Bug 597 - Missing kmalloc return value check causes oops when suspending.
Status: VERIFIED FIXED
Product: IPW2200
Component: Power Management
Version: 1.0.1
Hardware: All / OS: All
Importance: P2 normal
Reported: 2005-03-06 05:23 by
Modified: 2005-10-06 16:46 (History)


Attachments
Check return value of kmalloc (368 bytes, patch)
2005-03-06 05:24, Bernard Blackham
NULL out skb after being freed (529 bytes, patch)
2005-03-10 08:44, James Ketrenos

Description From 2005-03-06 05:23:00
I got a kernel panic recently when trying to suspend my machine (with software
suspend 2) that was caused by ipw2200 (version 0.22), and repeated again on 1.0.1.
 
The oops is at http://dagobah.ucc.asn.au/ipw2200-oops/dscf1521.jpg
And some prior dmesg at http://dagobah.ucc.asn.au/ipw2200-oops/dscf1522.jpg
The interesting bits from the dmesg read something like:
 
Software Suspend 2.1.7: Initiating a software suspend cycle.
ipw2200: Firmware error detected.  Restarting.
ipw2200: Firmware error detected.  Restarting.
wlan0: Can not allocate SKB buffers. <- wlan0 is the ipw2200
ipw2200: Unable to load boot firmware.
*an Oops involving kfree in ipw_rx_queue_free*

This was tracked down to a missing kmalloc return value check in
ipw_rx_queue_alloc(). Patch to follow.
------- Comment #1 From 2005-03-06 05:24:01 -------
Created an attachment (id=275) [details]
Check return value of kmalloc

This appears to fix the bug for me. It was an intermittent bug, and I haven't
had an oops on suspending yet with this patch.
------- Comment #2 From 2005-03-09 19:41:10 -------
Patch is valid, but I can hardly see how it fixed this problem.
------- Comment #3 From 2005-03-09 20:56:14 -------
You're right that it really doesn't seem related. I guess the bug is just
sufficiently intermittent to be deceptive. I got the oops at least a
couple of times in a week without the patch, and haven't had it once yet with
the patch - seems it's just luck.

More likely a candidate - does ipw_rx_queue_reset need to set the skb pointer to
NULL after calling dev_kfree_skb?
------- Comment #4 From 2005-03-10 08:44:33 -------
Created an attachment (id=280) [details]
NULL out skb after being freed

This patch NULLs out the skb after it is freed to keep it from being freed
again if ipw_rx_queue_reset is called before replenish reallocates the skbs.
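The double free that the NULL-out patch closes, as an added simulation written for this page (it is not the driver's code and not one of the attachments above): a reset that frees the skbs but leaves rxb->skb pointing at freed memory, followed by a replenish that fails on its first allocation and stops, leaves stale pointers for the next reset to free a second time. The rx_used bookkeeping, the stop-on-first-failure replenish, the freed-flag stand-in for dev_kfree_skb and the simulate_firmware_restarts() harness are constructed assumptions for the demonstration, and double_free_count stands in for the oops a real kernel would produce.

```c
#include <stdlib.h>
#define RX_POOL 4
/* Constructed stand-ins for struct sk_buff and the driver's rx buffer pool:
 * skb[] plays the role of rxb->skb, on_rx_used[] models the rx_used list. */
struct skb { int freed; };
struct rx_queue { struct skb *skb[RX_POOL]; int on_rx_used[RX_POOL]; };
static int double_free_count;  /* a real kernel would oops here instead */
static int alloc_should_fail;  /* fault injection: 1 makes allocation return NULL */
static struct skb *alloc_skb_sim(void) {
    return alloc_should_fail ? NULL : calloc(1, sizeof(struct skb));
}
/* Stand-in for dev_kfree_skb: marks the skb freed instead of releasing it,
 * so a second free is counted rather than corrupting the heap. */
static void dev_kfree_skb_sim(struct skb *s) {
    if (s->freed) double_free_count++;
    s->freed = 1;
}
/* Reset: free every attached skb and return the buffer to rx_used.
 * null_out selects the pre-patch (0) or patched (1) behaviour. */
static void rx_queue_reset(struct rx_queue *q, int null_out) {
    for (int i = 0; i < RX_POOL; i++) {
        if (q->skb[i]) {
            dev_kfree_skb_sim(q->skb[i]);
            if (null_out) q->skb[i] = NULL;  /* the one-line fix from comment #4 */
        }
        q->on_rx_used[i] = 1;
    }
}
/* Replenish: attach a fresh skb to each buffer on rx_used, stopping at the
 * first allocation failure and leaving the remaining buffers untouched. */
static void rx_queue_replenish(struct rx_queue *q) {
    for (int i = 0; i < RX_POOL; i++) {
        if (!q->on_rx_used[i]) continue;
        q->skb[i] = alloc_skb_sim();
        if (!q->skb[i]) break;  /* "Can not allocate SKB buffers." */
        q->on_rx_used[i] = 0;
    }
}
/* Replays the dmesg sequence and returns how many skbs were freed twice. */
static int simulate_firmware_restarts(int null_out) {
    struct rx_queue q = {0};
    for (int i = 0; i < RX_POOL; i++) q.on_rx_used[i] = 1;
    double_free_count = 0, alloc_should_fail = 0;
    rx_queue_replenish(&q);        /* normal startup: every buffer has an skb */
    rx_queue_reset(&q, null_out);  /* "Firmware error detected. Restarting." */
    alloc_should_fail = 1;         /* memory pressure during the suspend */
    rx_queue_replenish(&q);        /* fails on the first buffer and stops */
    rx_queue_reset(&q, null_out);  /* second restart sees the stale pointers */
    return double_free_count;
}
```

With null_out = 0 the second reset frees the three buffers the failed replenish never reached a second time; with null_out = 1 it finds only NULL pointers and frees nothing.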
------- Comment #5 From 2005-03-10 08:45:03 -------
Please try the NULL out patch and see if it corrects the oops behavior.
------- Comment #6 From 2005-03-11 07:21:09 -------
A day of usage with about 20 or 30 suspends, and I haven't hit the bug. It might
just be luck, as I haven't noticed the same sequence of error messages that led
up to the original oops. But I do think this patch has nailed it.
------- Comment #7 From 2005-03-23 23:24:47 -------
The bug is possibly fixed by this patch, and the patch is in ipw2200 1.0.2.
Please use the latest version of the driver.

Mark the bug as fixed and verified, since submitter didn't get the problem
after applying the patch. If it happens again with 1.0.2, please reopen it.