Please note: This project is no longer active. The website is kept online for historic purposes only.

Ticket #1078 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

Corrupted vap pointer causes crash in ieee80211_hardstart function

Reported by: rozteck@interia.pl
Assigned to:
Priority: major
Milestone: version 0.9.5
Component: madwifi: driver
Version: trunk
Keywords:
Cc:
Patch is attached: 0
Pending:

Description

The kernel Oops is as follows:

[  565.990000] Unable to handle kernel NULL pointer dereference at virtual address 00000248
[  566.000000] pgd = c0004000
[  566.000000] [00000248] *pgd=00000000
[  566.010000] Internal error: Oops: 17 [#1]
[  566.010000] Modules linked in: sch_sfq sch_htb ipt_REJECT bridge llc tun iptable_filter iptable_nat ip_nat bonding e100 pcnet32 wlan_scan_ap wlan_scan_s0
[  566.010000] CPU: 0
[  566.010000] PC is at ieee80211_hardstart+0x2a8/0x438 [wlan]
[  566.010000] LR is at 0x14
[  566.010000] pc : [<bf4fee60>]    lr : [<00000014>]    Tainted: P
[  566.010000] sp : c02d1dbc  ip : c2ee7812  fp : c02d1de4
[  566.010000] r10: 00000000  r9 : c2ee7812  r8 : 00000007
[  566.010000] r7 : c38329b0  r6 : c38b3000  r5 : c3832980  r4 : c3eae280
[  566.010000] r3 : 00000000  r2 : 00000000  r1 : c2ee7818  r0 : 00000000
[  566.010000] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  Segment kernel
[  566.010000] Control: 39FF  Table: 03510000  DAC: 00000017
[  566.010000] Process softirq-net-rx/ (pid: 6, stack limit = 0xc02d0250)
[  566.010000] Stack: (0xc02d1dbc to 0xc02d2000)
[  566.010000] 1da0:                                                                c02d0000
[  566.010000] 1dc0: c3eae000 00000000 c3832980 c39eb000 c0211fb8 c3eae02c c02d1e0c c02d1de8
[  566.010000] 1de0: c0132128 bf4febc4 c02d0000 c3eae000 c3832980 00000000 bf580270 00000040
[  566.010000] 1e00: c02d1e2c c02d1e10 c012401c c0132084 c3832980 c0213014 c2f99a80 c2edbbc0
[  566.010000] 1e20: c02d1e48 c02d1e30 bf580154 c0123ec8 c02d1e3c c01424fc c0212e44 c02d1e68
[  566.010000] 1e40: c02d1e4c bf5801d8 bf5800d8 c0031394 c38d3260 00000000 c3832980 c02d1e90
[  566.010000] 1e60: c02d1e6c bf5802f4 bf580170 c2edbbc0 c3832980 c2f99a80 c3832980 c2f99a78
[  566.010000] 1e80: c3832980 c02d1eb4 c02d1e94 bf580460 bf58027c c2edbcc0 c2f99a80 c3832980
[  566.010000] 1ea0: c2ee7812 00000001 c02d1ec4 c02d1eb8 bf5804b4 bf580390 c02d1ee8 c02d1ec8
[  566.010000] 1ec0: bf581094 bf5804ac c2ee7812 c3832980 c02d1f1c c2edbcc0 00000001 c02d1f18
[  566.010000] 1ee0: c02d1eec bf5812d0 bf580f94 c002b470 c02d1f18 c02d1f00 c3832980 c2edbcc0
[  566.010000] 1f00: 00000000 c02122d8 c17f3000 c02d1f44 c02d1f1c c0124648 bf5810f8 c3832980
[  566.010000] 1f20: c17f3000 c0211fd4 00000000 c02d1f74 0000dd17 00000040 c02d1f70 c02d1f48
[  566.010000] 1f40: c0124804 c0124458 c0212094 c0211fd4 c0211fb8 0000dd17 c01c4108 00000000
[  566.010000] 1f60: c020d09c c02d1f98 c02d1f74 c0124990 c0124764 0000012c c02d0000 c020cf20
[  566.010000] 1f80: c020d090 00000008 00000000 c02d1fc4 c02d1f9c c003c44c c01248f0 00000001
[  566.010000] 1fa0: c020d090 c02d0000 c02c3f1c c003c33c fffffffc 00000000 c02d1ff4 c02d1fc8
[  566.010000] 1fc0: c004c124 c003c348 00000001 ffffffff ffffffff 00000000 00000000 00000000
[  566.010000] 1fe0: 00000000 00000000 00000000 c02d1ff8 c0038ae8 c004c040 cc33cc33 cc33cc33
[  566.010000] Backtrace:
[  566.010000] [<bf4febb8>] (ieee80211_hardstart+0x0/0x438 [wlan]) from [<c0132128>] (__qdisc_run+0xb0/0x220)
[  566.010000] [<c0132078>] (__qdisc_run+0x0/0x220) from [<c012401c>] (dev_queue_xmit+0x160/0x2b4)
[  566.010000] [<c0123ebc>] (dev_queue_xmit+0x0/0x2b4) from [<bf580154>] (br_dev_queue_push_xmit+0x88/0x98 [bridge])
[  566.010000]  r7 = C2EDBBC0  r6 = C2F99A80  r5 = C0213014  r4 = C3832980
[  566.010000] [<bf5800cc>] (br_dev_queue_push_xmit+0x0/0x98 [bridge]) from [<bf5801d8>] (br_forward_finish+0x74/0x84 [bridge])
[  566.010000]  r4 = C0212E44
[  566.010000] [<bf580164>] (br_forward_finish+0x0/0x84 [bridge]) from [<bf5802f4>] (__br_forward+0x84/0x94 [bridge])
[  566.010000] [<bf580270>] (__br_forward+0x0/0x94 [bridge]) from [<bf580460>] (br_flood+0xdc/0x100 [bridge])
[  566.010000]  r5 = C3832980  r4 = C2F99A78
[  566.010000] [<bf580384>] (br_flood+0x0/0x100 [bridge]) from [<bf5804b4>] (br_flood_forward+0x14/0x1c [bridge])
[  566.010000]  r8 = 00000001  r7 = C2EE7812  r6 = C3832980  r5 = C2F99A80
[  566.010000]  r4 = C2EDBCC0
[  566.010000] [<bf5804a0>] (br_flood_forward+0x0/0x1c [bridge]) from [<bf581094>] (br_handle_frame_finish+0x10c/0x120 [bridge])
[  566.010000] [<bf580f88>] (br_handle_frame_finish+0x0/0x120 [bridge]) from [<bf5812d0>] (br_handle_frame+0x1e4/0x210 [bridge])
[  566.010000]  r8 = 00000001  r7 = C2EDBCC0  r6 = C02D1F1C  r5 = C3832980
[  566.010000]  r4 = C2EE7812
[  566.010000] [<bf5810ec>] (br_handle_frame+0x0/0x210 [bridge]) from [<c0124648>] (netif_receive_skb+0x1fc/0x30c)
[  566.010000]  r7 = C17F3000  r6 = C02122D8  r5 = 00000000  r4 = C2EDBCC0
[  566.010000] [<c012444c>] (netif_receive_skb+0x0/0x30c) from [<c0124804>] (process_backlog+0xac/0x18c)
[  566.010000] [<c0124758>] (process_backlog+0x0/0x18c) from [<c0124990>] (net_rx_action+0xac/0x1a8)
[  566.010000] [<c01248e4>] (net_rx_action+0x0/0x1a8) from [<c003c44c>] (ksoftirqd+0x110/0x1bc)
[  566.010000]  r8 = 00000000  r7 = 00000008  r6 = C020D090  r5 = C020CF20
[  566.010000]  r4 = C02D0000
[  566.010000] [<c003c33c>] (ksoftirqd+0x0/0x1bc) from [<c004c124>] (kthread+0xf0/0x120)
[  566.010000] [<c004c034>] (kthread+0x0/0x120) from [<c0038ae8>] (do_exit+0x0/0x894)
[  566.010000]  r8 = 00000000  r7 = 00000000  r6 = 00000000  r5 = 00000000
[  566.010000]  r4 = 00000000
[  566.010000] Code: b1a02003 e35e0000 e5852070 0a000021 (e59e3234)
[  566.010000]  <2>kernel BUG at kernel/exit.c:862!

The gdb output is:

(gdb) list *(ieee80211_hardstart+0x2a8)
0x300 is in ieee80211_hardstart (/mnt/fedora-home/modules-2.6.18-rt7/5000_madwifi/madwifi-svn-r1860/net80211/ieee80211_output.c:172).
167             skb->priority = d_wme_ac;
168             if (v_wme_ac > d_wme_ac)
169                     skb->priority = v_wme_ac;
170
171             /* Applying ACM policy */
172             if ((vap != NULL) && (vap->iv_opmode == IEEE80211_M_STA)) {
173                     struct ieee80211com *ic = ni->ni_ic;
174
175                     while ((skb->priority != WME_AC_BK) && (ic != NULL) &&
176                         (ic->ic_wme.wme_wmeBssChanParams.cap_wmeParams[skb->priority].wmep_acm)) {
(gdb)

It seems to me that the vap pointer is not NULL but is filled with a wrong (corrupted?) address.
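The register dump and the Code: line in the Oops above are enough to check that reading. The following is an added example, not code from this ticket or from madwifi: it takes the faulting word shown in parentheses on the Code: line (e59e3234), decodes it as an ARM single-data-transfer instruction with an immediate offset, and resolves the base register against the dumped register values. It assumes the classic ARM (ARMv5-style) instruction encoding, and the register table it embeds is a constructed copy of the values printed in the Oops (r0..r10, fp, ip, sp, lr, pc).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the register dump from the Oops above, indexed r0..r15
 * (r11 = fp, r12 = ip, r13 = sp, r14 = lr, r15 = pc). */
static const uint32_t oops_regs[16] = {
    0x00000000, 0xc2ee7818, 0x00000000, 0x00000000,   /* r0  .. r3  */
    0xc3eae280, 0xc3832980, 0xc38b3000, 0xc38329b0,   /* r4  .. r7  */
    0x00000007, 0xc2ee7812, 0x00000000, 0xc02d1de4,   /* r8  .. fp  */
    0xc2ee7812, 0xc02d1dbc, 0x00000014, 0xbf4fee60    /* ip, sp, lr, pc */
};

/* Decoded form of an ARM "LDR/STR Rd, [Rn, #imm]" instruction. */
struct ldr_imm {
    unsigned rd;        /* destination/source register */
    unsigned rn;        /* base register */
    int32_t  offset;    /* signed immediate offset (U bit applied) */
    int      is_load;   /* 1 for LDR, 0 for STR (L bit) */
    int      pre_index; /* 1 if the offset is applied before the access (P bit) */
};

/* Decode a 32-bit ARM single data transfer with immediate offset
 * (bits 27..25 == 010). Returns 0 if the word is not such an instruction. */
int decode_ldr_imm(uint32_t insn, struct ldr_imm *out)
{
    if (((insn >> 25) & 0x7) != 0x2)
        return 0;
    unsigned p = (insn >> 24) & 1;
    unsigned u = (insn >> 23) & 1;
    unsigned l = (insn >> 20) & 1;
    int32_t imm = (int32_t)(insn & 0xfff);
    out->rn = (insn >> 16) & 0xf;
    out->rd = (insn >> 12) & 0xf;
    out->offset = u ? imm : -imm;
    out->is_load = (int)l;
    out->pre_index = (int)p;
    return 1;
}

/* Recognise "CMP Rn, #imm" (data processing, immediate form, opcode 1010). */
int decode_cmp_imm(uint32_t insn, unsigned *rn, uint32_t *imm)
{
    if (((insn >> 25) & 0x7) != 0x1)  /* bits 27..25 == 001 */
        return 0;
    if (((insn >> 21) & 0xf) != 0xa)  /* opcode CMP */
        return 0;
    unsigned rot = (insn >> 8) & 0xf; /* rotate-right amount is 2*rot */
    uint32_t v = insn & 0xff;
    *rn = (insn >> 16) & 0xf;
    *imm = (v >> (2 * rot)) | (v << ((32 - 2 * rot) & 31));
    return 1;
}

/* Address the instruction accessed, given the registers at the time of the
 * Oops. A post-indexed form uses the base register unmodified. */
uint32_t effective_address(const struct ldr_imm *d, const uint32_t regs[16])
{
    uint32_t base = regs[d->rn];
    return d->pre_index ? base + (uint32_t)d->offset : base;
}

/* Pull the parenthesised (faulting) word out of a kernel "Code:" line. */
int faulting_word(const char *code_line, uint32_t *out)
{
    const char *open = strchr(code_line, '(');
    unsigned int v;
    if (open == NULL || sscanf(open + 1, "%x", &v) != 1)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

int main(void)
{
    /* The Code: line from the Oops above, as printed by the kernel. */
    const char *code_line = "Code: b1a02003 e35e0000 e5852070 0a000021 (e59e3234)";
    uint32_t insn;
    struct ldr_imm d;

    if (!faulting_word(code_line, &insn) || !decode_ldr_imm(insn, &d))
        return 1;
    printf("%s r%u, [r%u, #0x%x]\n", d.is_load ? "ldr" : "str",
           d.rd, d.rn, (unsigned)d.offset);
    printf("base r%u = 0x%08x -> access at 0x%08x\n",
           d.rn, oops_regs[d.rn], effective_address(&d, oops_regs));
    return 0;
}
```

Decoded, the faulting word is ldr r3, [lr, #0x234]; lr held 0x14, so the access went to 0x248, which is exactly the fault address in the first Oops line. The word before it, e35e0000, decodes to cmp lr, #0, i.e. the vap != NULL test from line 172 of the gdb listing, so lr was holding vap and vap was 0x14 rather than NULL. That supports the reading above that the pointer was corrupted rather than unset, and it is why the NULL check on that line cannot catch a stale or partially initialised pointer; the offset 0x234 is then the position of the field read on line 172 in this build, which is an inference from the listing, not something the dump states.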

Attachments

delayed_ieee80211_sta_join1_tasklet.diff (0.7 kB) - added by rozteck@interia.pl on 01/10/07 19:45:45.
Moving the ieee80211_sta_join1_tasklet initialization a few lines lower seems to solve the problem.

Change History

01/10/07 19:45:45 changed by rozteck@interia.pl

  • attachment delayed_ieee80211_sta_join1_tasklet.diff added.

Moving the ieee80211_sta_join1_tasklet initialization a few lines lower seems to solve the problem.

01/10/07 19:47:55 changed by rozteck@interia.pl

I would not consider this diff a patch. I did it and it seems to me that the crash is not occurring anymore. In fact I'm getting other crashes (in the _ieee80211_free_node function), so I cannot say if it helps definitely or just delays the crash in time.

01/16/07 17:05:40 changed by rozteck@interia.pl

The crash is fixed after applying the patch from ticket #907.

07/26/07 05:22:56 changed by mentor

  • status changed from new to closed.
  • resolution set to fixed.
  • milestone set to version 0.9.4.

02/11/08 06:15:11 changed by mrenzmann

  • milestone changed from version 0.9.4 to version 0.9.5.