I added some debugging prints, trying to see more details about the packet that fails the r8712_validate_recv_frame. I noticed I'm getting many packets where recv_decache returns _FAIL. However, the last two packets before the crash fail for different reasons. The first has the ver field set to 3 (instead of zero). The second (the one that gets freed and causes the crash apparently) has an unknown type (12). If I'm not mistaken, 12 = WIFI_CTRL_TYPE | WIFI_DATA_TYPE. Is that possible? It could be that the packet headers are garbled though.

Haggai

On 17 May 2015 at 20:20, Haggai Eran <haggai.eran@xxxxxxxxx> wrote:
> On 17 May 2015 at 13:29, Arend van Spriel <aspriel@xxxxxxxxx> wrote:
>> On 17-05-15 06:25, Haggai Eran wrote:
>>>
>>> On 16 May 2015 at 20:54, Larry Finger <Larry.Finger@xxxxxxxxxxxx> wrote:
>>>>
>>>> Another location needed from gdb is "l *recv_func+0x8c".
>>>
>>> Here it is:
>>> (gdb) l *recv_func+0x8c
>>> 0x17094 is in recv_func (drivers/staging/rtl8712/rtl8712_recv.c:1004).
>>> 999 r8712_free_recvframe(orig_prframe,
>>> pfree_recv_queue);
>>> 1000 goto _exit_recv_func;
>>> 1001 }
>>> 1002 _exit_recv_func:
>>> 1003 return retval;
>>> 1004 }
>>> 1005
>>> 1006 static int recvbuf2recvframe(struct _adapter *padapter, struct
>>> sk_buff *pskb)
>>> 1007 {
>>> 1008 u8 *pbuf, shift_sz = 0;
>>>
>>> I don't think this means the relevant call is the one at line 999. I
>>> think it is an earlier call, after r8712_validate_recv_frame. Here's
>>> the disassembly:
>>
>> can you provide the address of recv_func as well to determine the exact
>> location in assembly.
>
> Yes, it is in offset 0x17008 in the module:
>> 00017008 <recv_func>:
>
> Regards,
> Haggai
>
>>
>>> /* check the frame crtl field and decache */
>>> retval = r8712_validate_recv_frame(padapter, prframe);
>>> 17070: e1a00004 mov r0, r4
>>> 17074: e1a01005 mov r1, r5
>>> 17078: ebfffffe bl 17bc0 <r8712_validate_recv_frame>
>>> if (retval != _SUCCESS) {
>>> 1707c: e3500001 cmp r0, #1
>>> r8712_free_recvframe(orig_prframe,
>>> pfree_recv_queue);
>>> goto _exit_recv_func;
>>> }
>>> }
>>> /* check the frame crtl field and decache */
>>> retval = r8712_validate_recv_frame(padapter, prframe);
>>> 17080: e1a06000 mov r6, r0
>>> if (retval != _SUCCESS) {
>>> 17084: 0a000005 beq 170a0 <recv_func+0x98>
>>> /* free this recv_frame */
>>> r8712_free_recvframe(orig_prframe, pfree_recv_queue);
>>> 17088: e1a00005 mov r0, r5
>>> 1708c: e1a01007 mov r1, r7
>>> 17090: ebfffffe bl 166e8 <r8712_free_recvframe>
>>> r8712_free_recvframe(orig_prframe, pfree_recv_queue);
>>> goto _exit_recv_func;
>>> }
>>> _exit_recv_func:
>>> return retval;
>>> }
>>> 17094: e1a00006 mov r0, r6
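The two rejected packets described at the top of this mail (version field 3, and type 12) both come down to how the first octet of the 802.11 frame control field is decoded. The following is an added, self-contained example and not code from the rtl8712 driver or from this thread: it decodes the version, type and subtype bits from a raw frame buffer and applies the two checks a receive path must make before dispatching on frame type. The constant names WIFI_MGT_TYPE, WIFI_CTRL_TYPE and WIFI_DATA_TYPE mirror the driver names quoted in the mail and are assumed to carry the values 0, 4 and 8 (the type bits left unshifted, so that CTRL | DATA is 12, the reserved type); the sample frame-control octets are constructed, not taken from the crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* IEEE 802.11 frame control, first octet: bits 0-1 protocol version,
 * bits 2-3 type, bits 4-7 subtype. Type values are kept unshifted,
 * matching the assumed rtl8712 convention named in the mail. */
#define WIFI_MGT_TYPE   0x00
#define WIFI_CTRL_TYPE  0x04
#define WIFI_DATA_TYPE  0x08
#define FC_TYPE_MASK    0x0c
#define FC_VER_MASK     0x03

enum fc_verdict {
	FC_OK = 0,
	FC_BAD_VERSION,	/* version != 0: the first bad packet in the mail */
	FC_BAD_TYPE,	/* type == 12 (reserved): the second bad packet */
	FC_TOO_SHORT	/* buffer cannot even hold the frame control field */
};

struct fc_fields {
	unsigned ver;
	unsigned type;		/* 0, 4, 8 or 12 */
	unsigned subtype;	/* 0..15 */
};

/* Decode the frame control fields from a raw frame buffer. */
int fc_decode(const uint8_t *buf, size_t len, struct fc_fields *out)
{
	if (len < 2)
		return -1;
	out->ver = buf[0] & FC_VER_MASK;
	out->type = buf[0] & FC_TYPE_MASK;
	out->subtype = buf[0] >> 4;
	return 0;
}

/* Reject frames the receive path must never dispatch by type: a
 * non-zero protocol version, or the reserved type value 12. A reserved
 * type must be dropped here rather than used to index per-type handlers. */
enum fc_verdict fc_validate(const uint8_t *buf, size_t len)
{
	struct fc_fields f;

	if (fc_decode(buf, len, &f) != 0)
		return FC_TOO_SHORT;
	if (f.ver != 0)
		return FC_BAD_VERSION;
	if (f.type == (WIFI_CTRL_TYPE | WIFI_DATA_TYPE))
		return FC_BAD_TYPE;
	return FC_OK;
}

/* Constructed sample frame control octets (not captured from the crash). */
const uint8_t sample_data_frame[]   = { 0x08, 0x00 }; /* ver 0, data, subtype 0 */
const uint8_t sample_ver3_frame[]   = { 0x0b, 0x00 }; /* ver 3, data */
const uint8_t sample_type12_frame[] = { 0x0c, 0x00 }; /* ver 0, reserved type 12 */

int main(void)
{
	const char *names[] = { "ok", "bad version", "bad type", "too short" };
	struct fc_fields f;

	fc_decode(sample_type12_frame, sizeof(sample_type12_frame), &f);
	printf("type12 frame: ver=%u type=%u subtype=%u\n", f.ver, f.type, f.subtype);
	printf("data frame:   %s\n", names[fc_validate(sample_data_frame, 2)]);
	printf("ver3 frame:   %s\n", names[fc_validate(sample_ver3_frame, 2)]);
	printf("type12 frame: %s\n", names[fc_validate(sample_type12_frame, 2)]);
	return 0;
}
```

Decoding the octet 0x0c this way shows why a type of 12 is not a combination of a control and a data frame but simply the fourth, reserved value of the two-bit type field; a validator that only knows the three defined types needs an explicit branch for it, as above, or the frame reaches code that assumes one of the three.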