Bug 240214

Summary: removing and reinserting bcm4306 pcmcia card causes kernel oops
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: kernel
Assignee: John W. Linville <linville>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: cebbert, davej
Hardware: All
OS: Linux
Fixed In Version: 2.6.22.1-27.fc7
Doc Type: Bug Fix
Last Closed: 2007-07-24 23:06:52 UTC

Description Orion Poplawski 2007-05-15 19:35:13 UTC
Description of problem:

Removing and re-inserting my wireless pcmcia card resulted in:

pccard: CardBus card inserted into slot 0
PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
ACPI: PCI Interrupt 0000:03:00.0[A] -> Link [LNKD] -> GSI 11 (level, low) -> IRQ 11
PCI: Setting latency timer of device 0000:03:00.0 to 64
ssb: Sonics Silicon Backplane found on PCI device <NULL>
ssb: Core 0 found: ChipCommon (cc 0x800, rev 0x04, vendor 0x4243)
ssb: Core 1 found: IEEE 802.11 (cc 0x812, rev 0x05, vendor 0x4243)
ssb: Core 2 found: PCMCIA (cc 0x80D, rev 0x02, vendor 0x4243)
ssb: Core 3 found: V90 (cc 0x807, rev 0x02, vendor 0x4243)
ssb: Core 4 found: PCI (cc 0x804, rev 0x09, vendor 0x4243)
ssb: Switching to ChipCommon core, index 0
ssb: Switching to PCI core, index 4
bcm43xx_mac80211: Broadcom 4306 WLAN found
ssb: Switching to IEEE 802.11 core, index 1
bcm43xx_mac80211: Radio turned off
wmaster0: Selected rate control algorithm 'simple'
ieee80211_crypt: registered algorithm 'NULL'
ieee80211: 802.11 data/management/control stack, git-1.1.13
ieee80211: Copyright (C) 2004-2005 Intel Corporation <jketreno.com>
bcm43xx driver
pccard: card ejected from slot 0
ACPI: PCI interrupt for device 0000:03:00.0 disabled
pccard: CardBus card inserted into slot 1
PCI: Enabling device 0000:07:00.0 (0000 -> 0002)
ACPI: PCI Interrupt 0000:07:00.0[A] -> Link [LNKD] -> GSI 11 (level, low) -> IRQ 11
PCI: Setting latency timer of device 0000:07:00.0 to 64
ssb: Sonics Silicon Backplane found on PCI device <NULL>
ssb: Core 0 found: ChipCommon (cc 0x800, rev 0x04, vendor 0x4243)
ssb: Core 1 found: IEEE 802.11 (cc 0x812, rev 0x05, vendor 0x4243)
ssb: Core 2 found: PCMCIA (cc 0x80D, rev 0x02, vendor 0x4243)
ssb: Core 3 found: V90 (cc 0x807, rev 0x02, vendor 0x4243)
ssb: Core 4 found: PCI (cc 0x804, rev 0x09, vendor 0x4243)
ssb: Switching to ChipCommon core, index 0
ssb: Switching to PCI core, index 4
bcm43xx_mac80211: Broadcom 4306 WLAN found
ssb: Switching to IEEE 802.11 core, index 1
bcm43xx_mac80211: Radio turned off
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000194
 printing eip:
f8d1a5c9
*pde = 00000000
Oops: 0000 [#1]
SMP
last sysfs file: /devices/system/cpu/cpu0/cpufreq/scaling_setspeed
Modules linked in: bcm43xx ieee80211softmac ieee80211 ieee80211_crypt arc4 ecb
blkcipher rc80211_simple bcm43xx_mac80211 ssb mac80211 cfg80211 nfs lockd
nfs_acl autofs4 hidp rfcomm l2cap bluetooth sunrpc dm_mirror dm_multipath dm_mod
video sbs i2c_ec i2c_core button dock battery ac radeon drm ipv6 lp loop
parport_pc snd_intel8x0m snd_intel8x0 parport snd_ac97_codec ac97_bus
snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq rtc_cmos rtc_core rtc_lib
snd_seq_device snd_pcm_oss snd_mixer_oss iTCO_wdt iTCO_vendor_support pcspkr
