On Wed, 2009-12-02 at 13:42 +0800, Zhu Yi wrote: > On Tue, 2009-12-01 at 17:28 +0800, Zhu Yi wrote: > > On Tue, 2009-12-01 at 06:35 +0800, Maxim Levitsky wrote: > > > 0x000000000001668e <iwl3945_rx_reply_tx+302>: lea 0x38(%r8),%rdi > > > 0x0000000000016692 <iwl3945_rx_reply_tx+306>: lea 0x4f(%r8),%rax > > > > When this happened, from your previous post, r8 is 0x0 and rdi is 0x38. > > Since "info" is %rdi (see below), this means > > txq->txb[txq->q.read_ptr].skb[0], aka. r8 is 0. > > > > > rate_idx = iwl3945_hwrate_to_plcp_idx(tx_resp->rate); > > > > > > 0x0000000000016696 <iwl3945_rx_reply_tx+310>: movb $0x0,0x9(%rdi) <---------- RIP > > > 0x000000000001669a <iwl3945_rx_reply_tx+314>: movb $0x0,0xc(%rdi) > > > 0x000000000001669e <iwl3945_rx_reply_tx+318>: movb $0x0,0xf(%rdi) > > > 0x00000000000166a2 <iwl3945_rx_reply_tx+322>: movb $0x0,0x12(%rdi) > > > 0x00000000000166a6 <iwl3945_rx_reply_tx+326>: movb $0x0,0x15(%rdi) > > > > This equals to below code in ieee80211_tx_info_clear_status(). "info" is > > %rdi, which is 0x38. That matches NULL pointer dereference at 0x41 in > > your oops header. > > > > for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) > > info->status.rates[i].count = 0; > > > > I guess there is a race for txq->q.read_ptr somewhere. Haven't checked > > though. > > OK. 3945 updated write_ptr without regard to read_ptr on the Tx path. > This messes up our TFD on high load. The patch should fix your problem. > > Signed-off-by: Zhu Yi <yi.zhu@xxxxxxxxx> > > diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c > index 994db4a..b31b34c 100644 > --- a/drivers/net/wireless/iwlwifi/iwl3945-base.c > +++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c > @@ -548,6 +548,9 @@ static int iwl3945_tx_skb(struct iwl_priv *priv, struct sk_buff *skb) > txq = &priv->txq[txq_id]; > q = &txq->q; > > + if ((iwl_queue_space(q) < q->high_mark)) > + goto drop; > + > spin_lock_irqsave(&priv->lock, flags); > > idx = get_cmd_index(q, q->write_ptr, 0); > > I applied that patch, everything works. I let you know if I see another kernel panic (I can capture any panic on that system, I set up everything for that) Best regards, Maxim Levitsky -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
