Please note: This project is no longer active. The website is kept online for historic purposes only.

Ticket #1095 (new defect)

Opened 15 years ago

Last modified 15 years ago

Madwifi-ng, bridging mastermode kernel panics

Reported by:
Assigned to:
Priority: major
Milestone:
Component: madwifi: other
Version:
Keywords:
Cc:
Patch is attached: 0
Pending:


In Pyramid Linux, a distro for Soekris boxes, madwifi, while part of a bridge group, seems to consistently kernel panic after heavy load, with or without wpa-psk/hostapd. This was originally tested with madwifi-0.9.2 and then madwifi-ng-r1968-20070113.

Hardware: Soekris Net4526-30, CM9 Atheros Mini-PCI card

Configuration: One VAP in Master mode acting as part of a bridge group with eth0. Hostapd with wpa-psk running on bridge interface br0.

I have two kernel oopses. Unfortunately, I have not had the best luck replicating this problem and have been trying to find conditions that would easily replicate the oops. Any suggestions for how to get you more data or replicate the bug consistently are appreciated.

Kernel Oops:

BUG: unable to handle kernel NULL pointer dereference at virtual1 printing eip:
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: ipv6 airprime usbserial ohci_hcd ehci_hcd usbcore wlan_ccmp xCPU:    0
EIP:    0060:[<c01f9b74>]    Tainted: P      VLI
EFLAGS: 00010206   ( #1)
EIP is at dev_queue_xmit+0x10/0x19b
eax: 000000b1   ebx: 0b00d000   ecx: c2abe650   edx: 00000100
esi: c2abe656   edi: c2abd718   ebp: 00000002   esp: c3b7583c
ds: 007b   es: 007b   ss: 0068
Process hostapd (pid: 435, threadinfo=c3b74000 task=c3b8a890)
Stack: c2abd718 c2abe656 c34d302c c491cd3c c2abd718 c34d3026 c2abd73c c49207d3
       c2abe650 c3a83800 c2abe650 c3b758c4 80000000 c491cc77 c3987440 c020a29b
       00000004 c3b758fc 00000000 c3987440 c491cc77 00000004 c3b758fc c03004a0
Call Trace:
 <c491cd3c> br_dev_queue_push_xmit+0xc5/0xcc [bridge]  <c49207d3> br_nf_post_ro] <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c020a29b> nf_iterate+0x2e <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c491cc77> br_dev_queue_p] <c020a309> nf_hook_slow+0x3c/0x94  <c491cc77> br_dev_queue_push_xmit+0x0/0xcc ] <c491cd71> br_forward_finish+0x2e/0x41 [bridge]  <c491cc77> br_dev_queue_push_] <c492055b> br_nf_forward_finish+0xc6/0xcb [bridge]  <c4920c42> br_nf_forward_i] <c491cd43> br_forward_finish+0x0/0x41 [bridge]  <c020a29b> nf_iterate+0x2c/0x5e <c491cd43> br_forward_finish+0x0/0x41 [bridge]  <c491cd43> br_forward_finish+0] <c020a309> nf_hook_slow+0x3c/0x94  <c491cd43> br_forward_finish+0x0/0x41 [brid] <c491cdca> __br_forward+0x46/0x57 [bridge]  <c491cd43> br_forward_finish+0x0/0] <c491d776> br_handle_frame_finish+0xb5/0xd5 [bridge]  <c4920ace> br_nf_pre_rou] <c492085e> br_nf_pre_routing_finish+0x0/0x27b [bridge]  <c020a309> nf_hook_slo4 <c492085e> br_nf_pre_routing_finish+0x0/0x27b [bridge]  <c491d6c1> br_handle_f] <c492138a> br_nf_pre_routing+0x546/0x578 [bridge]  <c491d6c1> br_handle_frame_] <c4921399> br_nf_pre_routing+0x555/0x578 [bridge]  <c492138a> br_nf_pre_routin] <c491d6c1> br_handle_frame_finish+0x0/0xd5 [bridge]  <c020a29b> nf_iterate+0x2e <c491d6c1> br_handle_frame_finish+0x0/0xd5 [bridge]  <c491d6c1> br_handle_fram] <c020a309> nf_hook_slow+0x3c/0x94  <c491d6c1> br_handle_frame_finish+0x0/0xd5 ] <c491d8c6> br_handle_frame+0x130/0x15a [bridge]  <c491d6c1> br_handle_frame_fi] <c01fa063> netif_receive_skb+0x253/0x2fe  <c4854691> natsemi_poll+0x486/0x5bc ] <c01f8b0d> net_rx_action+0x6c/0xfc  <c011042e> __do_softirq+0x34/0x7d
 <c0110499> do_softirq+0x22/0x26  <c011059b> local_bh_enable+0x51/0x5c
 <c4914aea> packet_poll+0x67/0x6c [af_packet]  <c01f075c> sock_poll+0x13/0x17
 <c01436a1> do_select+0x262/0x41a  <c0143388> __pollwait+0x0/0xb7
 <c010a1b4> default_wake_function+0x0/0x15  <c010a1b4> default_wake_function+0x5 <c010a1b4> default_wake_function+0x0/0x15  <c010a1b4> default_wake_function+0x5 <c020a29b> nf_iterate+0x2c/0x5e  <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [b] <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c020a309> nf_hook_slow+04 <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c491cd71> br_forward_fin] <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c492055b> br_nf_forward_] <c4920c42> br_nf_forward_ip+0x129/0x138 [bridge]  <c491cd43> br_forward_finish] <c020a29b> nf_iterate+0x2c/0x5e  <c491cd43> br_forward_finish+0x0/0x41 [bridge] <c491cd43> br_forward_finish+0x0/0x41 [bridge]  <c020a309> nf_hook_slow+0x3c/04 <c491cd43> br_forward_finish+0x0/0x41 [bridge]  <c491cdca> __br_forward+0x46/0] <c492fd91> ccmp_decap+0x4ac/0x573 [wlan_ccmp]  <c020a309> nf_hook_slow+0x3c/0x4 <c492085e> br_nf_pre_routing_finish+0x0/0x27b [bridge]  <c491d6c1> br_handle_f] <c488ef54> zz06dff44a+0x234/0x3f0 [ath_hal]  <c0143a45> core_sys_select+0x1ec/6 <c48c5dfa> ieee80211_ioctl_setkey+0x1c0/0x23f [wlan]  <c48c5e30> ieee80211_ioc] <c0201b53> wireless_process_ioctl+0x2b3/0x316  <c48c5c3a> ieee80211_ioctl_setk] <c01f862e> netdev_run_todo+0x1cd/0x1d3  <c01f9a3e> dev_ioctl+0x3fa/0x433
 <c4814ef4> unix_release_sock+0x15e/0x176 [unix]  <c0143de2> sys_select+0x98/0x5 <c010fa49> sys_gettimeofday+0x22/0x51  <c01023c7> syscall_call+0x7/0xb
Code: 83 ee 10 8b 46 10 8d 74 26 00 81 fe f0 fe 2f c0 0f 85 64 ff ff ff 5b 5e 5
EIP: [<c01f9b74>] dev_queue_xmit+0x10/0x19b SS:ESP 0068:c3b7583c
 <0>Kernel panic - not syncing: Fatal exception in interrupt

This one was reported by another user:

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000e printing eip:
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: wlan_ccmp wlan_tkip wlan_xauth af_packet ipv6 airprime usbserial ohci_hcd ehci_hxCPU:    0
EIP:    0060:[<c2be3c8c>]    Tainted: P      VLI
EFLAGS: 00010202   ( #1)
EIP is at 0xc2be3c8c
eax: 0000007e   ebx: c2b2dc30   ecx: c2b7ae48   edx: 00000100
esi: 80000000   edi: c491ac77   ebp: c2be3c8e   esp: c2b2dbe4
ds: 007b   es: 007b   ss: 0068
Process pppd (pid: 1961, threadinfo=c2b2c000 task=c2b56000)
Stack: c2be0060 c49230e0 00000000 00000000 c3a26360 c491ac77 00000004 c2b2dc68
       c03004a0 c491ac77 c020a309 c03004a0 c2b2dc68 00000004 00000000 c3a26360
       c2b2dc30 c491ac77 80000000 c4922fcc c3839280 00000002 c39e7480 c3a26360
Call Trace:
 <c491ac77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c491ac77> br_dev_queue_push_xmit+0x0/0xcc [b] <c020a309> nf_hook_slow+0x3c/0x94  <c491ac77> br_dev_queue_push_xmit+0x0/0xcc [bridge]
 <c491ad71> br_forward_finish+0x2e/0x41 [bridge]  <c491ac77> br_dev_queue_push_xmit+0x0/0xcc [bridg] <c491e55b> br_nf_forward_finish+0xc6/0xcb [bridge]  <c491ec42> br_nf_forward_ip+0x129/0x138 [bridg] <c491ad43> br_forward_finish+0x0/0x41 [bridge]  <c020a29b> nf_iterate+0x2c/0x5e
 <c491ad43> br_forward_finish+0x0/0x41 [bridge]  <c491ad43> br_forward_finish+0x0/0x41 [bridge]
 <c020a309> nf_hook_slow+0x3c/0x94  <c491ad43> br_forward_finish+0x0/0x41 [bridge]
 <c491adca> __br_forward+0x46/0x57 [bridge]  <c491ad43> br_forward_finish+0x0/0x41 [bridge]
 <c491b776> br_handle_frame_finish+0xb5/0xd5 [bridge]  <c491eace> br_nf_pre_routing_finish+0x270/0x] <c491e85e> br_nf_pre_routing_finish+0x0/0x27b [bridge]  <c020a309> nf_hook_slow+0x3c/0x94
 <c491e85e> br_nf_pre_routing_finish+0x0/0x27b [bridge]  <c491b6c1> br_handle_frame_finish+0x0/0xd5] <c491f38a> br_nf_pre_routing+0x546/0x578 [bridge]  <c491b6c1> br_handle_frame_finish+0x0/0xd5 [bri] <c491f399> br_nf_pre_routing+0x555/0x578 [bridge]  <c491f38a> br_nf_pre_routing+0x546/0x578 [bridg] <c491b6c1> br_handle_frame_finish+0x0/0xd5 [bridge]  <c020a29b> nf_iterate+0x2c/0x5e
 <c491b6c1> br_handle_frame_finish+0x0/0xd5 [bridge]  <c491b6c1> br_handle_frame_finish+0x0/0xd5 [b] <c020a309> nf_hook_slow+0x3c/0x94  <c491b6c1> br_handle_frame_finish+0x0/0xd5 [bridge]
 <c491b8c6> br_handle_frame+0x130/0x15a [bridge]  <c491b6c1> br_handle_frame_finish+0x0/0xd5 [bridg] <c01fa063> netif_receive_skb+0x253/0x2fe  <c4854691> natsemi_poll+0x486/0x5bc [natsemi]
 <c01f8b0d> net_rx_action+0x6c/0xfc  <c011042e> __do_softirq+0x34/0x7d
 <c0110499> do_softirq+0x22/0x26  <c0103c38> do_IRQ+0x1e/0x26
 <c010261a> common_interrupt+0x1a/0x20  <c0122443> filemap_nopage+0x88/0x2a7
 <c012a99c> __handle_mm_fault+0x213/0x664  <c0108c3a> do_page_fault+0x20d/0x528
 <c0108a2d> do_page_fault+0x0/0x528  <c010267f> error_code+0x4f/0x60
Code: 42 be c2 21 40 41 99 da 00 00 00 00 5d be c2 1f 3c f1 40 a1 52 ab f9 83 7e 89 77 6d 40 ad 68
EIP: [<c2be3c8c>] 0xc2be3c8c SS:ESP 0068:c2b2dbe4
 <0>Kernel panic - not syncing: Fatal exception in interrupt

Dmesg for this system:

Linux version (ken@compost) (gcc version 4.0.2 20050808 (prerelease) (Ubuntu 4.0.1-4ubuntu9)) #1 Thu Aug 17 13:24:26 PDT 2006
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
 BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 0000000004000000 (usable)
 BIOS-e820: 00000000fff00000 - 0000000100000000 (reserved)
64MB LOWMEM available.
DMI not present or invalid.
Allocating PCI resources starting at 10000000 (gap: 04000000:fbf00000)
Built 1 zonelists
Kernel command line: root=/dev/hda1 console=ttyS0,19200n8
Initializing CPU#0
PID hash table entries: 512 (order: 9, 2048 bytes)
Using pit for high-res timesource
Console: colour dummy device 80x25
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 62336k/65536k available (1364k kernel code, 2748k reserved, 475k data, 104k init, 0k highmem)
Checking if this processor honours the WP bit even in supervisor mode... Ok.
Mount-cache hash table entries: 512
CPU: AMD 486 DX/4-WB stepping 04
Checking 'hlt' instruction... OK.
SMP alternatives: switching to UP code
Freeing SMP alternatives: 0k freed
NET: Registered protocol family 16
PCI: PCI BIOS revision 2.01 entry at 0xf7861, last bus=0
Setting up standard PCI resources
PCI: Probing PCI hardware
TC classifier action (bugs to cc
NET: Registered protocol family 2
IP route cache hash table entries: 512 (order: -1, 2048 bytes)
TCP established hash table entries: 2048 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 2048 bind 1024)
TCP reno registered
Initializing Cryptographic API
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing enabled
serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
hda: 64MB ATA Flash Disk, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: max request size: 128KiB
hda: 125056 sectors (64 MB) w/1KiB Cache, CHS=977/4/32
hda: cache flushes not supported
 hda: hda1
Using IPI Shortcut mode
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 104k freed
^[[8;1RNET: Registered protocol family 1
 * version 2.86 booting
 * Starting hardware event daemon...
 * Mounting a tmpfs over /dev...
 * Creating initial device nodes...
Loading modules: hostap_pci hostap_pci: 0.4.4-kernel (Jouni Malinen <>)
ath_pci ath_hal: module license 'Proprietary' taints kernel.
ath_hal: (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
wlan: (0.9.2)
ath_rate_sample: 1.2 (0.9.2)
ath_pci: (0.9.2)
wifi0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: turboA rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: H/W encryption support: WEP AES AES_CCM TKIP
wifi0: mac 5.9 phy 4.3 radio 3.6
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Atheros 5212: mem=0xa0000000, irq=10
natsemi natsemi dp8381x driver, version 1.07+LK1.0.17, Sep 27, 2002
  originally by Donald Becker <>
  2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
natsemi eth0: NatSemi DP8381[56] at 0xa0010000 (0000:00:12.0), 00:00:24:c6:d5:54, IRQ 11, port TP.
ip_tables ip_tables: (C) 2000-2006 Netfilter Core Team
iptable_filter iptable_mangle iptable_nat ip_conntrack version 2.4 (512 buckets, 4096 max) - 224 bytes per conntrack
ipt_mac ipt_mark ipt_state ipt_LOG ipt_MARK ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_TOS ip_conntrack ip_nat_ftp ppp_generic CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.2

tmpfs on /rw type tmpfs (rw,size=10M)
Setting up IP spoofing protection: rp_filter.
Enabling packet forwarding: done.
Configuring network interfaces: ath0
Bridge firewalling registered
device eth0 entered promiscuous mode
eth0: DSPCFG accepted after 0 usec.
eth0: link up.
eth0: Setting full-duplex based on negotiated link capability.
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
device ath0 entered promiscuous mode
br0: port 2(ath0) entering learning state
br0: port 1(eth0) entering learning state
Waiting for br0 to get ready (MAXWAIT is 32 seconds).
br0: topology change detected, propagating
br0: port 2(ath0) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
 * Entering runlevel: 2
Starting kernel log daemon: klogd.
Starting PCMCIA services: cardmgr.
cardmgr[517]: error in file 'config' line 2166: syntax error
cardmgr[517]: no sockets found!
Starting hotplug subsystem: usbusbcore: registered new driver usbfs
usbcore: registered new driver hub
usbcore: registered new driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for airprime
usbcore: registered new driver airprime
Starting ntpd: ntpd.
/etc/rc2.d/S19portforwarding: start
/etc/rc2.d/S20dhcrelay: line 14: /etc/default/dhcrelay.*: No such file or directory
Starting OpenBSD Secure Shell server: sshdNET: Registered protocol family 10
lo: Disabled Privacy Extensions
eth0: Promiscuous mode enabled.
eth0: Promiscuous mode enabled.
IPv6 over IPv4 tunneling driver
 * Starting periodic command scheduler...
Building initial RRD databases...
NET: Registered protocol family 17


kernel-oops (5.8 kB) - added by on 01/18/07 05:36:08.
kernel oops, madwifi-ng bridging AP, transferring data via Intel card on Windows

Change History

01/18/07 05:36:08 changed by

  • attachment kernel-oops added.

kernel oops, madwifi-ng bridging AP, transferring data via Intel card on Windows

01/18/07 05:41:27 changed by

Update: I am able to reproduce this reliably now. It seems to only happen for me when using an Intel card on Windows. Basically, create a master VAP, bridge it with br0 and ath0, and start transferring large amounts of data with the Intel card/Windows box. In this case, three simultaneous ISO downloads via HTTP off a local machine on the eth0 side were able to repro the bug.

Any more information or testing I should do?
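
A triage helper for oopses like the two in this ticket, added here as an example and not part of the original report or of the madwifi project: it separates complete call-trace entries from the ones the serial console cut off, and sets aside entries at +0x0. The function name parse_oops and the shortened sample text are assumptions made for illustration.

```python
import re
from collections import Counter

# Excerpt of the first oops in this ticket, shortened; it keeps the frames
# that the serial console cut off at its line width.
SAMPLE_OOPS = """\
EIP is at dev_queue_xmit+0x10/0x19b
Process hostapd (pid: 435, threadinfo=c3b74000 task=c3b8a890)
Call Trace:
 <c491cd3c> br_dev_queue_push_xmit+0xc5/0xcc [bridge]  <c49207d3> br_nf_post_ro] <c491cc77> br_dev_queue_push_xmit+0x0/0xcc [bridge]  <c020a29b> nf_iterate+0x2e
 <c491d8c6> br_handle_frame+0x130/0x15a [bridge]  <c491d6c1> br_handle_frame_fi] <c01fa063> netif_receive_skb+0x253/0x2fe  <c4854691> natsemi_poll+0x486/0x5bc ]
 <c01f8b0d> net_rx_action+0x6c/0xfc  <c011042e> __do_softirq+0x34/0x7d
Code: 83 ee 10 8b 46 10
"""

SLOT = re.compile(r"<([0-9a-f]{8})>\s*([^<\n]*)")
FRAME = re.compile(r"(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?")
EIP = re.compile(r"EIP is at (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+")


def parse_oops(text):
    """Split a 2.6-era i386 oops into usable frames and truncated slots."""
    eip = EIP.search(text)
    proc = re.search(r"Process (\S+) \(pid: (\d+)", text)
    trace = text.partition("Call Trace:")[2].partition("Code:")[0]
    frames, truncated = [], []
    for addr, body in SLOT.findall(trace):
        m = FRAME.fullmatch(body.strip())
        if m is None:  # cut off mid-symbol: keep the address, trust nothing else
            truncated.append(addr)
            continue
        sym, off, mod = m.group(1), int(m.group(2), 16), m.group(3) or "kernel"
        # An entry at +0x0 is a function pointer left on the stack (for
        # example a netfilter hook callback), not a return address.
        frames.append({"addr": addr, "sym": sym, "module": mod, "is_call": off != 0})
    calls = [f for f in frames if f["is_call"]]
    return {
        "eip": eip.group(1) if eip else None,  # None: EIP is a bare address
        "process": proc.group(1) if proc else None,
        "calls": [f["sym"] for f in calls],
        "modules": Counter(f["module"] for f in calls),
        "truncated": truncated,
    }


if __name__ == "__main__":
    print(parse_oops(SAMPLE_OOPS))
```

Truncated entries keep only their address, so they can still be resolved against System.map or the module load addresses from a fresh, untruncated capture.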