lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <m3tyy8fkda.fsf@intrepid.localdomain>
Date:	Fri, 09 Oct 2009 21:16:49 +0200
From:	Krzysztof Halasa <khc@...waw.pl>
To:	linux-wireless@...r.kernel.org, ath5k-devel@...ts.ath5k.org,
	<netdev@...r.kernel.org>
Subject: Ath5k data aborts

Hi,

I have done a small investigation. IXP425 (ARM) in big-endian mode,
EABI, mini-PCI atk5k wifi card, hostapd.

Atheros Communications Inc. Atheros AR5001X+ Wireless Network Adapter (rev 01)
Subsystem: Wistron NeWeb Corp. CM9 Wireless a/b/g MiniPCI Adapter
168c:0013 subsystem 185f:1012


Results:
Bad mode in data abort handler detected
Internal error: Oops - bad mode: 0 [#1]
LR is at ath5k_beacon_config+0x150/0x1d4 [ath5k]

This means the PCI device didn't respond on the bus or something
like that. Obviously the card is then unusable and the system needs to
be restarted.

Bisecting (I had to modify the procedure a bit since it only started to
show up after other unrelated code was merged) shows the guilty commit:
e8f055f0c3ba226ca599c14c2e5fe829f6f57cbb (ath5k: Update reset code).

The problem exists with 2.6.30, 2.6.31 and current Linus' tree.

Signed-off-by: Krzysztof HaƂasa <khc@...waw.pl>

----------------------------------------------
2.6.30 appears to be fixed by:

--- a/drivers/net/wireless/ath5k/reset.c
+++ b/drivers/net/wireless/ath5k/reset.c
@@ -476,7 +476,7 @@ static void ath5k_hw_set_sleep_clock(struct ath5k_hw *ah, bool enable)
 		(ah->ah_mac_version == (AR5K_SREV_AR2417 >> 4))) {
 			ath5k_hw_reg_write(ah, 0x26, AR5K_PHY_SLMT);
 			ath5k_hw_reg_write(ah, 0x0d, AR5K_PHY_SCAL);
-			ath5k_hw_reg_write(ah, 0x07, AR5K_PHY_SCLOCK);
+			ath5k_hw_reg_write(ah, 0x0C, AR5K_PHY_SCLOCK);
 			ath5k_hw_reg_write(ah, 0x3f, AR5K_PHY_SDELAY);
 			AR5K_REG_WRITE_BITS(ah, AR5K_PCICFG,
 				AR5K_PCICFG_SLEEP_CLOCK_RATE, 0x02);
@@ -490,8 +490,10 @@ static void ath5k_hw_set_sleep_clock(struct ath5k_hw *ah, bool enable)
 		}
 
 		/* Enable sleep clock operation */
+#if 0
 		AR5K_REG_ENABLE_BITS(ah, AR5K_PCICFG,
 				AR5K_PCICFG_SLEEP_CLOCK_EN);
+#endif
 
 	} else {
 


The AR5K_PHY_SCLOCK brings the old value (before the commit in question)
back, I have no idea what is it. Leaving the new value causes the second
run of hostapd to make the driver fail, the chip seems to not respond.
It seems the value itself may be correct (as it works with 2.6.31+) but
there is some additional bug fixed after 2.6.30, gitk show several
candidate patches for this.


Only disabling AR5K_PCICFG write makes the data abort go away.

----------------------------------------------
2.6.31 and Linus-current only need the AR5K_PCICFG change:

--- a/drivers/net/wireless/ath/ath5k/reset.c
+++ b/drivers/net/wireless/ath/ath5k/reset.c
@@ -489,9 +489,10 @@ static void ath5k_hw_set_sleep_clock(struct ath5k_hw *ah, bool enable)
 		}
 
 		/* Enable sleep clock operation */
+#if 0
 		AR5K_REG_ENABLE_BITS(ah, AR5K_PCICFG,
 				AR5K_PCICFG_SLEEP_CLOCK_EN);
-
+#endif
 	} else {
 
 		/* Disable sleep clock operation and


The question is, obviously, how to fix that for good. I can test the
result.


Full error message, not sure why the backtrace isn't printed.

