[iwl_eeprom_query16] Kernel general protection fault w/ NetworkManager/iwl4965

Bug #288437 reported by jbj
This bug affects 1 person
Affects: Linux | Status: Fix Released | Importance: Medium
Affects: linux (Ubuntu) | Status: Invalid | Importance: Medium | Assigned to: Jim Lieb

Bug Description

Every so often (particularly when dealing with roaming between access points it seems) NetworkManager activity seems to induce a fairly regular general protection fault in the current (as of 10/23) set of packages in Intrepid.

$ uname -r
2.6.27-7-generic

Excerpt from dmesg (don't have a complete one at this second):
[ 2131.272599] ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 2131.340151] iwlagn 0000:03:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
[ 2131.351058] general protection fault: 0000 [1] SMP
[ 2131.351062] CPU 1
[ 2131.351063] Modules linked in: aes_x86_64 aes_generic af_packet binfmt_misc rfcomm bnep sco l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp bridge stp kvm_intel kvm ppdev tun ipv6 acpi_cpufreq cpufreq_ondemand cpufreq_conservative cpufreq_powersave cpufreq_stats freq_table cpufreq_userspace container pci_slot sbs sbshc iptable_filter ip_tables x_tables sbp2 parport_pc lp parport joydev pcmcia thinkpad_acpi snd_hda_intel arc4 evdev nvram ecb snd_pcm_oss dm_multipath psmouse snd_mixer_oss crypto_blkcipher yenta_socket scsi_dh serio_raw snd_pcm pcspkr rsrc_nonstatic sdhci_pci sdhci ricoh_mmc pcmcia_core snd_seq_dummy mmc_core iTCO_wdt iTCO_vendor_support snd_seq_oss iwlagn iwlcore snd_seq_midi rfkill snd_rawmidi snd_seq_midi_event snd_seq led_class snd_timer snd_seq_device mac80211 snd btusb cfg80211 soundcore snd_page_alloc battery bluetooth ac nvidia(P) i2c_core video output wmi button shpchp pci_hotplug intel_agp ext3 jbd mbcache sr_mod cdrom sd_mod crc_t10dif sg ata_piix pata_acpi ahci ata_generic libata ohci1394 scsi_mod ieee1394 ehci_hcd uhci_hcd usbcore e1000e dock dm_mirror dm_log dm_snapshot dm_mod thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 2131.351138] Pid: 5813, comm: NetworkManager Tainted: P 2.6.27-7-generic #1
[ 2131.351139] RIP: 0010:[<ffffffffa0a90360>] [<ffffffffa0a90360>] iwl_eeprom_query16+0x10/0x20 [iwlcore]
[ 2131.351152] RSP: 0018:ffff8800740b7738 EFLAGS: 00010046
[ 2131.351153] RAX: 7fff8800375a0400 RBX: ffff88007b401a00 RCX: 00000000800300f0
[ 2131.351155] RDX: ffffc2000035803c RSI: 0000000000000090 RDI: ffff88007b401a00
[ 2131.351157] RBP: ffff8800740b7738 R08: 0000000000000001 R09: ffff8800740b770c
[ 2131.351158] R10: 0000000000000000 R11: ffff8800740b76f8 R12: ffff88007b402448
[ 2131.351160] R13: 0000000000000246 R14: ffff88007b402b50 R15: ffff88007b400060
[ 2131.351162] FS: 00007fefa9f72730(0000) GS:ffff88007e802880(0000) knlGS:0000000000000000
[ 2131.351164] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2131.351166] CR2: 00007fcf815a5d70 CR3: 0000000074086000 CR4: 00000000000026a0
[ 2131.351167] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2131.351169] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2131.351171] Process NetworkManager (pid: 5813, threadinfo ffff8800740b6000, task ffff88007c5b0000)
[ 2131.351173] Stack: ffff8800740b7778 ffffffffa0ab40ab ffffffff805025e8 0000000000000246
[ 2131.351177] 43ff88007b401a00 0000000000000246 ffff88007b401a00 ffff88007b402448
[ 2131.351180] ffff8800740b77a8 ffffffffa0a8edbb 0000000000000000 ffff88007b401a00
[ 2131.351183] Call Trace:
[ 2131.351192] [<ffffffffa0ab40ab>] iwl4965_nic_config+0x7b/0x150 [iwlagn]
[ 2131.351200] [<ffffffff805025e8>] ? _spin_unlock_irqrestore+0x18/0x30
[ 2131.351207] [<ffffffffa0a8edbb>] iwl_hw_nic_init+0x9b/0x160 [iwlcore]
[ 2131.351213] [<ffffffffa0aade3a>] __iwl4965_up+0xba/0x2d0 [iwlagn]
[ 2131.351218] [<ffffffffa0aae544>] iwl4965_mac_start+0xe4/0x350 [iwlagn]
[ 2131.351222] [<ffffffff80485c78>] ? __nla_reserve+0x58/0x70
[ 2131.351233] [<ffffffffa0a0e6a2>] ieee80211_open+0x152/0x690 [mac80211]
[ 2131.351237] [<ffffffff8045c2bd>] ? skb_put+0xd/0xa0
[ 2131.351240] [<ffffffff80466b42>] dev_open+0xb2/0xf0
[ 2131.351242] [<ffffffff8046620b>] dev_change_flags+0x9b/0x1e0
[ 2131.351245] [<ffffffff80470574>] do_setlink+0x214/0x3b0
[ 2131.351247] [<ffffffff8046fd96>] ? rtnl_fill_ifinfo+0x2f6/0x420
[ 2131.351249] [<ffffffff8048609b>] ? nla_parse+0x3b/0x110
[ 2131.351251] [<ffffffff80470825>] rtnl_setlink+0x115/0x160
[ 2131.351255] [<ffffffff80234059>] ? __phys_addr+0x9/0x50
[ 2131.351257] [<ffffffff8046f7ee>] rtnetlink_rcv_msg+0x18e/0x240
[ 2131.351259] [<ffffffff8046f660>] ? rtnetlink_rcv_msg+0x0/0x240
[ 2131.351261] [<ffffffff804845c9>] netlink_rcv_skb+0x89/0xb0
[ 2131.351263] [<ffffffff8046f64c>] rtnetlink_rcv+0x2c/0x40
[ 2131.351265] [<ffffffff804842d5>] netlink_unicast+0x2c5/0x2e0
[ 2131.351268] [<ffffffff80485594>] netlink_sendmsg+0x204/0x2f0
[ 2131.351271] [<ffffffff80383700>] ? aa_revalidate_sk+0x20/0xd0
[ 2131.351274] [<ffffffff80456cbc>] sock_sendmsg+0x10c/0x140
[ 2131.351277] [<ffffffff80267050>] ? autoremove_wake_function+0x0/0x40
[ 2131.351280] [<ffffffff804565ac>] ? move_addr_to_kernel+0x5c/0x60
[ 2131.351282] [<ffffffff8045f444>] ? verify_iovec+0x44/0xd0
[ 2131.351284] [<ffffffff80456e7e>] sys_sendmsg+0x18e/0x320
[ 2131.351287] [<ffffffff8021425e>] ? math_state_restore+0xe/0xb0
[ 2131.351290] [<ffffffff805005b4>] ? thread_return+0x37/0x3c3
[ 2131.351294] [<ffffffff8021285a>] system_call_fastpath+0x16/0x1b
[ 2131.351295]
[ 2131.351296]
[ 2131.351297] Code: 47 23 78 df 48 8b 47 18 48 8b 40 18 48 8b 00 ff 90 00 01 00 00 c9 c3 0f 1f 40 00 55 48 89 e5 e8 27 23 78 df 48 8b 87 30 23 01 00 <0f> b6 54 30 01 0f b6 04 30 c9 c1 e2 08 09 d0 c3 55 48 89 e5 41
[ 2131.351324] RIP [<ffffffffa0a90360>] iwl_eeprom_query16+0x10/0x20 [iwlcore]
[ 2131.351331] RSP <ffff8800740b7738>
[ 2131.351334] ---[ end trace cee6c435733078f4 ]---

I've also seen:
[ 8568.851449] wlan0: deauthenticated
[ 8568.981059] mac80211-phy0: failed to remove key (0, 00:17:0f:e8:5c:e0) from hardware (-22)
[ 8568.981646] mac80211-phy0: failed to remove key (0, 00:17:0f:e4:5d:00) from hardware (-16)
[ 8568.982044] mac80211-phy0: failed to remove key (0, 00:17:0f:3a:e1:40) from hardware (-22)
[ 8568.982436] mac80211-phy0: failed to remove key (0, 00:12:7f:6f:69:f0) from hardware (-22)
[ 8568.982864] mac80211-phy0: failed to remove key (0, 00:17:0f:36:e1:60) from hardware (-22)
[ 8571.115531] iwlagn 0000:03:00.0: PCI INT A disabled
[ 8571.460561] general protection fault: 0000 [1] SMP
[ 8571.460566] CPU 0
[ 8571.460567] Modules linked in: aes_x86_64 aes_generic af_packet binfmt_misc rfcomm bnep sco l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp bridge stp kvm_intel kvm ppdev tun ipv6 acpi_cpufreq cpufreq_ondemand cpufreq_conservative cpufreq_powersave cpufreq_stats freq_table cpufreq_userspace container pci_slot sbs sbshc iptable_filter ip_tables x_tables sbp2 parport_pc lp parport joydev snd_hda_intel arc4 ecb snd_pcm_oss crypto_blkcipher pcmcia snd_mixer_oss thinkpad_acpi iwlagn(-) iwlcore snd_pcm sdhci_pci rfkill iTCO_wdt yenta_socket rsrc_nonstatic led_class psmouse dm_multipath btusb snd_seq_dummy sdhci iTCO_vendor_support evdev mac80211 serio_raw pcmcia_core nvram mmc_core scsi_dh pcspkr bluetooth ricoh_mmc nvidia(P) snd_seq_oss cfg80211 snd_seq_midi snd_rawmidi i2c_core video battery ac output snd_seq_midi_event snd_seq wmi snd_timer snd_seq_device snd button intel_agp soundcore shpchp pci_hotplug snd_page_alloc ext3 jbd mbcache sr_mod cdrom sd_mod crc_t10dif sg ata_piix pata_acpi ohci1394 ahci ieee1394 ata_generic libata scsi_mod ehci_hcd uhci_hcd usbcore e1000e dock dm_mirror dm_log dm_snapshot dm_mod thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 8571.460640] Pid: 12911, comm: rmmod Tainted: P 2.6.27-7-generic #1
[ 8571.460642] RIP: 0010:[<ffffffff802e21b9>] [<ffffffff802e21b9>] kfree+0x49/0x100
[ 8571.460649] RSP: 0018:ffff88000f023d48 EFLAGS: 00010216
[ 8571.460650] RAX: 0200000001f11700 RBX: 01ffe20001f11700 RCX: 0000000000000000
[ 8571.460652] RDX: ffffe20000000000 RSI: 0000000000000246 RDI: 7fff88007c45c400
[ 8571.460654] RBP: ffff88000f023d78 R08: 0000000000000000 R09: ffff88007cc306b0
[ 8571.460656] R10: 0000000000000002 R11: ffff8800fc823fff R12: ffff88007cc21a00
[ 8571.460657] R13: 7fff88007c45c400 R14: ffff88007cc30160 R15: ffffffffa0b6ba18
[ 8571.460660] FS: 00007f72da98b6e0(0000) GS:ffffffff806e1a80(0000) knlGS:0000000000000000
[ 8571.460661] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 8571.460663] CR2: 0000000001ab3e88 CR3: 000000000ed1a000 CR4: 00000000000026e0
[ 8571.460665] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8571.460667] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 8571.460669] Process rmmod (pid: 12911, threadinfo ffff88000f022000, task ffff88001c0f59c0)
[ 8571.460670] Stack: ffff88000f023d68 ffff88007cc21a00 ffff88007cc21a00 ffff88007e1e9000
[ 8571.460675] ffff88007cc30160 ffffffffa0b6ba18 ffff88000f023d98 ffffffffa0b395ed
[ 8571.460679] ffff88007cc21a00 ffff88007cc22448 ffff88000f023dc8 ffffffffa0b6226a
[ 8571.460682] Call Trace:
[ 8571.460695] [<ffffffffa0b395ed>] iwl_eeprom_free+0x1d/0x30 [iwlcore]
[ 8571.460703] [<ffffffffa0b6226a>] iwl4965_pci_remove+0x12a/0x1b4 [iwlagn]
[ 8571.460709] [<ffffffff803bbfc4>] pci_device_remove+0x34/0x70
[ 8571.460713] [<ffffffff80430222>] __device_release_driver+0xa2/0xe0
[ 8571.460716] [<ffffffff80430338>] driver_detach+0xd8/0xe0
[ 8571.460721] [<ffffffff8042f2d6>] bus_remove_driver+0x96/0xd0
[ 8571.460725] [<ffffffff804308c7>] driver_unregister+0x47/0x50
[ 8571.460730] [<ffffffff803bc32c>] pci_unregister_driver+0x3c/0xb0
[ 8571.460736] [<ffffffffa0b62139>] iwl4965_exit+0x15/0x1c [iwlagn]
[ 8571.460739] [<ffffffff8027b9a7>] sys_delete_module+0x1c7/0x2a0
[ 8571.460743] [<ffffffff803a7c88>] ? __up_write+0x68/0x140
[ 8571.460748] [<ffffffff8021285a>] system_call_fastpath+0x16/0x1b
[ 8571.460750]
[ 8571.460750]
[ 8571.460751] Code: 04 f3 ff 48 83 ff 10 49 89 fd 0f 86 85 00 00 00 e8 ad 1e f5 ff 48 c1 e8 0c 48 ba 00 00 00 00 00 e2 ff ff 48 c1 e0 06 48 8d 1c 10 <48> 8b 03 f6 c4 40 74 07 48 8b 5b 10 48 8b 03 84 c0 0f 89 87 00
[ 8571.460778] RIP [<ffffffff802e21b9>] kfree+0x49/0x100
[ 8571.460781] RSP <ffff88000f023d48>
[ 8571.460786] ---[ end trace 292fd72d1829818d ]---

$ lspci -n
00:00.0 0600: 8086:2a00 (rev 0c)
00:01.0 0604: 8086:2a01 (rev 0c)
00:19.0 0200: 8086:1049 (rev 03)
00:1a.0 0c03: 8086:2834 (rev 03)
00:1a.1 0c03: 8086:2835 (rev 03)
00:1a.7 0c03: 8086:283a (rev 03)
00:1b.0 0403: 8086:284b (rev 03)
00:1c.0 0604: 8086:283f (rev 03)
00:1c.1 0604: 8086:2841 (rev 03)
00:1c.2 0604: 8086:2843 (rev 03)
00:1c.3 0604: 8086:2845 (rev 03)
00:1c.4 0604: 8086:2847 (rev 03)
00:1d.0 0c03: 8086:2830 (rev 03)
00:1d.1 0c03: 8086:2831 (rev 03)
00:1d.2 0c03: 8086:2832 (rev 03)
00:1d.7 0c03: 8086:2836 (rev 03)
00:1e.0 0604: 8086:2448 (rev f3)
00:1f.0 0601: 8086:2811 (rev 03)
00:1f.1 0101: 8086:2850 (rev 03)
00:1f.2 0106: 8086:2829 (rev 03)
00:1f.3 0c05: 8086:283e (rev 03)
01:00.0 0300: 10de:040c (rev a1)
03:00.0 0280: 8086:4230 (rev 61)
15:00.0 0607: 1180:0476 (rev ba)
15:00.1 0c00: 1180:0832 (rev 04)
15:00.2 0805: 1180:0822 (rev 21)
15:00.3 0880: 1180:0843 (rev ff)
15:00.4 0880: 1180:0592 (rev 11)
15:00.5 0880: 1180:0852 (rev 11)

$ lspci
00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:01.0 PCI bridge: Intel Corporation Mobile PM965/GM965/GL960 PCI Express Root Port (rev 0c)
00:19.0 Ethernet controller: Intel Corporation 82566MM Gigabit Network Connection (rev 03)
00:1a.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 03)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 03)
00:1c.2 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 3 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 4 (rev 03)
00:1c.4 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 5 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev f3)
00:1f.0 ISA bridge: Intel Corporation 82801HBM (ICH8M-E) LPC Interface Controller (rev 03)
00:1f.1 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) IDE Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) SATA AHCI Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 03)
01:00.0 VGA compatible controller: nVidia Corporation Quadro FX 570M (rev a1)
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)
15:00.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev ba)
15:00.1 FireWire (IEEE 1394): Ricoh Co Ltd R5C832 IEEE 1394 Controller (rev 04)
15:00.2 SD Host controller: Ricoh Co Ltd R5C822 SD/SDIO/MMC/MS/MSPro Host Adapter (rev 21)
15:00.3 System peripheral: Ricoh Co Ltd R5C843 MMC Host Controller (rev ff)
15:00.4 System peripheral: Ricoh Co Ltd R5C592 Memory Stick Bus Host Adapter (rev 11)
15:00.5 System peripheral: Ricoh Co Ltd xD-Picture Card Controller (rev 11)

This is a Thinkpad T61p.

Leann Ogasawara (leannogasawara) wrote :

Hi jbj,

This seems like it might be a duplicate of bug 286370 which was resolved by installing linux-backports-modules. Care to see if this helps? Thanks.

Changed in linux:
status: New → Incomplete
Changed in linux:
status: Unknown → In Progress
Changed in linux:
status: Incomplete → Confirmed
Kai Kasurinen (kai-kasurinen) wrote :

Fixed in upstream:

iwlwifi: clean key table in iwl_clear_stations_table function

This patch cleans uCode key table bit map iwl_clear_stations_table
since all stations are cleared also the key table must be.

Since the keys are not removed properly on suspend by mac80211
this may result in exhausting key table on resume leading
to memory corruption during removal

This patch also fixes a memory corruption problem reported in
http://marc.info/?l=linux-wireless&m=122641417231586&w=2 and tracked in
http://bugzilla.kernel.org/show_bug.cgi?id=12040.

When the key is removed a second time the offset is set to 255 - this
index is not valid for the ucode_key_table and corrupts the eeprom pointer
(which is 255 bits from ucode_key_table).

Signed-off-by: Tomas Winkler <email address hidden>
Signed-off-by: Zhu Yi <email address hidden>
Reported-by: Carlos R. Mafra <email address hidden>
Reported-by: Lukas Hejtmanek <email address hidden>

<http://git.kernel.org/?p=linux/kernel/git/iwlwifi/iwlwifi-2.6.git;a=commit;h=24e8b9a24de9326fa83464c2505465893c538113>
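
The corruption described in the commit message above, as an added C example (not code from the driver or from the upstream patch): clearing bit 255 of a one-word bitmap lands in a neighbouring field, and a kernel pointer with its top bit cleared becomes a non-canonical address, consistent with the 7fff88... values in RAX and RDI in the two traces. The struct layout, the function names, the pointer value and the bounds check are constructed for illustration, and the 64-slot table size is an assumption.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_TABLE_BITS     64   /* assumption: the key bitmap is one 64-bit word */
#define KEY_OFFSET_INVALID 255  /* offset left behind once a key has been removed */
/* Constructed stand-in for the driver's private data, flattened into words:
 * w[0] is the key bitmap, w[3] holds the eeprom pointer (bits 192..255). */
enum { W_KEY_TABLE = 0, W_EEPROM = 3, W_COUNT = 4 };
struct fake_priv { uint64_t w[W_COUNT]; };

/* Like the kernel's clear_bit(): no range check on nr. */
static void clear_bit_raw(unsigned nr, uint64_t *base) {
    base[nr / 64] &= ~(UINT64_C(1) << (nr % 64));
}

/* "Before": trusts whatever offset is stored for the key. */
static int remove_key_unchecked(struct fake_priv *p, unsigned offset) {
    clear_bit_raw(offset, p->w);
    return 0;
}

/* Hardened: refuse offsets outside the table or slots that are not in use. */
static int remove_key_checked(struct fake_priv *p, unsigned offset) {
    if (offset >= KEY_TABLE_BITS || !((p->w[W_KEY_TABLE] >> offset) & 1))
        return -1;
    clear_bit_raw(offset, p->w);
    return 0;
}

/* x86-64 with 48-bit addressing: bits 63..47 must all be equal. */
static int is_canonical(uint64_t addr) {
    return (addr >> 47) == 0 || (addr >> 47) == 0x1ffff;
}

/* Remove the key in slot 0, then remove it again via the invalid offset. */
static uint64_t eeprom_after_double_remove(int checked) {
    struct fake_priv p = { { 1, 0, 0, UINT64_C(0xffff8800375a0400) } }; /* constructed */
    int (*rm)(struct fake_priv *, unsigned) = checked ? remove_key_checked : remove_key_unchecked;
    rm(&p, 0);
    rm(&p, KEY_OFFSET_INVALID);
    return p.w[W_EEPROM];
}

int main(void) {
    printf("unchecked: %016" PRIx64 " canonical=%d\n", eeprom_after_double_remove(0), is_canonical(eeprom_after_double_remove(0)));
    printf("checked:   %016" PRIx64 " canonical=%d\n", eeprom_after_double_remove(1), is_canonical(eeprom_after_double_remove(1)));
    return 0;
}
```

A dereference of the non-canonical value raises a general protection fault rather than a page fault, which is the fault type both traces report.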

Changed in linux:
assignee: nobody → ubuntu-kernel-team
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in linux:
status: In Progress → Fix Released
Jim Lieb (lieb)
Changed in linux:
assignee: ubuntu-kernel-team → lieb
status: Triaged → In Progress
Jim Lieb (lieb) wrote :

The patch referenced in comment #2 is part of the backport of the driver done for bug 286370.
This bug has been marked as invalid because it is a duplicate of 286370 and that bug has already been
fixed before intrepid release.

If this bug continues to occur, please file a new bug with stack traces etc. from the released kernel.

Changed in linux:
status: In Progress → Invalid
Changed in linux:
importance: Unknown → Medium