From 37b12dd2b07b4d7dc222a5f7f88b25cec532b2aa Mon Sep 17 00:00:00 2001 From: Larry Finger Date: Wed, 4 Nov 2009 00:00:25 -0600 Subject: rtl8187: Fix kernel oops when device is removed when LEDS enabled As reported by Rick Farina (sidhayn@gmail.com), removing the RTL8187 USB stick, or unloading the driver rtl8187 using rmmod will cause a kernel oops. There are at least two forms of the failure, (1) BUG: Scheduling while atomic, and (2) a fatal kernel page fault. This problem is reported in Bugzilla #14539. This problem does not occur for kernel 2.6.31, but does for 2.6.32-rc2, thus it is technically a regression; however, bisection did not locate any faulty patch. The fix was found by comparing the faulty code in rtl8187 with p54usb. My interpretation is that the handling of work queues in mac80211 changed enough to the LEDs to be unregistered before tasks on the work queues are cancelled. Previously, these actions could be done in either order. (Herton Ronaldo Krzesinski reports that the code is the same in 2.6.31, so this may be a candidate for 2.6.31.x. -- JWL) Signed-off-by: Larry Finger Reported-by: Rick Farina Tested-by: Rick Farina Cc: stable@kernel.org Signed-off-by: John W. Linville --- drivers/net/wireless/rtl818x/rtl8187_leds.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net/wireless') diff --git a/drivers/net/wireless/rtl818x/rtl8187_leds.c b/drivers/net/wireless/rtl818x/rtl8187_leds.c index a1c670fc155..cf8a4a40fdf 100644 --- a/drivers/net/wireless/rtl818x/rtl8187_leds.c +++ b/drivers/net/wireless/rtl818x/rtl8187_leds.c @@ -210,10 +210,10 @@ void rtl8187_leds_exit(struct ieee80211_hw *dev) /* turn the LED off before exiting */ ieee80211_queue_delayed_work(dev, &priv->led_off, 0); - cancel_delayed_work_sync(&priv->led_off); - cancel_delayed_work_sync(&priv->led_on); rtl8187_unregister_led(&priv->led_rx); rtl8187_unregister_led(&priv->led_tx); + cancel_delayed_work_sync(&priv->led_off); + cancel_delayed_work_sync(&priv->led_on); } #endif /* def CONFIG_RTL8187_LED */ -- cgit v1.2.3-70-g09d2 From 143d40f3ab8fbd8ca2fe712ec8e072d687142804 Mon Sep 17 00:00:00 2001 From: "John W. Linville" Date: Fri, 6 Nov 2009 12:58:20 -0500 Subject: Revert "ipw2200: fix oops on missing firmware" This reverts commit e6c5fc53d0f44a772398402ee8a1879818e42b4e. Based on this regression report: Date: Thu, 05 Nov 2009 15:59:16 +0100 From: Holger Schurig To: linux-wireless@vger.kernel.org Subject: BUG: oops when "rmmod ipw2200" This happened on wireless-testing v2.6.32-rc6-41575-g5e68bfb. I modprobed ipw2200, put it into monitor mode, used tshark a while to monitor, then I stopped tshark, "ifconfig eth2 down" and finally "rmmod ipw2200", and voila: [ 917.189620] ------------[ cut here ]------------ [ 917.189717] kernel BUG at net/wireless/core.c:543! [ 917.189805] invalid opcode: 0000 [#1] PREEMPT SMP [ 917.190002] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:02:0d.0/firmware/0000:02:0d.0/loading [ 917.190136] Modules linked in: lib80211_crypt_wep ipw2200(-) libipw lib80211 ath5k mac80211 ath cfg80211 psmouse uhci_hcd [ 917.190680] [ 917.190759] Pid: 1763, comm: rmmod Not tainted (2.6.32-rc6-wl #26) Amilo M1425 [ 917.190886] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 [ 917.190992] EIP is at wiphy_unregister+0xd3/0x175 [cfg80211] [ 917.191083] EAX: f601d4c4 EBX: 00000000 ECX: 00000000 EDX: f79e8600 [ 917.191176] ESI: f601d400 EDI: f95b4350 EBP: f6009eb4 ESP: f6009e8c [ 917.191269] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 917.191360] Process rmmod (pid: 1763, ti=f6008000 task=f79e8130 task.ti=f6008000) [ 917.191486] Stack: [ 917.191562] f601d5a0 f601d484 f6460e98 f6009ea0 c01407ee f6009eb8 00000246 f64604c0 [ 917.191916] <0> f6460e5c f95b4350 f6009ec0 f94fd030 f6460e98 f6009edc f95a9d4f f787bc00 [ 917.192100] <0> f787bc58 f787bc00 f95b4350 f95b4350 f6009ee8 c0207fca f787bc58 f6009ef8 [ 917.192100] Call Trace: [ 917.192100] [] ? trace_hardirqs_on+0xb/0xd [ 917.192100] [] ? unregister_ieee80211+0xe/0x27 [libipw] [ 