Please note: This project is no longer active. The website is kept online for historic purposes only.
If you're looking for a Linux driver for your Atheros WLAN device, you should continue here.

Ticket #1071 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

Function ieee80211_input sometimes crashes on IXP425 platform on driver reinit

Reported by: anonymous
Assigned to: (none)
Priority: major
Milestone: version 0.9.5
Component: madwifi: driver
Version: trunk
Keywords: (none)
Cc: (none)
Patch is attached: 0
Pending: (none)

Description

If you change some parameter, such as the channel, while the station is connected and some transmission is being done, the madwifi driver crashes in the ieee80211_input function. I'm using an IXP425 platform device with kernel 2.6.18-rt7.

Attachments

ieee80211_input_crash_fix.diff (2.2 kB) - added by rozteck@interia.pl on 01/08/07 10:52:47.
The following patch fixes the bug
ieee80211_input_crash_fix.2.diff (2.2 kB) - added by rozteck@interia.pl on 01/09/07 10:28:43.
This patch adds some NULL pointer checking into the 80211_input function, preventing a crash under some circumstances. Signed-off-by: Tomasz Rostanski <rozteck@interia.pl>
ieee80211_input_crash_fix.3.diff (1.3 kB) - added by rozteck@interia.pl on 01/16/07 17:15:04.
This patch adds some NULL pointer checking. Signed-off-by: Tomasz Rostanski <rozteck@interia.pl>

Change History

01/08/07 10:52:47 changed by rozteck@interia.pl

  • attachment ieee80211_input_crash_fix.diff added.

The following patch fixes the bug

01/08/07 10:55:07 changed by mrenzmann

  • version set to trunk.

Please sign off the patch so that it can be committed to the repository after evaluation.

01/09/07 10:28:43 changed by rozteck@interia.pl

  • attachment ieee80211_input_crash_fix.2.diff added.

This patch adds some NULL pointer checking into the 80211_input function, preventing a crash under some circumstances. Signed-off-by: Tomasz Rostanski <rozteck@interia.pl>

01/16/07 03:05:57 changed by scottr

Quick comment: line 35 dereferences vap before checking if it is NULL on line 42.

01/16/07 09:07:49 changed by rozteck@interia.pl

You're right. However, it seems that the patch from ticket 907 (ported to the latest madwifi sources and the rt kernel) fixes the problems I'm having by preventing situations like that.

01/16/07 17:15:04 changed by rozteck@interia.pl

  • attachment ieee80211_input_crash_fix.3.diff added.

This patch adds some NULL pointer checking. Signed-off-by: Tomasz Rostanski <rozteck@interia.pl>

01/16/07 17:18:03 changed by rozteck@interia.pl

I found that even after applying the patch from ticket #907 I got a crash in the ieee80211_input function. I have created ieee80211_input_crash_fix.3.diff as a simple workaround for the crash I got. Backtrace:

[ 2188.220000] ath0: [00:15:6d:44:00:f8] station reassociated at aid 1: long preamble, short slot time, QoS, fast-frames
[ 2188.270000] Unable to handle kernel NULL pointer dereference at virtual address 000000f0
[ 2188.280000] pgd = c0004000
[ 2188.280000] [000000f0] *pgd=00000000
[ 2188.290000] Internal error: Oops: 17 [#1]
[ 2188.290000] Modules linked in: sch_sfq sch_htb ipt_REJECT bridge llc tun iptable_filter iptable_nat ip_nat bonding e100 pcnet32 wlan_scan_ap wlan_scan_s0
[ 2188.290000] CPU: 0
[ 2188.290000] PC is at ieee80211_input+0x1c/0x181c [wlan]
[ 2188.290000] LR is at ath_rx_tasklet+0x7ec/0xae8 [ath_pci]
[ 2188.290000] pc : [<bf4feb9c>]    lr : [<bf5401d8>]    Tainted: P
[ 2188.290000] sp : c02dbe7c  ip : c02dbf18  fp : c02dbf14
[ 2188.290000] r10: c3cea280  r9 : c2f27b40  r8 : 00000000
[ 2188.290000] r7 : c2833000  r6 : c2833000  r5 : 00000038  r4 : c3ceb690
[ 2188.290000] r3 : 00004802  r2 : 00000027  r1 : c2f27b40  r0 : c2833000
[ 2188.290000] Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  Segment kernel
[ 2188.290000] Control: 39FF  Table: 03554000  DAC: 00000017
[ 2188.290000] Process softirq-tasklet (pid: 8, stack limit = 0xc02da250)
[ 2188.290000] Stack: (0xc02dbe7c to 0xc02dc000)
[ 2188.290000] be60:                                                                a0000013
[ 2188.290000] be80: c2ef1720 00000f08 00000000 00000001 c2ef1720 60000013 c2ef1720 00000f08
[ 2188.290000] bea0: 00000000 00000001 c2ef1720 c02dbed0 c02dbebc c00721d4 c0071fb0 00000000
[ 2188.290000] bec0: c2ef1720 c02dbee4 c02da000 c02dbef8 c02dbedc bf5019c0 c00e1d40 c02da000
[ 2188.290000] bee0: 60000013 c02131a0 00000020 c3ceb690 00000000 c2833000 00000020 00000000
[ 2188.290000] bf00: ffc001c0 c3cea280 c02dbf70 c02dbf18 bf5401d8 bf4feb8c c005adbc c02d201c
[ 2188.290000] bf20: c02c68a0 00000017 c3ceb680 0000001c c2f27b40 c3d60000 c170d180 c3cea000
[ 2188.290000] bf40: c02da000 c02c69bc c3ceb690 00000000 c02131a0 00000020 00000000 00000000
[ 2188.290000] bf60: c02131ac c02dbf88 c02dbf74 c003c70c bf53f9f8 c02da000 c0213000 c02dbf98
[ 2188.290000] bf80: c02dbf8c c003c758 c003c6a0 c02dbfc4 c02dbf9c c003c96c c003c72c 00000001
[ 2188.290000] bfa0: c02131a0 c02da000 c02c9f1c c003c85c fffffffc 00000000 c02dbff4 c02dbfc8
[ 2188.290000] bfc0: c004c644 c003c868 00000001 ffffffff ffffffff 00000000 00000000 00000000
[ 2188.290000] bfe0: 00000000 00000000 00000000 c02dbff8 c0038f2c c004c560 cc33cc33 cc33cc33
[ 2188.290000] Backtrace:
[ 2188.290000] [<bf4feb80>] (ieee80211_input+0x0/0x181c [wlan]) from [<bf5401d8>] (ath_rx_tasklet+0x7ec/0xae8 [ath_pci])
[ 2188.290000] [<bf53f9ec>] (ath_rx_tasklet+0x0/0xae8 [ath_pci]) from [<c003c70c>] (__tasklet_action+0x78/0x8c)
[ 2188.290000] [<c003c694>] (__tasklet_action+0x0/0x8c) from [<c003c758>] (tasklet_action+0x38/0x40)
[ 2188.290000]  r5 = C0213000  r4 = C02DA000
[ 2188.290000] [<c003c720>] (tasklet_action+0x0/0x40) from [<c003c96c>] (ksoftirqd+0x110/0x1bc)
[ 2188.290000] [<c003c85c>] (ksoftirqd+0x0/0x1bc) from [<c004c644>] (kthread+0xf0/0x120)
[ 2188.290000] [<c004c554>] (kthread+0x0/0x120) from [<c0038f2c>] (do_exit+0x0/0x970)
[ 2188.290000]  r8 = 00000000  r7 = 00000000  r6 = 00000000  r5 = 00000000
[ 2188.290000]  r4 = 00000000
[ 2188.290000] Code: e24dd070 e5905000 e1a07000 e1a09001 (e59500b8)
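As an added illustration (not part of the ticket, and not madwifi code), the following program decodes the "Code:" line of the oops above to confirm which load faulted and why the fault address is 0x000000f0. The instruction words and register values are copied from the dump on this page; the only assumptions are the ARM EABI convention that r0 holds the function's first argument (the ieee80211_node pointer passed to ieee80211_input) and the reading of the second instruction as loading a pointer out of that node, which is consistent with ieee80211_input starting by fetching the node's vap pointer, but is not confirmed by the ticket itself.

```c
/*
 * Added example: decode the ARM "Code:" line of the ieee80211_input oops.
 * Instruction words and register values are taken from the dump on this
 * ticket; this is not madwifi code. Assumption: r0 = first argument (ni).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ARM (A32) single data transfer, immediate offset: cond 010 P U B W L Rn Rd imm12 */
struct ldr_imm {
    int valid;      /* 1 if the word is an LDR/STR with a 12-bit immediate offset */
    int is_load;    /* L bit: 1 = LDR, 0 = STR */
    int pre_index;  /* P bit */
    int add;        /* U bit: 1 = base + offset, 0 = base - offset */
    int rn;         /* base register */
    int rd;         /* destination (or source, for STR) register */
    uint32_t imm12; /* unsigned 12-bit offset */
};

static struct ldr_imm decode_ldr_imm(uint32_t insn)
{
    struct ldr_imm d;
    memset(&d, 0, sizeof d);
    /* bits 27:25 == 010 select the immediate-offset load/store encoding */
    if (((insn >> 25) & 0x7) != 0x2)
        return d;
    d.valid = 1;
    d.pre_index = (insn >> 24) & 1;
    d.add = (insn >> 23) & 1;
    d.is_load = (insn >> 20) & 1;
    d.rn = (insn >> 16) & 0xf;
    d.rd = (insn >> 12) & 0xf;
    d.imm12 = insn & 0xfff;
    return d;
}

/* Effective address of the pre-indexed form [Rn, #imm] for a given base value. */
static uint32_t effective_address(struct ldr_imm d, uint32_t base_value)
{
    return d.add ? base_value + d.imm12 : base_value - d.imm12;
}

/* r0..r10 as printed in the oops register dump on this page. */
static const uint32_t oops_regs[11] = {
    0xc2833000, /* r0 */ 0xc2f27b40, /* r1 */ 0x00000027, /* r2 */ 0x00004802, /* r3 */
    0xc3ceb690, /* r4 */ 0x00000038, /* r5 */ 0xc2833000, /* r6 */ 0xc2833000, /* r7 */
    0x00000000, /* r8 */ 0xc2f27b40, /* r9 */ 0xc3cea280  /* r10 */
};

/* The "Code:" line; the last, parenthesised word is the faulting instruction. */
static const uint32_t oops_code[5] = {
    0xe24dd070, 0xe5905000, 0xe1a07000, 0xe1a09001, 0xe59500b8
};

/* Address the faulting instruction tried to read, from its base register value. */
static uint32_t faulting_address(void)
{
    struct ldr_imm d = decode_ldr_imm(oops_code[4]);
    if (!d.valid || !d.is_load)
        return 0xffffffffu;
    return effective_address(d, oops_regs[d.rn]);
}

int main(void)
{
    struct ldr_imm first = decode_ldr_imm(oops_code[1]); /* ldr r5, [r0]        */
    struct ldr_imm fault = decode_ldr_imm(oops_code[4]); /* ldr r0, [r5, #0xb8] */

    /* r5 was loaded from the first word of the object r0 (ni) points to */
    printf("ldr r%d, [r%d, #%u]\n", first.rd, first.rn, first.imm12);
    /* that word was 0x38, so the second load reads 0x38 + 0xb8 = 0xf0 */
    printf("ldr r%d, [r%d, #0x%x] with r%d = 0x%08x -> reads 0x%08x\n",
           fault.rd, fault.rn, fault.imm12, fault.rn,
           oops_regs[fault.rn], faulting_address());
    return 0;
}
```

The decode shows that the pointer pulled out of the node was 0x38, a small non-NULL garbage value, and the fault is the dereference of that pointer at offset 0xb8. That is worth knowing when reading the NULL-check patches on this ticket: a check of the form `if (vap == NULL)` would not catch a stale node whose embedded pointer is merely invalid, which is consistent with the reporter's observation that the real fix came from the ticket #907 changes that prevent the situation rather than from a NULL test in ieee80211_input.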

01/24/07 07:11:46 changed by rozteck@interia.pl

It is being solved by the latest revision of the patch from ticket #907.

06/21/07 22:56:11 changed by mtaylor

  • status changed from new to closed.
  • resolution set to fixed.

This should be fixed in trunk.

06/27/07 12:15:39 changed by mrenzmann

  • milestone set to version 0.9.4.

02/11/08 06:14:53 changed by mrenzmann

  • milestone changed from version 0.9.4 to version 0.9.5.