
Ticket #1070 (closed defect: fixed)

Opened 12 years ago

Last modified 11 years ago

Function _ieee80211_free_node causes crash on IXP425 platform on station reassociation and driver reinit

Reported by: anonymous
Assigned to:
Priority: major
Milestone: version 0.9.5
Component: madwifi: driver
Version: trunk
Keywords:
Cc:
Patch is attached: 1
Pending:

Description

On the IXP425 platform, when a station is being reassociated or the driver is reinitialized (e.g. the channel is being changed), the function _ieee80211_free_node crashes the system. The kernel I'm running is 2.6.18-rt7.

Attachments

_ieee80211_free_node_fix.diff (0.7 kB) - added by rozteck@interia.pl on 01/08/07 10:46:43.
The patch for fixing the bug above
_ieee80211_free_node_fix.2.diff (0.7 kB) - added by rozteck@interia.pl on 01/09/07 10:31:10.
This patch adds some NULL pointer checking to _ieee80211_free_node, preventing it from removing an already removed node, which causes a crash. Signed-off-by: Tomasz Rostanski <rozteck@interia.pl>

Change History

01/08/07 10:46:43 changed by rozteck@interia.pl

  • attachment _ieee80211_free_node_fix.diff added.

The patch for fixing the bug above

01/08/07 10:54:39 changed by mrenzmann

  • version set to trunk.

Please sign off the patch so that it can be committed to the repository after evaluation.

01/09/07 10:31:10 changed by rozteck@interia.pl

  • attachment _ieee80211_free_node_fix.2.diff added.

This patch adds some NULL pointer checking to _ieee80211_free_node, preventing it from removing an already removed node, which causes a crash. Signed-off-by: Tomasz Rostanski <rozteck@interia.pl>

01/09/07 12:12:01 changed by kovalenko@iitp.ru

The vap pointer from the node is always != NULL; the only situation when this pointer can be NULL is when a BUG exists at a higher level. It would be useful if you sent a decoded kernel oops message.

01/09/07 13:39:22 changed by mrenzmann

Just to mention it for the other patches you submitted (thanks for that, by the way!), which are also waiting to be signed off: you don't need to attach the patch a second time to sign it off. Adding a comment with the corresponding Signed-off-by line is OK as well.

01/10/07 09:44:30 changed by rozteck@interia.pl

The problem is that the vap pointer is NULL. I'll say even more: there is a problem with the ni->ni_vap pointer across the madwifi driver on the platform I'm using, with the ath interface added to a bridge. This pointer is sometimes NULL, sometimes set to some random value, causing crashes in different places.

01/10/07 13:48:19 changed by kovalenko@itep.ru

Yes, the problem arises if you add ath to the bridge, but it isn't only an IXP problem; the same crash happens on i386 too. I think (but I am not sure) the problem originates from incorrect WDS node management. Can I ask you, does the crash arise after ieee80211_input_all?

01/10/07 13:52:32 changed by anonymous

Here is the kernel oops message:

[  405.680000] Unable to handle kernel NULL pointer dereference at virtual address 000000bc
[  405.680000] pgd = c0004000
[  405.680000] [000000bc] *pgd=00000000
[  405.680000] Internal error: Oops: 17 [#1]
[  405.680000] Modules linked in: sch_sfq sch_htb ipt_REJECT bridge llc tun iptable_filter iptable_nat ip_nat bonding e100 pcnet32 wlan_scan_ap wlan_scan_s0
[  405.680000] CPU: 0
[  405.680000] PC is at _ieee80211_free_node+0x20/0x110 [wlan]
[  405.680000] LR is at ieee80211_remove_wds_addr+0x94/0xe0 [wlan]
[  405.680000] pc : [<bf4fba40>]    lr : [<bf4fc26c>]    Tainted: P
[  405.680000] sp : c02d5e3c  ip : c02d5e64  fp : c02d5e60
[  405.680000] r10: c3579160  r9 : c3918000  r8 : c3ead280
[  405.680000] r7 : c39f7038  r6 : 00000000  r5 : 00000000  r4 : c3918000
[  405.680000] r3 : 00000000  r2 : c3918000  r1 : 60000093  r0 : c3918000
[  405.680000] Flags: NzCv  IRQs off  FIQs on  Mode SVC_32  Segment kernel
[  405.680000] Control: 39FF  Table: 03518000  DAC: 00000017
[  405.680000] Process softirq-tasklet (pid: 8, stack limit = 0xc02d4250)
[  405.680000] Stack: (0xc02d5e3c to 0xc02d6000)
[  405.680000] 5e20:                                                                c32fab80
[  405.680000] 5e40: c02d5e64 c02d5e50 c382bac0 c02d4000 20000013 c02d5e80 c02d5e64 bf4fc26c
[  405.680000] 5e60: bf4fba2c c3cfac04 c39f7020 c39f7038 c383b000 c02d5f18 c02d5e84 bf4fa100
[  405.680000] 5e80: bf4fc1e4 60000013 00000001 c02d5ec4 ffffffff c01c4964 c028a8a0 c028a880
[  405.680000] 5ea0: 00000000 00000020 00000080 00000008 c020d0cc c3ead000 c3cfa280 000029a6
[  405.680000] 5ec0: 00000033 c02d5ec4 c02d5ec4 c38c4000 c38686c0 c020d0c0 00000020 00000000
[  405.680000] 5ee0: c02d5efc 60000013 c38686c0 c02d5f18 c383b000 00000000 c020d0c0 00000020
[  405.680000] 5f00: 00000000 ffc00630 c3cfa280 c02d5f70 c02d5f1c bf530b64 bf4f98e8 c01be01c
[  405.680000] 5f20: c02c08a0 00000017 c02d5f84 0000005a c3579160 c3d40000 c3b07630 c3cfa000
[  405.680000] 5f40: c02d4000 c02c09bc c3cfb684 00000000 c020d0c0 00000020 00000000 00000000
[  405.680000] 5f60: c020d0cc c02d5f88 c02d5f74 c003c1ec bf530518 c02d4000 c020cf20 c02d5f98
[  405.680000] 5f80: c02d5f8c c003c238 c003c180 c02d5fc4 c02d5f9c c003c44c c003c20c 00000001
[  405.680000] 5fa0: c020d0c0 c02d4000 c02c3f1c c003c33c fffffffc 00000000 c02d5ff4 c02d5fc8
[  405.680000] 5fc0: c004c124 c003c348 00000001 ffffffff ffffffff 00000000 00000000 00000000
[  405.680000] 5fe0: 00000000 00000000 00000000 c02d5ff8 c0038ae8 c004c040 cc33cc33 cc33cc33
[  405.680000] Backtrace:
[  405.680000] [<bf4fba20>] (_ieee80211_free_node+0x0/0x110 [wlan]) from [<bf4fc26c>] (ieee80211_remove_wds_addr+0x94/0xe0 [wlan])
[  405.680000]  r6 = 20000013  r5 = C02D4000  r4 = C382BAC0
[  405.680000] [<bf4fc1d8>] (ieee80211_remove_wds_addr+0x0/0xe0 [wlan]) from [<bf4fa100>] (ieee80211_input+0x824/0x17e4 [wlan])
[  405.680000]  r7 = C383B000  r6 = C39F7038  r5 = C39F7020  r4 = C3CFAC04
[  405.680000] [<bf4f98dc>] (ieee80211_input+0x0/0x17e4 [wlan]) from [<bf530b64>] (ath_rx_tasklet+0x658/0x978 [ath_pci])
[  405.680000] [<bf53050c>] (ath_rx_tasklet+0x0/0x978 [ath_pci]) from [<c003c1ec>] (__tasklet_action+0x78/0x8c)
[  405.680000] [<c003c174>] (__tasklet_action+0x0/0x8c) from [<c003c238>] (tasklet_action+0x38/0x40)
[  405.680000]  r5 = C020CF20  r4 = C02D4000
[  405.680000] [<c003c200>] (tasklet_action+0x0/0x40) from [<c003c44c>] (ksoftirqd+0x110/0x1bc)
[  405.680000] [<c003c33c>] (ksoftirqd+0x0/0x1bc) from [<c004c124>] (kthread+0xf0/0x120)
[  405.680000] [<c004c034>] (kthread+0x0/0x120) from [<c0038ae8>] (do_exit+0x0/0x894)
[  405.680000]  r8 = 00000000  r7 = 00000000  r6 = 00000000  r5 = 00000000
[  405.680000]  r4 = 00000000
[  405.680000] Code: e2504000 0a000038 e5945000 e5946008 (e5d530bc)
[  405.680000]  <2>kernel BUG at kernel/exit.c:862!

This time it happened because I didn't put the vap-is-NULL check before calling the IEEE80211_DPRINTF function.
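The guard the second patch describes (check ni_vap before any dereference, the IEEE80211_DPRINTF call included, and refuse to release a node twice), together with kovalenko's point that a NULL ni_vap is itself a symptom of a higher-level refcount bug, as an added C example that is not the attached patch or madwifi's code. The struct names, DPRINTF_SIM and guard_hit_count are simplified stand-ins assumed here; the counter exists so that guard trips are surfaced rather than silently hidden.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (hypothetical, not madwifi's real structs). */
struct vap_sim { unsigned iv_debug; const char *name; };
struct node_sim {
    struct vap_sim *ni_vap;   /* NULL once the node has been detached/freed */
    int ni_refcnt;
};

/* Counts guard trips: a non-zero value means some caller still holds a
 * stale node pointer, i.e. the real bug lives at a higher level. */
static int guard_hits = 0;

/* Stand-in for IEEE80211_DPRINTF: like the real macro it reads vap->iv_debug,
 * so calling it with a NULL vap is the dereference shown in the oops above. */
#define DPRINTF_SIM(vap, msg) \
    do { if ((vap)->iv_debug) printf("%s: %s\n", (vap)->name, msg); } while (0)

/* Returns 0 when the node is released, 1 when references remain,
 * -1 when the call is rejected because the node is already detached. */
int free_node_guarded(struct node_sim *ni)
{
    if (ni == NULL || ni->ni_vap == NULL) {
        guard_hits++;           /* runs BEFORE any vap access, debug print included */
        return -1;
    }
    DPRINTF_SIM(ni->ni_vap, "free node");
    if (--ni->ni_refcnt > 0)
        return 1;
    ni->ni_vap = NULL;          /* detach: a duplicate free now trips the guard instead of oopsing */
    return 0;
}

int guard_hit_count(void) { return guard_hits; }

int main(void)
{
    struct vap_sim vap = { 1, "ath0" };      /* constructed sample data */
    struct node_sim ni = { &vap, 2 };
    int r1 = free_node_guarded(&ni);        /* 1: one reference left */
    int r2 = free_node_guarded(&ni);        /* 0: released, ni_vap is now NULL */
    int r3 = free_node_guarded(&ni);        /* -1: duplicate free caught */
    printf("%d %d %d guard_hits=%d\n", r1, r2, r3, guard_hit_count());
    return 0;
}
```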

01/10/07 13:54:02 changed by rozteck@interia.pl

I hope the oops will be helpful...

01/16/07 17:03:52 changed by rozteck@interia.pl

Can be fixed by using the patch from ticket #907.

01/24/07 07:14:36 changed by rozteck@interia.pl

The patch from ticket #907 solves the problem.

06/21/07 22:57:32 changed by mtaylor

  • status changed from new to closed.
  • resolution set to fixed.

This should be fixed in trunk.

06/27/07 12:16:41 changed by mrenzmann

  • milestone set to version 0.9.4.

02/11/08 06:14:50 changed by mrenzmann

  • milestone changed from version 0.9.4 to version 0.9.5.