Ubuntu
linux package

Bug #1733194
Comment #24

Comment 24 for bug 1733194

Revision history for this message

In Linux Kernel Bug Tracker #200855, emmanuel.grumbach (emmanuel.grumbach-linux-kernel-bugs) wrote on 2018-08-19:

#24

So we fail here (last line):
0000000000008e7d <iwl_trans_pcie_txq_enable>:
e8 00 00 00 00 callq 8e82 <iwl_trans_pcie_txq_enable+0x5>
41 57 push %r15
41 56 push %r14
49 89 fe mov %rdi,%r14
41 55 push %r13
41 54 push %r12
49 89 cd mov %rcx,%r13
55 push %rbp
53 push %rbx
41 89 d4 mov %edx,%r12d
89 f3 mov %esi,%ebx
48 83 ec 20 sub $0x20,%rsp
65 48 8b 04 25 28 00 mov %gs:0x28,%rax
00 00
48 89 44 24 18 mov %rax,0x18(%rsp)
31 c0 xor %eax,%eax
48 63 c6 movslq %esi,%rax
66 89 54 24 02 mov %dx,0x2(%rsp)
4c 8b bc c7 08 7e 00 mov 0x7e08(%rdi,%rax,8),%r15
00
f0 48 0f ab 87 08 8e lock bts %rax,0x8e08(%rdi)
00 00
73 28 jae 8eee <iwl_trans_pcie_txq_enable+0x71>
80 3d 00 00 00 00 00 cmpb $0x0,0x0(%rip) # 8ecd <iwl_trans_pcie_txq_enable+0x50>
75 1f jne 8eee <iwl_trans_pcie_txq_enable+0x71>
48 c7 c7 00 00 00 00 mov $0x0,%rdi
44 89 44 24 04 mov %r8d,0x4(%rsp)
c6 05 00 00 00 00 01 movb $0x1,0x0(%rip) # 8ee2 <iwl_trans_pcie_txq_enable+0x65>
e8 00 00 00 00 callq 8ee7 <iwl_trans_pcie_txq_enable+0x6a>
0f 0b ud2
44 8b 44 24 04 mov 0x4(%rsp),%r8d
44 89 c7 mov %r8d,%edi
e8 00 00 00 00 callq 8ef6 <iwl_trans_pcie_txq_enable+0x79>
4d 85 ed test %r13,%r13
49 89 47 70 mov %rax,0x70(%r15)

Clearly, r15 is 0. r15 is assigned as mov 0x7e08(%rdi,%rax,8),%r15 which teaches me that r15 much be the pointer to the txq. rdi is the first param to the function (trans) and apparently rax is the txq_id (the second parameter although this doesn't come natural from the calling convention, rax is has been assigned to be txq_id).
The txq assignment is: struct iwl_txq *txq = trans_pcie->txq[txq_id];

Bottom line, txq is NULL...
Note that we tried (and failed) to open AMPDU a bit before the crash and this is clearly not a classic scenario.
I really don't see how trans_pcie->txq[txq_id] could be NULL... If only we knew what was the value of txq_id...
Can you load iwlwifi with debug=0x80000000 ?

So we fail here (last line):
0000000000008e7d <iwl_trans_pcie_txq_enable>:
    8e7d:       e8 00 00 00 00          callq  8e82 <iwl_trans_pcie_txq_enable+0x5>
    8e82:       41 57                   push   %r15
    8e84:       41 56                   push   %r14
    8e86:       49 89 fe                mov    %rdi,%r14
    8e89:       41 55                   push   %r13
    8e8b:       41 54                   push   %r12
    8e8d:       49 89 cd                mov    %rcx,%r13
    8e90:       55                      push   %rbp
    8e91:       53                      push   %rbx
    8e92:       41 89 d4                mov    %edx,%r12d
    8e95:       89 f3                   mov    %esi,%ebx
    8e97:       48 83 ec 20             sub    $0x20,%rsp
    8e9b:       65 48 8b 04 25 28 00    mov    %gs:0x28,%rax
    8ea2:       00 00
    8ea4:       48 89 44 24 18          mov    %rax,0x18(%rsp)
    8ea9:       31 c0                   xor    %eax,%eax
    8eab:       48 63 c6                movslq %esi,%rax
    8eae:       66 89 54 24 02          mov    %dx,0x2(%rsp)
    8eb3:       4c 8b bc c7 08 7e 00    mov    0x7e08(%rdi,%rax,8),%r15
    8eba:       00
    8ebb:       f0 48 0f ab 87 08 8e    lock bts %rax,0x8e08(%rdi)
    8ec2:       00 00
    8ec4:       73 28                   jae    8eee <iwl_trans_pcie_txq_enable+0x71>
    8ec6:       80 3d 00 00 00 00 00    cmpb   $0x0,0x0(%rip)        # 8ecd <iwl_trans_pcie_txq_enable+0x50>
    8ecd:       75 1f                   jne    8eee <iwl_trans_pcie_txq_enable+0x71>
    8ecf:       48 c7 c7 00 00 00 00    mov    $0x0,%rdi
    8ed6:       44 89 44 24 04          mov    %r8d,0x4(%rsp)
    8edb:       c6 05 00 00 00 00 01    movb   $0x1,0x0(%rip)        # 8ee2 <iwl_trans_pcie_txq_enable+0x65>
    8ee2:       e8 00 00 00 00          callq  8ee7 <iwl_trans_pcie_txq_enable+0x6a>
    8ee7:       0f 0b                   ud2
    8ee9:       44 8b 44 24 04          mov    0x4(%rsp),%r8d
    8eee:       44 89 c7                mov    %r8d,%edi
    8ef1:       e8 00 00 00 00          callq  8ef6 <iwl_trans_pcie_txq_enable+0x79>
    8ef6:       4d 85 ed                test   %r13,%r13
    8ef9:       49 89 47 70             mov    %rax,0x70(%r15)

Clearly, r15 is 0. r15 is assigned as mov    0x7e08(%rdi,%rax,8),%r15  which teaches me that r15 much be the pointer to the txq. rdi is the first param to the function (trans) and apparently rax is the txq_id (the second parameter although this doesn't come natural from the calling convention, rax is has been assigned to be txq_id).
The txq assignment is: struct iwl_txq *txq = trans_pcie->txq[txq_id];

Ubuntulinux package

Comment 24 for bug 1733194

Ubuntu
linux package