unregister_ieee80211(struct libipw_device *ieee)
+{
+	wiphy_unregister(ieee->wdev.wiphy);
+	kfree(ieee->a_band.channels);
+	kfree(ieee->bg_band.channels);
+}
+
 #ifdef CONFIG_LIBIPW_DEBUG
 
 static int debug = 0;
@@ -330,3 +333,4 @@ module_init(libipw_init);
 
 EXPORT_SYMBOL(alloc_ieee80211);
 EXPORT_SYMBOL(free_ieee80211);
+EXPORT_SYMBOL(unregister_ieee80211);
-- 
1.5.3.6