On 08/08/14 11:00, Christopher M. Penalver wrote:
> TJ, thank you for your comment. Unfortunately, this is scoped to the original
> reporter David Coles, not you...
Christopher. I was triaging the bug as it affects other users; it is not
specific to the original reporter's motherboard. I worked on this in detail
yesterday supporting another user with the identical failure on an Asus X551MA.

As a kernel hacker I investigated the bug in detail and diagnosed the cause.
My additions to this report are in light of my findings.

RIP [<ffffffffa042ffe5>] rtl8821ae_rx_query_desc+0x1d5/0xa50 [rtl8821ae]

No changes were introduced in the rtl8821ae module between 3.13.0-24 and
3.13.0-30. The only changes were in mac80211, which rtl8821ae depends on
(along with cfg80211):

# check rtl8821ae
$ gitlog Ubuntu-3.13.0-24.47..Ubuntu-3.13.0-30.55 -- drivers/staging/rtl8821ae

# check mac80211
$ gitlog Ubuntu-3.13.0-24.47..Ubuntu-3.13.0-30.55 -- net/mac80211
7049ad3 Mon May 19 18:45:30 2014 +0100 Michael Braun  mac80211: fix WPA with VLAN on AP side with ps-sta again
5d31275 Mon May 19 18:45:30 2014 +0100 Johannes Berg  mac80211: fix suspend vs. authentication race
56f2ea4 Mon May 19 18:45:29 2014 +0100 Johannes Berg  mac80211: fix potential use-after-free
22bf70f Tue Apr 15 15:27:46 2014 +0100 Johannes Berg  mac80211: add length check in ieee80211_is_robust_mgmt_frame()

# check mac80211
$ gitlog Ubuntu-3.13.0-24.47..Ubuntu-3.13.0-30.55 -- net/wireless/
$

The faulting location is in function rx_query_desc() at offset 0x1d5.

$ objdump -d /lib/modules/3.13.0-30-generic/kernel/drivers/staging/rtl8821ae/rtl8821ae.ko
0000000000033e40 <rtl8821ae_rx_query_desc>:

Faulting instruction is at 0x33e40 + 0x1d5 = 0x34015

Now I examine the debug symbols of the module with:

$ gdb -d drivers/staging/rtl8821ae -d drivers/staging/rtl8821ae/rtl8821ae /usr/lib/debug/modules/3.13.0-30-generic/kernel/drivers/staging/rtl8821ae/rtl8821ae.dbgsym.ko
(gdb) info line rtl8821ae_rx_query_desc
Line 539 of "/build/buildd/linux-3.13.0/drivers/staging/rtl8821ae/rtl8821ae/trx.c"
   starts at address 0x33e40 <rtl8821ae_rx_query_desc>
   and ends at 0x33e65 <rtl8821ae_rx_query_desc+37>.
(gdb) x/i 0x34015
   0x34015 <rtl8821ae_rx_query_desc+469>:   movzwl (%rdi),%esi

(gdb) disas rtl8821ae_rx_query_desc
...
   0x0000000000033ffe <+446>:   je     0x34641 <rtl8821ae_rx_query_desc+2049>
   0x0000000000034004 <+452>:   cmpl   $0x18,0x68(%rdx)
   0x0000000000034008 <+456>:   jbe    0x34268 <rtl8821ae_rx_query_desc+1064>
   0x000000000003400e <+462>:   mov    0xd8(%rdx),%rdi        /* hdr->frame_control */
   0x0000000000034015 <+469>:   movzwl (%rdi),%esi            /* FAULT %rdi invalid */
   0x0000000000034018 <+472>:   mov    %esi,%ecx
   0x000000000003401a <+474>:   and    $0xfc,%cx
   0x000000000003401f <+479>:   cmp    $0xa0,%cx
   0x0000000000034024 <+484>:   je     0x34068 <rtl8821ae_rx_query_desc+552>
...

(gdb) info line *0x34015
Line 2194 of "/build/buildd/linux-3.13.0/include/linux/ieee80211.h"
   starts at address 0x34015 <rtl8821ae_rx_query_desc+469>
   and ends at 0x34018 <rtl8821ae_rx_query_desc+472>.

---- include/linux/ieee80211.h -----

/**
 * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
 * @hdr: the frame (buffer must include at least the first octet of payload)
 */
static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
{
        if (ieee80211_is_disassoc(hdr->frame_control) ||        /* LINE 2194 */
            ieee80211_is_deauth(hdr->frame_control))
                return true;

/**
 * ieee80211_is_disassoc - check if IEEE80211_FTYPE_MGMT && IEEE80211_STYPE_DISASSOC
 * @fc: frame control bytes in little-endian byteorder
 */
static inline int ieee80211_is_disassoc(__le16 fc)
{
        return (fc & cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
               cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_DISASSOC);
}

----- drivers/staging/rtl8821ae/rtl8821ae/trx.c::rtl8821ae_rx_query_desc() -----
...
        if ((ieee80211_is_robust_mgmt_frame(hdr)) &&              /* FAULT LOCATION */
            (ieee80211_has_protected(hdr->frame_control)))
                rx_status->flag &= ~RX_FLAG_DECRYPTED;
        else
                rx_status->flag |= RX_FLAG_DECRYPTED;
}
...
----- 8-< -----

On investigation it appears that gdb may have an incorrect debug reference
for the location of ieee80211_is_robust_mgmt_frame(), since the location it
references is for the underscore-prefixed function
_ieee80211_is_robust_mgmt_frame(). This may be due to both functions being
inline.

The changes introduced in commit:

22bf70f Tue Apr 15 15:27:46 2014 +0100 Johannes Berg  mac80211: add length check in ieee80211_is_robust_mgmt_frame()

include renaming the existing
ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr) to
_ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr) and replacing the
original function with one taking an skb, not an ieee80211_hdr:

+ * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
+ * @skb: the skb containing the frame, length will be checked
+ */
+static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
+{
+	if (skb->len < 25)
+		return false;
+	return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
+}
+
+/**

Not being able to debug a live kernel with this hardware, I'm unable to pursue
this much further, but commit 22bf70f suggests that the wrong function is now
being called by rtl8821ae because it isn't patched to call the underscore
version of the function as all other rtl* drivers were. If this is the case,
the receiving function is expecting an skb.

The required change therefore probably should be:

$ git diff drivers/staging/rtl8821ae/rtl8821ae/trx.c
diff --git a/drivers/staging/rtl8821ae/rtl8821ae/trx.c b/drivers/staging/rtl8821ae/rtl8821ae/trx.c
index 75ae438..963b55f 100644
--- a/drivers/staging/rtl8821ae/rtl8821ae/trx.c
+++ b/drivers/staging/rtl8821ae/rtl8821ae/trx.c
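Review bot: the `_ieee80211_is_robust_mgmt_frame(hdr)` call in the @@ -616,7 +616,7 @@ hunk of the proposed trx.c change restores the pre-22bf70f behaviour but drops the bounds check that commit added: the underscore variant's kerneldoc quoted above requires the buffer to "include at least the first octet of payload", and the skb variant enforces that with `if (skb->len < 25) return false;`. If the skb is in scope in rtl8821ae_rx_query_desc(), passing it to the length-checked ieee80211_is_robust_mgmt_frame(skb) keeps that guarantee; otherwise guard the call with an explicit length test before the underscore variant reads past the header. The 3.13.0-30 build log for trx.c should also show the incompatible-pointer-type warning for the hdr-to-skb argument on this line, which would confirm the diagnosis without needing the hardware.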
@@ -616,7 +616,7 @@ bool rtl8821ae_rx_query_desc(struct ieee80211_hw *hw,
 		return false;
 	}
 
-	if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
+	if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
 	    (ieee80211_has_protected(hdr->frame_control)))
 		rx_status->flag &= ~RX_FLAG_DECRYPTED;
 	else
---

** Attachment added: "Asus-X551MA.jpg"
   https://bugs.launchpad.net/bugs/1341275/+attachment/4172879/+files/Asus-X551MA.jpg

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1341275

Title:
  10ec:8821 [Gigabyte GB-BXi7-4470R] Kernel panic in rtl8821ae

Status in "linux" package in Ubuntu:
  Incomplete

Bug description:
  After updating the system to linux-image-3.13.0-30-generic
  (trusty-updates), the system encounters a kernel panic during boot in the
  rtl8821ae module. This prevents the system from booting.

  This appears to be an issue relating to the mPCI WiFi+BT module (Realtek
  Semiconductor Co., Ltd. RTL8821AE 802.11ac PCIe Wireless Network Adapter)
  included with the system.

  A workaround is to boot using the older linux-image-3.13.0-24-generic
  (trusty).

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.13.0-30-generic 3.13.0-30.55
  ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  dcoles     2324 F.... pulseaudio
   /dev/snd/pcmC1D0p:   dcoles     2324 F...m pulseaudio
   /dev/snd/controlC0:  dcoles     2324 F....
   pulseaudio
  CurrentDesktop: GNOME
  Date: Sun Jul 13 20:35:13 2014
  HibernationDevice: RESUME=UUID=489d6aeb-add6-485d-8056-de392a8591b7
  InstallationDate: Installed on 2014-03-14 (120 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140310)
  MachineType: GIGABYTE M4HM87P-00
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-24-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro quiet splash
  RelatedPackageVersions:
   linux-restricted-modules-3.13.0-24-generic N/A
   linux-backports-modules-3.13.0-24-generic  N/A
   linux-firmware                             1.127.4
  SourcePackage: linux
  StagingDrivers: rtl8821ae
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 02/06/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: F3
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: M4HM87P-00
  dmi.board.vendor: GIGABYTE
  dmi.board.version: 1.x
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: To Be Filled By O.E.M.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF3:bd02/06/2014:svnGIGABYTE:pnM4HM87P-00:pvr1.x:rvnGIGABYTE:rnM4HM87P-00:rvr1.x:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: M4HM87P-00
  dmi.product.version: 1.x
  dmi.sys.vendor: GIGABYTE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1341275/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
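The failure mode TJ diagnoses above, as an added userspace model written for this page (it is not code from the bug report, from the rtl8821ae driver or from the Linux tree): a helper that used to take a `struct ieee80211_hdr *` now takes a `struct sk_buff *`, and an unpatched caller keeps passing the header pointer, so the 24 header bytes get read as if they were an sk_buff. The struct layouts, the value of RX_FLAG_DECRYPTED, the action-category handling and the sample frames are assumptions made for the model; the real kernel's sk_buff is much larger (the quoted disassembly reads len at offset 0x68 and data at 0xd8), so the two loads land far beyond the header there.

```c
/* Added model (not from the bug report or the Linux tree) of the
 * ieee80211_is_robust_mgmt_frame() change in commit 22bf70f and of the
 * pointer-type confusion hit by the unpatched rtl8821ae caller.  Struct
 * layouts, RX_FLAG_DECRYPTED's value and the sample frames are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IEEE80211_FCTL_FTYPE 0x000c
#define IEEE80211_FCTL_STYPE 0x00f0
#define IEEE80211_FCTL_PROTECTED 0x4000
#define IEEE80211_FTYPE_MGMT 0x0000
#define IEEE80211_STYPE_DISASSOC 0x00a0
#define IEEE80211_STYPE_DEAUTH 0x00c0
#define IEEE80211_STYPE_ACTION 0x00d0
#define WLAN_CATEGORY_PUBLIC 4
#define WLAN_CATEGORY_HT 7
#define WLAN_CATEGORY_SELF_PROTECTED 15
#define WLAN_CATEGORY_VENDOR_SPECIFIC 127
#define RX_FLAG_DECRYPTED (1u << 1)          /* assumed value for this model */

struct ieee80211_hdr {                       /* generic 24-byte header */
    uint8_t frame_control[2];                /* little-endian on the wire */
    uint8_t duration_id[2];
    uint8_t addr1[6], addr2[6], addr3[6];
    uint8_t seq_ctrl[2];
};

/* Stand-in for struct sk_buff holding only the two fields the helper reads.
 * The real kernel reads len at 0x68 and data at 0xd8 from the pointer it is
 * handed (see the quoted disassembly), i.e. well past a 24-byte header. */
struct sk_buff {
    unsigned int len;
    unsigned char *data;
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static bool fc_is(uint16_t fc, uint16_t type)
{
    return (fc & (IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) == type;
}
static bool ieee80211_has_protected(uint16_t fc) { return (fc & IEEE80211_FCTL_PROTECTED) != 0; }

/* Header-only variant (what the proposed trx.c fix calls).  It relies on the
 * caller for length: for action frames it reads the category octet at
 * offset 24, which is why the skb variant insists on 25 bytes. */
static bool _ieee80211_is_robust_mgmt_frame(const struct ieee80211_hdr *hdr)
{
    uint16_t fc = get_le16(hdr->frame_control);

    if (fc_is(fc, IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_DISASSOC) ||
        fc_is(fc, IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_DEAUTH))
        return true;
    if (fc_is(fc, IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION)) {
        uint8_t category = ((const uint8_t *)hdr)[sizeof(*hdr)];
        if (hdr->addr1[0] & 0x01)            /* group-addressed: not robust */
            return false;
        return category != WLAN_CATEGORY_PUBLIC && category != WLAN_CATEGORY_HT &&
               category != WLAN_CATEGORY_SELF_PROTECTED &&
               category != WLAN_CATEGORY_VENDOR_SPECIFIC;
    }
    return false;
}

/* skb variant introduced by 22bf70f: the same test, bounds-checked first. */
static bool ieee80211_is_robust_mgmt_frame(const struct sk_buff *skb)
{
    if (skb->len < 25)
        return false;
    return _ieee80211_is_robust_mgmt_frame((const struct ieee80211_hdr *)skb->data);
}

/* What the unpatched call does: the hdr bytes are read as an sk_buff.  The
 * return value is what the helper takes for skb->len; *would_deref reports
 * whether it then loads skb->data (a pointer assembled from header bytes)
 * and reads frame_control through it, the load that faulted at
 * rtl8821ae_rx_query_desc+0x1d5.  If the bogus len is < 25 the helper just
 * returns false, and the caller below flags a frame it never classified. */
static unsigned int confused_skb_len(const struct ieee80211_hdr *hdr, bool *would_deref)
{
    struct sk_buff fake = { 0, NULL };
    size_t n = sizeof(fake) < sizeof(*hdr) ? sizeof(fake) : sizeof(*hdr);

    memcpy(&fake, hdr, n);
    *would_deref = fake.len >= 25;
    return fake.len;
}

/* The rtl8821ae_rx_query_desc() decision quoted in the report, calling the
 * header-only variant as the proposed fix does, plus the 25-byte check the
 * skb variant would otherwise have supplied. */
static unsigned int rx_decrypted_flag(const uint8_t *frame, size_t len, unsigned int flag)
{
    const struct ieee80211_hdr *hdr = (const struct ieee80211_hdr *)frame;
    bool robust = len >= 25 && _ieee80211_is_robust_mgmt_frame(hdr);

    if (robust && ieee80211_has_protected(get_le16(hdr->frame_control)))
        flag &= ~RX_FLAG_DECRYPTED;
    else
        flag |= RX_FLAG_DECRYPTED;
    return flag;
}

/* Constructed sample frames: duration, three unicast addresses, seq ctrl,
 * then the first payload octet. */
#define HDR_TAIL 0x00,0x00, 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, \
                 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x10,0x00
static const uint8_t deauth_protected[25] = { 0xc0, 0x40, HDR_TAIL, 0x02 }; /* mgmt/deauth + Protected */
static const uint8_t action_sa_query[25]  = { 0xd0, 0x40, HDR_TAIL, 8 };    /* category 8 = SA Query */
static const uint8_t action_public[25]    = { 0xd0, 0x00, HDR_TAIL, WLAN_CATEGORY_PUBLIC };
static const uint8_t data_frame[25]       = { 0x08, 0x00, HDR_TAIL, 0xaa };
static const uint8_t zero_header[25]      = { 0 };                          /* fc 0x0000: mgmt/assoc-req */
```

With this model a protected deauth read as an sk_buff yields a "len" of 0x40c0 from its first four bytes, so the helper proceeds to dereference a pointer built from the address fields, which is the shape of the reported fault; an all-zero header instead fails the length test and is silently reported as not robust. The compile-time signal for this class of bug is gcc's "passing argument 1 ... from incompatible pointer type" warning on the call; building with -Werror (or, on newer gcc, -Werror=incompatible-pointer-types) turns a signature change that misses a caller into a build failure instead of a runtime fault.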