snd_pcm serio_raw snd_timer 3c59x snd soundcore mii snd_page_alloc sr_mod cdrom
floppy sg ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache ehci_hcd
ohci_hcd uhci_hcd
CPU:    0
EIP:    0060:[<f8d1a5c9>]    Not tainted VLI
EFLAGS: 00010246   (2.6.21-1.3142.fc7 #1)
EIP is at ieee80211_register_hw+0x2f/0x1d6 [mac80211]
eax: 00000000   ebx: d0bee2e0   ecx: 00000000   edx: 00000001
esi: fffffff4   edi: f01b3a14   ebp: f7c22c2c   esp: f7c22c1c
ds: 007b   es: 007b   fs: 00d8  gs: 0000  ss: 0068
Process pccardd (pid: 308, ti=f7c22000 task=f7c3cac0 task.ti=f7c22000)
Stack: f68ef444 f68ef444 f68ef444 00000000 f7c22c8c f8d3c5ca 6f0a7dee 00004306
       f7c22c44 00000246 c06a01b2 f01b3a14 d0bef0c0 00000000 00000001 f7c22c88
       f68ef95c d0bef1a8 efa67184 f01b3904 d0bef0c0 00000001 f68ef454 d0bee2e0
Call Trace:
 [<c04061e9>] show_trace_log_lvl+0x1a/0x2f
 [<c0406299>] show_stack_log_lvl+0x9b/0xa3
 [<c0406459>] show_registers+0x1b8/0x289
 [<c0406657>] die+0x12d/0x242
 [<c061886e>] do_page_fault+0x3ee/0x4ba
 [<c0617004>] error_code+0x7c/0x84
 [<f8d3c5ca>] bcm43xx_probe+0x5e3/0x648 [bcm43xx_mac80211]
 [<f8c98142>] ssb_device_probe+0x32/0x49 [ssb]
 [<c0562ba1>] really_probe+0xc7/0x150
 [<c0562cbf>] driver_probe_device+0x95/0xa1
 [<c0562cd3>] __device_attach+0x8/0xa
 [<c0562091>] bus_for_each_drv+0x3a/0x65
 [<c0562d5c>] device_attach+0x68/0x7d
 [<c0562000>] bus_attach_device+0x21/0x45
 [<c0560f11>] device_add+0x3a4/0x62e
 [<c05611ad>] device_register+0x12/0x15
 [<f8c973d2>] ssb_attach_queued_buses+0x153/0x21a [ssb]
 [<f8c97e53>] ssb_bus_register+0xfa/0x142 [ssb]
 [<f8c97f6d>] ssb_bus_pcibus_register+0x3e/0x44 [ssb]
 [<f8c9971d>] ssb_pcihost_probe+0x61/0x8c [ssb]
 [<c04fdae1>] pci_device_probe+0x39/0x5b
 [<c0562ba1>] really_probe+0xc7/0x150
 [<c0562cbf>] driver_probe_device+0x95/0xa1
 [<c0562cd3>] __device_attach+0x8/0xa
 [<c0562091>] bus_for_each_drv+0x3a/0x65
 [<c0562d5c>] device_attach+0x68/0x7d
 [<c0562000>] bus_attach_device+0x21/0x45
 [<c0560f11>] device_add+0x3a4/0x62e
 [<c04f9199>] pci_bus_add_device+0xf/0x4f
 [<c04f91f4>] pci_bus_add_devices+0x1b/0xfe
 [<c056c078>] cb_alloc+0xa4/0xb7
 [<c05690a7>] socket_insert+0xc0/0xe7
 [<c056957c>] pccardd+0x13d/0x1e6
 [<c04382fb>] kthread+0xb3/0xdc
 [<c0405cd3>] kernel_thread_helper+0x7/0x10
 =======================
Code: 53 89 c3 83 ec 08 8b 00 e8 b1 bd f1 ff 85 c0 89 c6 0f 88 b3 01 00 00 8b 03
31 c9 ba 01 00 00 00 be f4 ff ff ff 8b 80 e0 00 00 00 <8b> 80 94 01 00 00 8b 00
e8 f0 ae 71 c7 85 c0 89 43 58 0f 84 80
EIP: [<f8d1a5c9>] ieee80211_register_hw+0x2f/0x1d6 [mac80211] SS:ESP 0068:f7c22c1c

Version-Release number of selected component (if applicable):
2.6.21-1.3142.fc7

How reproducible:
Haven't tried yet.

Comment 1 Orion Poplawski 2007-05-15 22:02:09 UTC
Note that this is without any firmware installed on the system yet.  I'll try to
get some installed and see if that affects the oops.

Comment 2 John W. Linville 2007-07-17 20:33:25 UTC
Is this still a problem with current rawhide (or F-7) kernels?

Comment 3 Orion Poplawski 2007-07-24 23:06:52 UTC
Appears to be fixed with 2.6.22.1-27.fc7 (and possibly earlier, haven't been
testing).  I do get the "bcm43xx_mac80211: ERROR: bbatt(11) >= size of LO array"
message though; see new Bug #249483.