On Tue, 2009-12-01 at 06:35 +0800, Maxim Levitsky wrote:
> 0x000000000001668e <iwl3945_rx_reply_tx+302>:	lea    0x38(%r8),%rdi
> 0x0000000000016692 <iwl3945_rx_reply_tx+306>:	lea    0x4f(%r8),%rax

When this happened, from your previous post, r8 is 0x0 and rdi is 0x38.
Since "info" is %rdi (see below), this means
txq->txb[txq->q.read_ptr].skb[0], aka. r8 is 0.

> 	rate_idx = iwl3945_hwrate_to_plcp_idx(tx_resp->rate);
>
> 0x0000000000016696 <iwl3945_rx_reply_tx+310>:	movb   $0x0,0x9(%rdi) <---------- RIP
> 0x000000000001669a <iwl3945_rx_reply_tx+314>:	movb   $0x0,0xc(%rdi)
> 0x000000000001669e <iwl3945_rx_reply_tx+318>:	movb   $0x0,0xf(%rdi)
> 0x00000000000166a2 <iwl3945_rx_reply_tx+322>:	movb   $0x0,0x12(%rdi)
> 0x00000000000166a6 <iwl3945_rx_reply_tx+326>:	movb   $0x0,0x15(%rdi)

This is equal to the code below in ieee80211_tx_info_clear_status().
"info" is %rdi, which is 0x38. That matches the NULL pointer dereference
at 0x41 in your oops header.

	for (i = 0; i < IEEE80211_TX_MAX_RATES; i++)
		info->status.rates[i].count = 0;

I guess there is a race for txq->q.read_ptr somewhere. Haven't checked
though.

Thanks,
-yi
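
Added example (not part of the original message and not driver code): the offset arithmetic from the reply above, using mock structures whose layout is assumed from the disassembly (cb at 0x38 inside the skb, status.rates at offset 8, 3-byte rate entries). The names mock_skb, mock_tx_info, store_addr, null_skb_store_index and clear_status_checked are hypothetical, and the NULL check only illustrates a guard; it does not address the suspected read_ptr race.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RATES 5 /* five movb stores => IEEE80211_TX_MAX_RATES */

/* Mock layouts (assumed): only the offsets seen in the disassembly matter. */
struct mock_rate { int8_t idx; uint8_t count; uint8_t flags; };
struct mock_tx_info {
    uint32_t flags; uint8_t band; uint8_t antenna_sel_tx; uint8_t pad[2];
    struct { struct mock_rate rates[MAX_RATES]; } status;
};
struct mock_skb {
    uint64_t head[7];                      /* 0x38 bytes before cb */
    union { char cb[48]; struct mock_tx_info info; } u;
};

/* Address written by the i-th "rates[i].count = 0" store for a given skb. */
static uintptr_t store_addr(uintptr_t skb, int i)
{
    return skb + offsetof(struct mock_skb, u)              /* lea 0x38(%r8),%rdi */
               + offsetof(struct mock_tx_info, status.rates)
               + (size_t)i * sizeof(struct mock_rate)
               + offsetof(struct mock_rate, count);        /* 0x9, 0xc, 0xf, ... */
}

/* Oops triage: which store faults at fault_addr if skb was NULL? -1 if none. */
static int null_skb_store_index(uintptr_t fault_addr)
{
    for (int i = 0; i < MAX_RATES; i++)
        if (store_addr(0, i) == fault_addr)
            return i;
    return -1;
}

/* Guarded clear: reject a NULL skb instead of writing through skb + 0x38. */
static int clear_status_checked(struct mock_skb *skb)
{
    if (!skb)
        return -1;
    for (int i = 0; i < MAX_RATES; i++)
        skb->u.info.status.rates[i].count = 0;
    return 0;
}

int main(void)
{
    printf("NULL skb: first store at 0x%lx, rate index %d\n",
           (unsigned long)store_addr(0, 0), null_skb_store_index(0x41));
    return clear_status_checked(NULL) == -1 ? 0 : 1;
}
```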