917.192100] [] ? ipw_pci_remove+0x59/0x227 [ipw2200] [ 917.192100] [] ? pci_device_remove+0x19/0x39 [ 917.192100] [] ? __device_release_driver+0x59/0x9d [ 917.192100] [] ? driver_detach+0x67/0x85 [ 917.192100] [] ? bus_remove_driver+0x69/0x85 [ 917.192100] [] ? driver_unregister+0x4d/0x54 [ 917.192100] [] ? pci_unregister_driver+0x28/0x71 [ 917.192100] [] ? ipw_exit+0x1c/0x1e [ipw2200] [ 917.192100] [] ? sys_delete_module+0x192/0x1ef [ 917.192100] [] ? remove_vma+0x52/0x58 [ 917.192100] [] ? sysenter_exit+0xf/0x18 [ 917.192100] [] ? sysenter_do_call+0x12/0x36 [ 917.192100] Code: 74 07 e8 81 bc 8c c7 eb c8 8d 55 e0 89 f8 e8 d6 6d 66 c7 8b 45 dc 31 d2 e8 81 cc 8c c7 8d 86 c4 00 00 00 39 86 c4 00 00 00 74 04 <0f> 0b eb fe 8b 45 dc 8d 5e 0c e8 5a cc 8c c7 8b 86 94 03 00 00 [ 917.192100] EIP: [] wiphy_unregister+0xd3/0x175 [cfg80211] SS:ESP 0068:f6009e8c [ 917.203718] ---[ end trace bcaaf449945a5100 ]--- Signed-off-by: John W. Linville --- drivers/net/wireless/ipw2x00/ipw2100.c | 5 +---- drivers/net/wireless/ipw2x00/ipw2200.c | 2 -- drivers/net/wireless/ipw2x00/libipw.h | 1 - drivers/net/wireless/ipw2x00/libipw_module.c | 14 +++++--------- 4 files changed, 6 insertions(+), 16 deletions(-) (limited to 'drivers/net/wireless') diff --git a/drivers/net/wireless/ipw2x00/ipw2100.c b/drivers/net/wireless/ipw2x00/ipw2100.c index a741d37fd96..240cff1e697 100644 --- a/drivers/net/wireless/ipw2x00/ipw2100.c +++ b/drivers/net/wireless/ipw2x00/ipw2100.c @@ -6325,10 +6325,8 @@ static int ipw2100_pci_init_one(struct pci_dev *pci_dev, fail: if (dev) { - if (registered) { - unregister_ieee80211(priv->ieee); + if (registered) unregister_netdev(dev); - } ipw2100_hw_stop_adapter(priv); @@ -6385,7 +6383,6 @@ static void __devexit ipw2100_pci_remove_one(struct pci_dev *pci_dev) /* Unregister the device first - this results in close() * being called if the device is open. If we free storage * first, then close() will crash. */ - unregister_ieee80211(priv->ieee); unregister_netdev(dev); /* ipw2100_down will ensure that there is no more pending work diff --git a/drivers/net/wireless/ipw2x00/ipw2200.c b/drivers/net/wireless/ipw2x00/ipw2200.c index 04341a2a619..8d58e6ed4e7 100644 --- a/drivers/net/wireless/ipw2x00/ipw2200.c +++ b/drivers/net/wireless/ipw2x00/ipw2200.c @@ -11821,7 +11821,6 @@ static int __devinit ipw_pci_probe(struct pci_dev *pdev, if (err) { IPW_ERROR("Failed to register promiscuous network " "device (error %d).\n", err); - unregister_ieee80211(priv->ieee); unregister_netdev(priv->net_dev); goto out_remove_sysfs; } @@ -11872,7 +11871,6 @@ static void __devexit ipw_pci_remove(struct pci_dev *pdev) mutex_unlock(&priv->mutex); - unregister_ieee80211(priv->ieee); unregister_netdev(priv->net_dev); if (priv->rxq) { diff --git a/drivers/net/wireless/ipw2x00/libipw.h b/drivers/net/wireless/ipw2x00/libipw.h index f42ade6c2d3..bf45391172f 100644 --- a/drivers/net/wireless/ipw2x00/libipw.h +++ b/drivers/net/wireless/ipw2x00/libipw.h @@ -1020,7 +1020,6 @@ static inline int libipw_is_cck_rate(u8 rate) /* ieee80211.c */ extern void free_ieee80211(struct net_device *dev, int monitor); extern struct net_device *alloc_ieee80211(int sizeof_priv, int monitor); -extern void unregister_ieee80211(struct libipw_device *ieee); extern int libipw_change_mtu(struct net_device *dev, int new_mtu); extern void libipw_networks_age(struct libipw_device *ieee, diff --git a/drivers/net/wireless/ipw2x00/libipw_module.c b/drivers/net/wireless/ipw2x00/libipw_module.c index be5b809ec97..a0e9f6aed7d 100644 --- a/drivers/net/wireless/ipw2x00/libipw_module.c +++ b/drivers/net/wireless/ipw2x00/libipw_module.c @@ -235,19 +235,16 @@ void free_ieee80211(struct net_device *dev, int monitor) libipw_networks_free(ieee); /* free cfg80211 resources */ - if (!monitor) + if (!monitor) { + wiphy_unregister(ieee->wdev.wiphy); + kfree(ieee->a_band.channels); + kfree(ieee->bg_band.channels); wiphy_free(ieee->wdev.wiphy); + } free_netdev(dev); } -void unregister_ieee80211(struct libipw_device *ieee) -{ - wiphy_unregister(ieee->wdev.wiphy); - kfree(ieee->a_band.channels); - kfree(ieee->bg_band.channels); -} - #ifdef CONFIG_LIBIPW_DEBUG static int debug = 0; @@ -333,4 +330,3 @@ module_init(libipw_init); EXPORT_SYMBOL(alloc_ieee80211); EXPORT_SYMBOL(free_ieee80211); -EXPORT_SYMBOL(unregister_ieee80211); -- cgit v1.2.3-70-g09d2 From 66f84d6594729c866c0c03fe97159a987dad7d84 Mon Sep 17 00:00:00 2001 From: Sean Cross Date: Thu, 5 Nov 2009 20:22:03 +0100 Subject: rt2x00: Don't queue ieee80211 work after USB removal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents the rt2x00 driver from queueing ieee80211 work after the   USB card has been removed, preventing a kernel panic. Signed-off-by: Sean Cross Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2x00dev.c | 4 ++-- drivers/net/wireless/rt2x00/rt2x00link.c | 11 +++++++---- drivers/net/wireless/rt2x00/rt2x00usb.c | 9 ++++++++- 3 files changed, 17 insertions(+), 7 deletions(-) (limited to 'drivers/net/wireless') diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c index 71761b34383..73bbec58341 100644 --- a/drivers/net/wireless/rt2x00/rt2x00dev.c +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c @@ -815,6 +815,8 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev) mutex_init(&rt2x00dev->csr_mutex); + set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); + /* * Make room for rt2x00_intf inside the per-interface * structure ieee80211_vif. @@ -871,8 +873,6 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev) rt2x00leds_register(rt2x00dev); rt2x00debug_register(rt2x00dev); - set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); - return 0; exit: diff --git a/drivers/net/wireless/rt2x00/rt2x00link.c b/drivers/net/wireless/rt2x00/rt2x00link.c index c64db0ba7f4..c708d0be915 100644 --- a/drivers/net/wireless/rt2x00/rt2x00link.c +++ b/drivers/net/wireless/rt2x00/rt2x00link.c @@ -362,8 +362,9 @@ void rt2x00link_start_tuner(struct rt2x00_dev *rt2x00dev) rt2x00link_reset_tuner(rt2x00dev, false); - ieee80211_queue_delayed_work(rt2x00dev->hw, - &link->work, LINK_TUNE_INTERVAL); + if (test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) + ieee80211_queue_delayed_work(rt2x00dev->hw, + &link->work, LINK_TUNE_INTERVAL); } void rt2x00link_stop_tuner(struct rt2x00_dev *rt2x00dev) @@ -469,8 +470,10 @@ static void rt2x00link_tuner(struct work_struct *work) * Increase tuner counter, and reschedule the next link tuner run. */ link->count++; - ieee80211_queue_delayed_work(rt2x00dev->hw, - &link->work, LINK_TUNE_INTERVAL); + + if (test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) + ieee80211_queue_delayed_work(rt2x00dev->hw, + &link->work, LINK_TUNE_INTERVAL); } void rt2x00link_register(struct rt2x00_dev *rt2x00dev) diff --git a/drivers/net/wireless/rt2x00/rt2x00usb.c b/drivers/net/wireless/rt2x00/rt2x00usb.c index 501544882c2..f02b48a9059 100644 --- a/drivers/net/wireless/rt2x00/rt2x00usb.c +++ b/drivers/net/wireless/rt2x00/rt2x00usb.c @@ -47,6 +47,8 @@ int rt2x00usb_vendor_request(struct rt2x00_dev *rt2x00dev, (requesttype == USB_VENDOR_REQUEST_IN) ? usb_rcvctrlpipe(usb_dev, 0) : usb_sndctrlpipe(usb_dev, 0); + if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) + return -ENODEV; for (i = 0; i < REGISTER_BUSY_COUNT; i++) { status = usb_control_msg(usb_dev, pipe, request, requesttype, @@ -60,8 +62,10 @@ int rt2x00usb_vendor_request(struct rt2x00_dev *rt2x00dev, * -ENODEV: Device has disappeared, no point continuing. * All other errors: Try again. */ - else if (status == -ENODEV) + else if (status == -ENODEV) { + clear_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags); break; + } } ERROR(rt2x00dev, @@ -161,6 +165,9 @@ int rt2x00usb_regbusy_read(struct rt2x00_dev *rt2x00dev, { unsigned int i; + if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags)) + return -ENODEV; + for (i = 0; i < REGISTER_BUSY_COUNT; i++) { rt2x00usb_register_read_lock(rt2x00dev, offset, reg); if (!rt2x00_get_field32(*reg, field)) -- cgit v1.2.3-70-g09d2