521274 – dma-debug error message from RTL8139 network driver (8139cp.c)

Bug 521274 - dma-debug error message from RTL8139 network driver (8139cp.c)

Summary: dma-debug error message from RTL8139 network driver (8139cp.c)

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-09-04 15:46 UTC by conny seidel
Modified:	2009-10-12 07:37 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-10-12 07:37:26 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description conny seidel 2009-09-04 15:46:53 UTC

Description of problem:
DMA bug in RTL8139 network driver, observed by DMA debug facility
During network transfers using a RTL8139 NIC, the DMA debug API
discovers illegal frees and dumps this in dmesg

Version-Release number of selected component (if applicable):
OS version    : FC12-alpha
Kernel version: 2.6.31-0.125.4.2.rc5.git2.fc12.i686.PAE

How reproducible:
- use QEMU (Xen HVM, KVM, or pure userspace emulation show all the bug)

Steps to Reproduce:
1. qemu -net nic,model=rtl8139 -net user -hda fedora12_rc.img
2. do some network load (copying files over ssh from guest to host,
   ping flood from guest to host)
3. observe debug message in dmesg

Actual results:
------------[ cut here ]------------
WARNING: at lib/dma-debug.c:803 check_unmap+0x1f9/0x515() (Tainted: G        W )
Hardware name: HVM domU
8139cp 0000:00:04.0: DMA-API: device driver frees DMA memory with different size [device address=0x0000000035d0b972] [map size=1536 bytes] [unmap size=1538 bytes]
Modules linked in: ipv6 ppdev 8139too parport_pc parport joydev floppy i2c_piix4 8139cp mii i2c_core ata_generic pata_acpi [last unloaded: scsi_wait_scan]
Pid: 0, comm: swapper Tainted: G        W  2.6.31-0.125.4.2.rc5.git2.fc12.i686.PAE #1
Call Trace:
 [<c044cc00>] warn_slowpath_common+0x7b/0xa3
 [<c0610f33>] ? check_unmap+0x1f9/0x515
 [<c044cc91>] warn_slowpath_fmt+0x34/0x48
 [<c0610f33>] check_unmap+0x1f9/0x515
 [<c0611450>] debug_dma_unmap_page+0x6e/0x87
 [<f7e6e1c2>] dma_unmap_single_attrs.clone.2+0x67/0x83 [8139cp]
 [<f7e6e332>] cp_rx_poll+0x154/0x323 [8139cp]
 [<c07936f4>] net_rx_action+0xa7/0x1d3
 [<c045345f>] ? __do_softirq+0x60/0x192
 [<c04534c7>] __do_softirq+0xc8/0x192
 [<c04535da>] do_softirq+0x49/0x7f
 [<c045372e>] irq_exit+0x48/0x8c
 [<c040c6f1>] do_IRQ+0x92/0xb7
 [<c040afd5>] common_interrupt+0x35/0x3c
 [<c042d284>] ? native_safe_halt+0xa/0xc
 [<c0411e73>] default_idle+0x55/0x98
 [<c0411fc6>] c1e_idle+0x110/0x126
 [<c0409923>] cpu_idle+0xac/0xcd
 [<c081d24a>] rest_init+0x66/0x79
 [<c0a94af1>] start_kernel+0x36f/0x385
 [<c0a9408f>] i386_start_kernel+0x7e/0x96
---[ end trace a7919e7f17c0a727 ]---
Mapped at:
 [<c06117e6>] debug_dma_map_page+0x86/0x16c
 [<f7e6dd04>] dma_map_single_attrs.clone.1+0x7f/0x9c [8139cp]
 [<f7e6e810>] cp_init_rings+0xad/0x13e [8139cp]
 [<f7e6e925>] cp_open+0x84/0x154 [8139cp]
 [<c079504b>] dev_open+0x99/0xe4

Comment 1 Chuck Ebbert 2009-10-12 07:37:26 UTC

fixed in 2.6.31

Note You need to log in before you can comment on or make changes to this bug.