Please note: This project is no longer active. The website is kept online for historic purposes only.

Ticket #1200 (closed defect: fixed)

Opened 13 years ago

Last modified 12 years ago

ioctl_setmlme / freed lock related kernel crash

Reported by: ddrake@brontes3d.com
Assigned to:
Priority: major
Milestone: version 0.9.5
Component: madwifi: driver
Version: v0.9.2.1
Keywords:
Cc:
Patch is attached: 0
Pending:

Description

Using a script which repeatedly uses wpa_supplicant to associate to an AP (WEP encryption), waits to obtain an IP over DHCP, then shuts down wpa_supplicant and repeats the process, I reliably get this crash after a few hours:

NMI Watchdog detected LOCKUP on CPU 3
Pid: 22708, comm: wpa_supplicant Tainted:P 2.6.18-brontes-r6 #1
RIP: .text.lock.spinlock+022/0x97
Call Trace:
<IRQ> :wlan:ieee80211_free_node+0x2f/0xa0
:ath:pci:ath_rx_tasklet
tasklet_action
__do_softirq
:wlan:ieee80211_ioctl_setmlme
call_softirq
do_IRQ
ret_from_intr
<EOI> :ath_pci:ath_updateslot
:ath_pci:ath_wme_update
:ath_hal:zz0067d221
:wlan:ieee80211_wme_updateparams_locked
:wlan:ieee80211_wme_initparams
:wlan:ieee80211_sta_join1
:wlan:ieee80211_ioctl_setmlme
wireless_process_ioctl
netdev_run_todo
dev_ioctl
do_page_fault
sock_ioctl
do_ioctl
vfs_ioctl
sys_ioctl
system_call

console shuts up ...
Kernel panic - not syncing: Aiee, killing interrupt handler!

It looks like it is trying to obtain a lock which has already been freed.

Attachments

out.jpg (94.2 kB) - added by ddrake@brontes3d.com on 03/19/07 14:44:53.
out2.jpg (99.6 kB) - added by ddrake@brontes3d.com on 03/19/07 14:57:11.

Change History

03/19/07 14:41:37 changed by ddrake@brontes3d.com

The oops messages vary a little each time. I'll attach photos of 2 other crashes here.

03/19/07 14:43:17 changed by mrenzmann

  • priority changed from critical to major.

Did you try current trunk and/or the refcount (see #907) branch already?

03/19/07 14:44:53 changed by ddrake@brontes3d.com

  • attachment out.jpg added.

03/19/07 14:57:11 changed by ddrake@brontes3d.com

  • attachment out2.jpg added.

03/19/07 14:58:50 changed by ddrake@brontes3d.com

Not yet. My plan is to first reproduce it with lock debugging and frame unwinding in the kernel (and a serial console cable), then I'll move to testing a trunk snapshot.

03/23/07 14:42:54 changed by anonymous

I wasn't able to reproduce this with 0.9.2.1 and frame unwinding/detection of freed locks support in the kernel - I guess the timing was altered slightly in this configuration.

I also have not been able to reproduce this with 0.9.3 (without the extra debug options) after 2 nights of testing, but I want to leave it running all weekend before giving a more definitive statement about that version.

03/23/07 22:34:00 changed by anonymous

Reproduced with 0.9.3.

RIP at .text.lock.spinlock+0x22/0x97

Call trace:

ieee80211_free_node
ieee80211_input_all
ath_rx_tasklet
tasklet_action
__do_softirq
call_softirq
do_softirq
do_IRQ
ret_from_intr
<EOI> zz016e309b
ath_txq_update
ieee80211_setmlme
....

03/27/07 00:25:12 changed by ddrake@brontes3d.com

refcount branch appears to be even worse. Left some feedback on #907.

05/07/07 16:51:38 changed by ddrake@brontes3d.com

refcount branch fixes this bug.

05/21/07 20:46:35 changed by mentor

  • status changed from new to closed.
  • resolution set to fixed.
  • milestone set to version 0.9.4.

refcount has been merged, so I'm closing this bug.

r2357

02/11/08 06:16:39 changed by mrenzmann

  • milestone changed from version 0.9.4 to version 0.9.5.
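
A triage helper for call traces like the two posted in this ticket, added here as an example (it is not part of the ticket or of the MadWifi code): it splits the frames at the <EOI> marker into interrupt-context frames and the frames of the code that was interrupted, and reports whether the CPU was spinning on a spinlock in interrupt context. The function names split_contexts and triage are hypothetical, and the sample is a trimmed copy of the first trace.

```python
import re

# Constructed sample: frames copied from the ticket's first trace, trimmed.
SAMPLE = """\
RIP: .text.lock.spinlock+022/0x97
Call Trace:
<IRQ> :wlan:ieee80211_free_node+0x2f/0xa0
:ath:pci:ath_rx_tasklet
tasklet_action
__do_softirq
do_IRQ
ret_from_intr
<EOI> :ath_pci:ath_updateslot
:wlan:ieee80211_wme_updateparams_locked
:wlan:ieee80211_sta_join1
:wlan:ieee80211_ioctl_setmlme
sys_ioctl
"""

# One frame: optional <IRQ>/<EOI> marker, optional :module: prefix, symbol, optional +off/size.
FRAME = re.compile(r"^(?:<(?P<mark>IRQ|EOI)>\s*)?(?::(?P<mod>.+):)?"
                   r"(?P<sym>[A-Za-z_][\w.]*)(?:\+\S+)?$")

def split_contexts(trace):
    """Return (irq_frames, interrupted_frames), each a list of (module, symbol)."""
    before, after, seen_eoi, in_trace = [], [], False, False
    for line in map(str.strip, trace.splitlines()):
        if line.lower().startswith("call trace"):
            in_trace = True
            continue
        m = FRAME.match(line) if in_trace else None
        if not m:
            continue  # blank lines, "....", console chatter
        seen_eoi = seen_eoi or m["mark"] == "EOI"
        (after if seen_eoi else before).append((m["mod"], m["sym"]))
    # Without an <EOI> marker nothing was interrupted: all frames are one context.
    return (before, after) if seen_eoi else ([], before)

def triage(trace):
    """Heuristic summary; it flags a trace for review, it does not prove a cause."""
    irq, task = split_contexts(trace)
    rip = re.search(r"RIP(?::| at)\s+(\S+?)\+", trace)
    spinning = bool(rip and "spinlock" in rip.group(1))
    mods = lambda frames: {m for m, _ in frames if m}
    return {
        "spinning_in_irq": spinning and bool(irq),
        "irq_top": irq[0][1] if irq else None,
        "interrupted_top": task[0][1] if task else None,
        "shared_modules": sorted(mods(irq) & mods(task)),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A module that appears on both sides of <EOI> while RIP sits in the spinlock slow path is a cue to review how that module shares locks, and the objects that contain them, between its softirq and ioctl paths.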