Bad mode in data abort handler detected
Internal error: Oops - bad mode: 0 [#1]
Modules linked in: ohci_hcd ehci_hcd usbcore nls_base ixp4xx_hss ath5k ath ixp4x
x_eth
CPU: 0    Not tainted  (2.6.32-rc3 #123)
PC is at 0xffff01fc
LR is at ath5k_beacon_config+0x150/0x1d4 [ath5k]
pc : [<ffff01fc>]    lr : [<bf028db0>]    psr: a0000092
sp : c7dbfb90  ip : 00008050  fp : c78aa000
r10: c7dbfbd8  r9 : c78ac1c0  r8 : 00003304
r7 : c78aa000  r6 : c78aa000  r5 : 00000013  r4 : c78ac900
r3 : c88e0000  r2 : c88d0024  r1 : c88d0048  r0 : 800924b5
Flags: NzCv  IRQs off  FIQs on  Mode IRQ_32  ISA ARM  Segment user
Control: 000039ff  Table: 067e0000  DAC: 00000015
Process hostapd (pid: 258, stack limit = 0xc7dbe278)
Stack: (0xc7dbfb90 to 0xc7dc0000)
fb80:                                     800924b5 c88d0048 c88d0024 c88e0000 
fba0: c78ac900 00000013 c78aa000 c78aa000 00003304 c78ac1c0 c7dbfbd8 c78aa000 
fbc0: 00008050 c7dbfb90 bf028db0 ffff01fc a0000092 ffffffff 00000003 00000000 
fbe0: 00080000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
fc00: c78ac924 c78ac900 c78ac924 c7d34628 00000300 c7d34620 00000013 bf028ec8 
fc20: c78ac1c0 c7d52980 c0487e90 c7d342c0 c78ac1c0 c67e7140 c7caef20 0000001a 
fc40: 00000004 00000000 00000024 c0391694 c67e7140 c7caef20 0000001a c7dbfc88 
fc60: c7d342c0 c039e974 c7d52440 00000033 c7dbfcc0 c039e998 c7dbfc88 c0487d30 
fc80: c7c6e810 c0384640 00000000 00000000 00000000 00000002 00000000 00000000 
fca0: c7d34000 c78ac000 c0487bb0 c7c6e800 c7d52440 c02c5448 c0488184 00000102 
fcc0: 00000080 00000102 c7c6e800 c7c6e810 c7c6e814 c788d000 c7c6e800 c7d52440 
fce0: c02c5258 c7c54600 c04a0710 00000038 c7dbfd1c c02c42dc c047f6ac c7d52440 
fd00: c7d52440 c02c5244 c788d200 00000000 c7d52440 c02c3f14 00000024 7fffffff 
fd20: 00000000 c7dbff5c c7c54600 c7d52440 c7dbfe18 00000024 00000000 00000000 
fd40: 00000000 c02c47cc c7dbfe38 c7c54600 00000102 00000000 00000000 00000000 
fd60: 00000000 c7dbff5c c7dbfe18 00000000 00000000 00000024 c7dbfefc 00000000 
fd80: 00000008 c0282298 00000000 c7dbff1c 00000000 00000001 ffffffff 00000000 
fda0: 00000000 00000000 00000000 00000000 c7839080 00000001 00000000 00000000 
fdc0: 00000000 c7839080 c0185ccc c7dbfdcc c7dbfdcc 0000092a c7dbfec8 c038eae4 
fde0: c7dbfe18 00008b24 c7dbfec8 c037ab88 c7dbfdec c7dbfe0c c67d7360 c01aaf9c 
fe00: c7dbfe38 c0161cfc 00000000 c67da1a4 00000040 00000000 00000000 c74231bc 
fe20: 00000015 00000024 c7489380 0001d000 c7dbfd50 c7dbff5c c7dbfe7c c7dbfefc 
fe40: c7dbfe7c c7dbfefc c015a048 c7dbfefc 00000008 00000000 c7dbff5c c7dbff5c 
fe60: c7489380 00000000 c7dbfefc c02823ec c7dbff3c c7dbff3c 00000000 00100000 
fe80: 00000000 00000000 00000020 00000000 00008933 c02941a4 c67e4380 c67e4000 
fea0: 0000000a c67e4380 c7dbe000 c047bc28 c786d940 c024df48 776c616e 30000000 
fec0: 00000000 00000000 00000006 00000000 00000000 0e000000 c67e40e0 c67e4084 
fee0: 00000000 c028171c c786d340 00008933 00000000 60000013 00000007 0005c754 
ff00: 00000000 00000000 00000000 00000000 c74890e8 c0472750 00200200 00100100 
ff20: c7497338 c7401498 00200200 00100100 ffffffff ffffffff c780d5a0 c01ce3a0 
ff40: c7497338 c0472750 00200200 c01cea04 c786d340 00000000 c7497338 c7dbfe7c 
ff60: 0000000c c7dbfefc 00000001 00000000 00000000 00000000 00000000 ffffff97 
ff80: c786d340 000598f8 400722b0 000598a0 00000128 c015a048 c7dbe000 00000000 
ffa0: 00000001 c0159ea0 000598f8 400722b0 00000004 be9dfb24 00000000 00000000 
ffc0: 000598f8 400722b0 000598a0 00000128 00000000 00000000 00000001 00000001 
ffe0: be9dfb24 be9dfaf8 40039c84 402b022c 60000010 00000004 00000000 00000000 
Code: 00000000 00000000 00000000 00000000 (00000000) 
---[ end trace ff977de942e87c2d ]---

-- 
Krzysztof Halasa
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