Getting NULL pointer exception when removing broadcom wifi driver

We are using Linux kernel version 4.1 and the brcmfmac wifi driver. We get the following exception when removing the wifi driver through modprobe.

2p-dev-wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD

p2p-dev-wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US

[ 1541.339249] Unable to handle kernel NULL pointer dereference at virtual address 00000080

[ 1541.366204] pgd = c77f0000

[ 1541.376562] [00000080] pgd=843b5831, pte=00000000, *ppte=00000000

[ 1541.385011] Internal error: Oops: 17 [#1] PREEMPT ARM

[ 1541.390109] Modules linked in: brcmfmac(-) cfg80211 brcmutil [last unloaded: cfg80211]

[ 1541.398157] CPU: 0 PID: 1060 Comm: modprobe Tainted: G        W       4.1.18-gbbe8cfc #40

[ 1541.406384] Hardware name: Generic AM33XX (Flattened Device Tree)

[ 1541.412522] task: c4078480 ti: c38ac000 task.ti: c38ac000

[ 1541.417995] PC is at mutex_lock+0x10/0x34

[ 1541.422276] LR is at brcmf_fil_bsscfg_data_set+0x30/0x100 [brcmfmac]

[ 1541.428679] pc : [<c066a790>]    lr : [<bf05af2c>]    psr: 600f0113

[ 1541.428679] sp : c38add70  ip : c38add80  fp : c38add7c

[ 1541.440226] r10: 00000000  r9 : c38addba  r8 : bf074a6c

[ 1541.445486] r7 : 00000080  r6 : 00000006  r5 : 00000000  r4 : c7612f00

[ 1541.452056] r3 : 00000006  r2 : c38addba  r1 : bf074a6c  r0 : 00000080

[ 1541.458629] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user

[ 1541.465811] Control: 10c5387d  Table: 877f0019  DAC: 00000015

[ 1541.471597] Process modprobe (pid: 1060, stack limit = 0xc38ac210)

[ 1541.477817] Stack: (0xc38add70 to 0xc38ae000)

[ 1541.655197] Backtrace:

[ 1541.657816] [<c066a780>] (mutex_lock) from [<bf05af2c>] (brcmf_fil_bsscfg_data_set+0x30/0x100 [brcmfmac])

[ 1541.667679] [<bf05aefc>] (brcmf_fil_bsscfg_data_set [brcmfmac]) from [<bf05ece4>] (brcmf_p2p_set_discover_state+0x50/0x64 [brcmfmac])

[ 1541.679745]  r9:c38ac000 r8:c000fa24 r7:c7612f00 r6:00000000 r5:00000000 r4:00000000

[ 1541.687855] [<bf05ec94>] (brcmf_p2p_set_discover_state [brcmfmac]) from [<bf05ff7c>] (brcmf_p2p_cancel_remain_on_channel+0x24/0x38 [brcmfmac])

[ 1541.700703]  r7:c73df03c r6:c421af40 r5:c7027000 r4:c7612f00

[ 1541.706710] [<bf05ff58>] (brcmf_p2p_cancel_remain_on_channel [brcmfmac]) from [<bf061254>] (brcmf_p2p_detach+0x24/0x4c [brcmfmac])

[ 1541.718511]  r5:c7027000 r4:c43203a8

[ 1541.722367] [<bf061230>] (brcmf_p2p_detach [brcmfmac]) from [<bf058c00>] (brcmf_cfg80211_detach+0x44/0x80 [brcmfmac])

[ 1541.733035]  r5:c408c000 r4:c43203a0

[ 1541.736899] [<bf058bbc>] (brcmf_cfg80211_detach [brcmfmac]) from [<bf063f24>] (brcmf_detach+0x64/0xc0 [brcmfmac])

[ 1541.747218]  r5:c408c000 r4:ffffffff

[ 1541.751144] [<bf063ec0>] (brcmf_detach [brcmfmac]) from [<bf06b494>] (brcmf_sdio_remove+0x40/0x104 [brcmfmac])

[ 1541.761200]  r7:c73df03c r6:bf0794a0 r5:c456761c r4:c4567400

[ 1541.767261] [<bf06b454>] (brcmf_sdio_remove [brcmfmac]) from [<bf06c320>] (brcmf_sdiod_remove+0x20/0xb8 [brcmfmac])

[ 1541.777755]  r5:c421af40 r4:c4566c00

[ 1541.781692] [<bf06c300>] (brcmf_sdiod_remove [brcmfmac]) from [<bf06c5fc>] (brcmf_ops_sdio_remove+0x88/0xe0 [brcmfmac])

[ 1541.792534]  r5:c421af40 r4:c4566c00

[ 1541.796330] [<bf06c574>] (brcmf_ops_sdio_remove [brcmfmac]) from [<c04a3af8>] (sdio_bus_remove+0x38/0xf8)

[ 1541.805951]  r5:c73df000 r4:c73df008

[ 1541.809605] [<c04a3ac0>] (sdio_bus_remove) from [<c03f2640>] (__device_release_driver+0x78/0xec)

[ 1541.818440]  r7:c73df03c r6:bf0794a0 r5:bf0794a0 r4:c73df008

[ 1541.824204] [<c03f25c8>] (__device_release_driver) from [<c03f2ea8>] (driver_detach+0x124/0x130)

[ 1541.833038]  r5:c38ac000 r4:c73df008

[ 1541.836680] [<c03f2d84>] (driver_detach) from [<c03f2368>] (bus_remove_driver+0x54/0xa8)

[ 1541.844816]  r7:00000081 r6:00000800 r5:0003be94 r4:bf0794a0

[ 1541.850580] [<c03f2314>] (bus_remove_driver) from [<c03f3538>] (driver_unregister+0x30/0x50)

[ 1541.859064]  r5:0003be94 r4:bf0794a0

[ 1541.862704] [<c03f3508>] (driver_unregister) from [<c04a3e54>] (sdio_unregister_driver+0x20/0x28)

[ 1541.871626]  r5:0003be94 r4:bf07953c

[ 1541.875430] [<c04a3e34>] (sdio_unregister_driver) from [<bf06e1e4>] (brcmf_sdio_exit+0x40/0x58 [brcmfmac])

[ 1541.885446] [<bf06e1a4>] (brcmf_sdio_exit [brcmfmac]) from [<bf06e594>] (brcmfmac_module_exit+0x18/0x24 [brcmfmac])

[ 1541.896091] [<bf06e57c>] (brcmfmac_module_exit [brcmfmac]) from [<c008e034>] (SyS_delete_module+0x114/0x1d8)

[ 1541.906001] [<c008df20>] (SyS_delete_module) from [<c000f880>] (ret_fast_syscall+0x0/0x3c)

[ 1541.914311]  r6:0003be58 r5:0003be94 r4:0003be58

[ 1541.919007] Code: e1a0c00d e92dd800 e24cb004 f5d0f000 (e1902f9f)

MichaelF_56
Moderator

Moving to the Linux forum, adding chln and vens

Hi chln

After applying the above patch, I'm still getting a NULL pointer exception, but with a different backtrace.

[ 1147.118804] Unable to handle kernel NULL pointer dereference at virtual address 00000000

[ 1147.188169] pgd = c457c000

[ 1147.192033] [00000000] pgd=87691831, pte=00000000, *ppte=00000000

[ 1147.227155] Internal error: Oops: 17 [#1] PREEMPT ARM

[ 1147.232367] Modules linked in: brcmfmac(-) cfg80211 brcmutil [last unloaded: cfg80211]

[ 1147.240662] CPU: 0 PID: 1239 Comm: modprobe Not tainted 4.1.18-gbbe8cfc #40

[ 1147.247737] Hardware name: Generic AM33XX (Flattened Device Tree)

[ 1147.253946] task: c7251200 ti: c40ca000 task.ti: c40ca000

[ 1147.259558] PC is at exit_creds+0x1c/0x80

[ 1147.263751] LR is at __put_task_struct+0x50/0xe0

[ 1147.268479] pc : [<c0052960>]    lr : [<c0034234>]    psr: 80000013

[ 1147.268479] sp : c40cbdb0  ip : c40cbdc8  fp : c40cbdc4

[ 1147.280102] r10: 00000000  r9 : c40ca000  r8 : c000fa24

[ 1147.285426] r7 : c73df03c  r6 : 00000000  r5 : c3856d08  r4 : c3856d00

[ 1147.292059] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000000

[ 1147.298699] Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user

[ 1147.305950] Control: 10c5387d  Table: 8457c019  DAC: 00000015

[ 1147.311797] Process modprobe (pid: 1239, stack limit = 0xc40ca210)

[ 1147.318086] Stack: (0xc40cbdb0 to 0xc40cc000)

[ 1147.480614] Backtrace:

[ 1147.483243] [<c0052944>] (exit_creds) from [<c0034234>] (__put_task_struct+0x50/0xe0)

[ 1147.491174]  r5:c3856d08 r4:c3856d00

[ 1147.494958] [<c00341e4>] (__put_task_struct) from [<c0050e48>] (kthread_stop+0x98/0xa0)

[ 1147.503065]  r5:c3856d08 r4:c3856d00

[ 1147.507826] [<c0050db0>] (kthread_stop) from [<bf21e0a4>] (brcmf_sdio_bus_stop+0x4c/0x1bc [brcmfmac])

[ 1147.517165]  r7:c73df03c r6:c77db840 r5:c772c800 r4:c772d800

[ 1147.523976] [<bf21e058>] (brcmf_sdio_bus_stop [brcmfmac]) from [<bf21a010>] (brcmf_detach+0xa4/0xd4 [brcmfmac])

[ 1147.534180]  r6:c77db840 r5:c4538000 r4:ffffffff

[ 1147.539891] [<bf219f6c>] (brcmf_detach [brcmfmac]) from [<bf221584>] (brcmf_sdio_remove+0x40/0x104 [brcmfmac])

[ 1147.550012]  r7:c73df03c r6:bf22f370 r5:c772da1c r4:c772d800

[ 1147.556845] [<bf221544>] (brcmf_sdio_remove [brcmfmac]) from [<bf222418>] (brcmf_sdiod_remove+0x28/0xbc [brcmfmac])

[ 1147.567399]  r5:00000000 r4:c772c800

[ 1147.572082] [<bf2223f0>] (brcmf_sdiod_remove [brcmfmac]) from [<bf2226f0>] (brcmf_ops_sdio_remove+0x88/0xe0 [brcmfmac])

[ 1147.582979]  r5:c77db840 r4:c772c800

[ 1147.587224] [<bf222668>] (brcmf_ops_sdio_remove [brcmfmac]) from [<c04a3af8>] (sdio_bus_remove+0x38/0xf8)

[ 1147.596896]  r5:c73df000 r4:c73df008

[ 1147.600723] [<c04a3ac0>] (sdio_bus_remove) from [<c03f2640>] (__device_release_driver+0x78/0xec)

[ 1147.609612]  r7:c73df03c r6:bf22f370 r5:bf22f370 r4:c73df008

[ 1147.615567] [<c03f25c8>] (__device_release_driver) from [<c03f2ea8>] (driver_detach+0x124/0x130)

[ 1147.624459]  r5:c40ca000 r4:c73df008

[ 1147.628239] [<c03f2d84>] (driver_detach) from [<c03f2368>] (bus_remove_driver+0x54/0xa8)

[ 1147.636423]  r7:00000081 r6:00000800 r5:0003be94 r4:bf22f370

[ 1147.642384] [<c03f2314>] (bus_remove_driver) from [<c03f3538>] (driver_unregister+0x30/0x50)

[ 1147.650915]  r5:0003be94 r4:bf22f370

[ 1147.654695] [<c03f3508>] (driver_unregister) from [<c04a3e54>] (sdio_unregister_driver+0x20/0x28)

[ 1147.663670]  r5:0003be94 r4:bf22f40c

[ 1147.667972] [<c04a3e34>] (sdio_unregister_driver) from [<bf2242d8>] (brcmf_sdio_exit+0x40/0x58 [brcmfmac])

[ 1147.678681] [<bf224298>] (brcmf_sdio_exit [brcmfmac]) from [<bf22459c>] (brcmfmac_module_exit+0x18/0x24 [brcmfmac])

[ 1147.689694] [<bf224584>] (brcmfmac_module_exit [brcmfmac]) from [<c008e034>] (SyS_delete_module+0x114/0x1d8)

[ 1147.699727] [<c008df20>] (SyS_delete_module) from [<c000f880>] (ret_fast_syscall+0x0/0x3c)

[ 1147.708085]  r6:0003be58 r5:0003be94 r4:0003be58

[ 1147.712940] Code: e59022a4 e1a04000 e3a03000 e59002a0 (e5922000)

Hi manoj_1578136,

The original kernel panic in brcmf_p2p_detach has been fixed by the patches that Chi mentioned on 1/10.

The new NULL pointer exception happened in kthread_stop. I need more info to figure out the root cause.

1. Is the reproduction rate 100%?

2. Could you let us know where you got the brcmfmac source code, and what additional patches you have applied?

I'd like to reproduce the kernel panic and debug on my local side.

Wright(Wen-Chieh) Feng

Hi wefe

1) The above exception is not 100% reproducible. It happens randomly when I remove the driver before entering sleep mode. Below is the sequence used to enter and exit sleep mode.

    i) Before entering sleep mode

          rfkill block wlan0

          sleep 1

          modprobe -r brcmfmac

    ii) After exiting from sleep mode

          rfkill unblock wlan0

          modprobe brcmfmac

          sleep 1

          rfkill unblock wlan0

2) We are using the brcmfmac source code from Texas Instruments processor-sdk-02.00.02.11. Attached are patch files, which exclude chip-related changes. The full brcmfmac source is also attached.

Note: We are using in-band SDIO

Hi Manoj,

I've run the test of blocking wifi and removing the module 10 times, but cannot reproduce the same symptom.

However, because my platform is NXP i.MX instead of TI AM33XX, I think the issue might be platform specific.

Let's go back to the original debugging method. Could you please get more information? The reason for each request is described below.

1. Disassemble the objects using objdump from your TI AM33XX toolchain, so that we can see which line and which register hit the NULL pointer exception.

# {$toolchain}-objdump -SdCg kernel/cred.o

# {$toolchain}-objdump -SdCg kernel/fork.o

# {$toolchain}-objdump -SdCg kernel/kthread.o

2. What is the failure rate?

I'd like to know if we need to do more trials on i.MX to confirm it is a platform-specific issue.

Sorry for taking your time to help us get this info, but we need it to check the kernel panic log.

Regards,

Wright

Hi Wright,

1) I have attached the objdump of the above kernel binaries. Are you using our brcmfmac driver code? Is there any patch missing in our driver? If possible, can you provide a diff between the NXP driver and our driver?

2) We are getting that NULL pointer exception every 5 or 7 times.

Is there any other way to disable wifi for power consumption instead of removing/inserting the wifi driver?

The "wl" tool supports bcm wifi related operations in old kernels. Is there any "wl" tool support available for the 4.1 kernel?

Regards,

Manoj

Hi Manoj,

1) Currently i.MX uses bcmdhd instead of brcmfmac. I brought up your brcmfmac source code on i.MX; the only change is for reading device tree data on i.MX.

2) What's the power consumption now after using rfkill to block the wifi device?

3) As far as I know, the wl tool is not bundled with a kernel version. However, the wl tool provided to customers now is only for the bcmdhd driver, not brcmfmac.

4) Back to the NULL pointer debugging process.

Referring to the panic message and the object dump (maybe you already knew this), the NULL pointer exception was caused by accessing bus->watchdog_tsk->cred.

[ 1147.259558] PC is at exit_creds+0x1c/0x80

[ 1147.292059] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000000

64c:    e59022a4    ldr    r2, [r0, #676]    ; 0x2a4

65c:    e5922000    ldr    r2, [r2]

In brcmfmac, it just initializes, starts and stops the watchdog task kernel thread. I am afraid that it didn't get the cred object when inserting the module.

Please help apply the patch below, which includes some debug prints, and help capture the kernel/panic message.

I hope we can find out at which step the pointer is set to NULL.

Thanks for your quick reply and help.

Regards,

Wright
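
The register-and-opcode reading in the reply above can be checked mechanically. The following is an added example, not code from this thread or from brcmfmac: a Python script that takes excerpts of the two oops logs posted here, decodes the faulting word shown in parentheses on the `Code:` line (only the two A32 encodings that occur in this thread), and confirms that base register plus offset equals the reported fault address. The function names `decode_mem_access` and `analyze` are hypothetical.

```python
import re

# Excerpts copied from the two oops logs in this thread (timestamps stripped).
OOPS_P2P = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000080
PC is at mutex_lock+0x10/0x34
LR is at brcmf_fil_bsscfg_data_set+0x30/0x100 [brcmfmac]
r7 : 00000080  r6 : 00000006  r5 : 00000000  r4 : c7612f00
r3 : 00000006  r2 : c38addba  r1 : bf074a6c  r0 : 00000080
Code: e1a0c00d e92dd800 e24cb004 f5d0f000 (e1902f9f)
"""
OOPS_KTHREAD = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000000
PC is at exit_creds+0x1c/0x80
LR is at __put_task_struct+0x50/0xe0
r7 : c73df03c  r6 : 00000000  r5 : c3856d08  r4 : c3856d00
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000000
Code: e59022a4 e1a04000 e3a03000 e59002a0 (e5922000)
"""


def decode_mem_access(word):
    """Decode the two ARM (A32) load/store forms seen in this thread.

    Returns (mnemonic, rt, rn, signed_offset), or None for any other encoding.
    """
    if word >> 28 == 0xF:          # cond=1111 is the unconditional space (PLD etc.)
        return None
    rn, rt = (word >> 16) & 0xF, (word >> 12) & 0xF
    # LDREX Rt, [Rn]: cond 0001 1001 Rn Rt 1111 1001 1111
    if word & 0x0FF00FFF == 0x01900F9F:
        return ("ldrex", rt, rn, 0)
    # LDR/STR{B} Rt, [Rn, #+/-imm12]: cond 010 P=1 U B W=0 L Rn Rt imm12
    if word & 0x0F200000 == 0x05000000:
        mnem = ("ldr" if word & (1 << 20) else "str") + ("b" if word & (1 << 22) else "")
        imm = word & 0xFFF
        return (mnem, rt, rn, imm if word & (1 << 23) else -imm)
    return None


def analyze(oops):
    """Tie the fault address to the faulting instruction and its base register."""
    fault = int(re.search(r"at virtual address ([0-9a-f]{8})", oops).group(1), 16)
    pc = re.search(r"PC is at (\S+)", oops).group(1)
    regs = {}
    # Keep the first value seen per register: the register dump precedes the
    # backtrace, whose per-frame "r5:... r4:..." lines hold saved values instead.
    for name, val in re.findall(r"\b(r\d{1,2})\s*:\s*([0-9a-f]{8})\b", oops):
        regs.setdefault(int(name[1:]), int(val, 16))
    # The word in parentheses on the Code: line is the instruction at PC.
    word = int(re.search(r"Code:.*\(([0-9a-f]{8})\)", oops).group(1), 16)
    result = {"pc": pc, "fault": fault, "insn": None, "base": None, "explained": False}
    decoded = decode_mem_access(word)
    if decoded and decoded[2] in regs:
        mnem, rt, rn, off = decoded
        # The access faulted before completing, so the dumped base register
        # still holds the pointer that was dereferenced.
        effective = (regs[rn] + off) & 0xFFFFFFFF
        result.update(insn=f"{mnem} r{rt}, [r{rn}, #{off}]", base=f"r{rn}",
                      explained=(effective == fault))
    return result


if __name__ == "__main__":
    for label, text in (("p2p detach", OOPS_P2P), ("kthread_stop", OOPS_KTHREAD)):
        r = analyze(text)
        print(f"{label}: {r['pc']} faulted on '{r['insn']}', "
              f"address {r['fault']:#x}, matches base+offset: {r['explained']}")
```
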

Hi wefe

With the patch below I'm able to get rid of that NULL pointer exception. But we are continuously testing it for the exception, and I don't know how it solves the NULL pointer exception.

Is there any stable brcmfmac driver available? I'm even seeing a lot of differences between kernel 4.1 and 4.4.

2) Current consumption was reduced by 40mA after issuing rfkill block on wlan.

Thanks for your support.

Regards,
Manoj

Hi Manoj,

Is your patch from the commit below?

Referring to the commit message, the kernel oops happens when doing the 2nd modprobe, and it is caused by a previous failed chip attach.

The symptom and the dereferenced pointer are not the same as in your panic message, so I have no idea why it can fix your problem either.

If you have free time, I still need your help to get the full dmesg (with my log patch) when hitting the issue, because I'd like to know your root cause.

1) The first question is the one that Mifo just answered.

2) Since your issue has been fixed by the patch, removing the module is the way to reduce power consumption the most.

---

commit b88a2e80396ba463a4800c62c96e86954cb0f4f7

Author: xxxxxx

    brcmfmac: Fix kernel oops in failed chip_attach

    When chip attach fails, brcmf_sdiod_intr_unregister is being called

    but that is too early as sdiodev->settings has not been set yet

    nor has brcmf_sdiod_intr_register been called.

    Change to use oob_irq_requested + newly created sd_irq_requested

    to decide on what to unregister at intr_unregister time.

    Steps to reproduce problem:

    - modprobe brcmfmac using buggy FW

    - rmmod brcmfmac

    - modprobe brcmfmac again.

    If done with a buggy firmware, brcm_chip_attach will fail on the

    2nd modprobe triggering the call to intr_unregister and the

    kernel oops when attempting to de-reference sdiodev->settings->bus.sdio

    which has not yet been set.

Hi Wright,

Sorry for the late reply; I was busy with some other work. We are again getting the same NULL pointer exception. I have added your patch, and the log is below.

[   66.653683] brcmf_cfg80211_reg_notifier: not a ISO3166 code

[   70.033656] brcmf_sdio_bus_stop: Enter

[   70.183640] brcmf_sdio_bus_stop: cred=c75b7880

[   70.245616] brcmf_sdio_bus_stop: After SIGTERM, cred=c75b7880

[   70.305065] Unable to handle kernel NULL pointer dereference at virtual address 00000000

[   70.384423] pgd = c3918000

[   70.387387] [00000000] pgd=8456c831, pte=00000000, *ppte=00000000

[   70.467516] Internal error: Oops: 17 [#1] PREEMPT ARM

[   70.472774] Modules linked in: brcmfmac(-) cfg80211 brcmutil

[   70.478770] CPU: 0 PID: 527 Comm: modprobe Not tainted 4.1.18-gbbe8cfc #70

[   70.485753] Hardware name: Generic AM33XX (Flattened Device Tree)

[   70.491964] task: c4528900 ti: c3916000 task.ti: c3916000

[   70.497578] PC is at exit_creds+0x1c/0x80

[   70.501768] LR is at __put_task_struct+0x50/0xe0

[   70.506498] pc : [<c0052960>]    lr : [<c0034234>]    psr: 20000013

[   70.506498] sp : c3917da8  ip : c3917dc0  fp : c3917dbc

[   70.518119] r10: 00000000  r9 : c3916000  r8 : c000fa24

[   70.523423] r7 : c73df03c  r6 : 00000000  r5 : c75e9b08  r4 : c75e9b00

[   70.530073] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000000

[   70.536726] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user

[   70.543971] Control: 10c5387d  Table: 83918019  DAC: 00000015

[   70.549810] Process modprobe (pid: 527, stack limit = 0xc3916210)

[   70.556003] Stack: (0xc3917da8 to 0xc3918000)

[   70.718592] Backtrace:

[   70.721243] [<c0052944>] (exit_creds) from [<c0034234>] (__put_task_struct+0x50/0xe0)

[   70.729177]  r5:c75e9b08 r4:c75e9b00

[   70.732971] [<c00341e4>] (__put_task_struct) from [<c0050e48>] (kthread_stop+0x98/0xa0)

[   70.741074]  r5:c75e9b08 r4:c75e9b00

[   70.745830] [<c0050db0>] (kthread_stop) from [<bf1060d8>] (brcmf_sdio_bus_stop+0x80/0x210 [brcmfmac])

[   70.755173]  r7:c73df03c r6:c767e280 r5:c766bc00 r4:c761c800

[   70.761986] [<bf106058>] (brcmf_sdio_bus_stop [brcmfmac]) from [<bf102010>] (brcmf_detach+0xa4/0xd4 [brcmfmac])

[   70.772188]  r6:c767e280 r5:c3884000 r4:ffffffff

[   70.777925] [<bf101f6c>] (brcmf_detach [brcmfmac]) from [<bf1095cc>] (brcmf_sdio_remove+0x40/0x104 [brcmfmac])

[   70.788041]  r7:c73df03c r6:c766bc00 r5:c761ca1c r4:c761c800

[   70.794896] [<bf10958c>] (brcmf_sdio_remove [brcmfmac]) from [<bf10a478>] (brcmf_sdiod_remove+0x28/0xc0 [brcmfmac])

[   70.805438]  r5:00000000 r4:c766bc00

[   70.810159] [<bf10a450>] (brcmf_sdiod_remove [brcmfmac]) from [<bf10b81c>] (brcmf_ops_sdio_remove+0x90/0xe8 [brcmfmac])

[   70.821052]  r5:c767e280 r4:c73df000

[   70.825327] [<bf10b78c>] (brcmf_ops_sdio_remove [brcmfmac]) from [<c04a3af8>] (sdio_bus_remove+0x38/0xf8)

[   70.835012]  r7:c73df03c r6:bf117488 r5:c73df000 r4:c73df008

[   70.841014] [<c04a3ac0>] (sdio_bus_remove) from [<c03f2640>] (__device_release_driver+0x78/0xec)

[   70.849898]  r7:c73df03c r6:bf117488 r5:bf117488 r4:c73df008

[   70.855856] [<c03f25c8>] (__device_release_driver) from [<c03f2ea8>] (driver_detach+0x124/0x130)

[   70.864741]  r5:c3916000 r4:c73df008

[   70.868538] [<c03f2d84>] (driver_detach) from [<c03f2368>] (bus_remove_driver+0x54/0xa8)

[   70.876728]  r7:00000081 r6:00000800 r5:0003be94 r4:bf117488

[   70.882686] [<c03f2314>] (bus_remove_driver) from [<c03f3538>] (driver_unregister+0x30/0x50)

[   70.891221]  r5:0003be94 r4:bf117488

[   70.894998] [<c03f3508>] (driver_unregister) from [<c04a3e54>] (sdio_unregister_driver+0x20/0x28)

[   70.903976]  r5:0003be94 r4:bf117524

[   70.908266] [<c04a3e34>] (sdio_unregister_driver) from [<bf10c378>] (brcmf_sdio_exit+0x40/0x58 [brcmfmac])

[   70.918967] [<bf10c338>] (brcmf_sdio_exit [brcmfmac]) from [<bf10c63c>] (brcmfmac_module_exit+0x18/0x24 [brcmfmac])

[   70.929985] [<bf10c624>] (brcmfmac_module_exit [brcmfmac]) from [<c008e034>] (SyS_delete_module+0x114/0x1d8)

[   70.940015] [<c008df20>] (SyS_delete_module) from [<c000f880>] (ret_fast_syscall+0x0/0x3c)

[   70.948382]  r6:0003be58 r5:0003be94 r4:0003be58

[   70.953234] Code: e59022a4 e1a04000 e3a03000 e59002a0 (e5922000)

Regards,
Manoj

Hi Manoj,

Thanks for getting the kernel log for us.

In the log, bus->watchdog_tsk->cred was not NULL before brcmfmac passed the watchdog_tsk pointer to kthread_stop.

Because r2 and r0 were NULL, it looks like cred and real_cred were set to NULL before calling exit_creds.

Refer to the backtrace below; please add logs in your kernel and check which function sets those pointers to NULL.

The pointer cred should be set to NULL before doing exit_creds.

[   70.721243] [<c0052944>] (exit_creds) from [<c0034234>] (__put_task_struct+0x50/0xe0)

[   70.729177]  r5:c75e9b08 r4:c75e9b00

[   70.732971] [<c00341e4>] (__put_task_struct) from [<c0050e48>] (kthread_stop+0x98/0xa0)

[   70.741074]  r5:c75e9b08 r4:c75e9b00

[   70.745830] [<c0050db0>] (kthread_stop) from [<bf1060d8>] (brcmf_sdio_bus_stop+0x80/0x210 [brcmfmac])

[   70.755173]  r7:c73df03c r6:c767e280 r5:c766bc00 r4:c761c800

Regards,

Wright

Hi Manoj,

1) What is the board you are using? Could you please send me a link to the board?

2) Using this board, would you be able to hook up a Murata module (1DX)?

Thanks,

Venkat

Note that we are not supporting FMAC in the broad market at this point as it has not been tested with the partner evaluation platforms and the standard Linux release from Freescale/NXP.

Hi Manoj,

Is the issue resolved?
