When I ifdown and then ifup a WDS configuration, I get a kernel panic in ieee80211_input. This is with madwifi-ng with the patch from Ticket 209.
[17267421.272000] Unable to handle kernel NULL pointer dereference at virtual address 00000050
[17267421.280000] printing eip:
[17267421.284000] e09715f2
[17267421.288000] *pde = 00000000
[17267421.292000] Oops: 0000 [#1]
[17267421.292000] Modules linked in: wlan_scan_ap ath_pci ath_rate_sample wlan ath_hal bridge cmd64x i2c_piix4 i2c_core pci_hotplug intel_agp agpgart rtc ide_cd cdrom unix
[17267421.292000] CPU: 0
[17267421.292000] EIP: 0060:[<e09715f2>] Tainted: P VLI
[17267421.292000] EFLAGS: 00010202 (2.6.14.3)
[17267421.292000] EIP is at ieee80211_input+0x122/0x1410 [wlan]
[17267421.292000] eax: 00000008 ebx: 00000056 ecx: 00000000 edx: 00000000
[17267421.292000] esi: 00000000 edi: db965240 ebp: c0355f00 esp: c0355e68
[17267421.292000] ds: 007b es: 007b ss: 0068
[17267421.292000] Process swapper (pid: 0, threadinfo=c0354000 task=c030dba0)
[17267421.292000] Stack: c0355e7c c025e59d dc1a8f00 dc1a8f00 dbe68240 c0355e90 c025e645 dffe29e0
[17267421.292000] dc1a8f00 08000000 db965240 c025e717 dc1a8f00 00000286 dc35ec00 dc1a8f00
[17267421.292000] db538090 d5d6d090 dd8f1680 e09f2bb1 dc3a0000 db538090 1b538090 db5380c0
[17267421.292000] Call Trace:
[17267421.292000] [<c0103ebb>] show_stack+0xab/0xf0
[17267421.292000] [<c0104082>] show_registers+0x162/0x200
[17267421.292000] [<c0104298>] die+0xc8/0x150
[17267421.292000] [<c02cb45a>] do_page_fault+0x20a/0x6b0
[17267421.292000] [<c0103b5f>] error_code+0x4f/0x54
[17267421.292000] [<e09f8b75>] ath_rx_tasklet+0x3a5/0x660 [ath_pci]
[17267421.292000] [<c01201fe>] tasklet_action+0x3e/0x70
[17267421.292000] [<c011ff12>] __do_softirq+0x52/0xb0
[17267421.292000] [<c011ff9a>] do_softirq+0x2a/0x30
[17267421.292000] [<c0120055>] irq_exit+0x35/0x40
[17267421.292000] [<c0105181>] do_IRQ+0x21/0x30
[17267421.292000] [<c0103a96>] common_interrupt+0x1a/0x20
[17267421.292000] [<c01010f6>] cpu_idle+0x36/0x50
[17267421.292000] [<c010024b>] _stext+0x2b/0x40
[17267421.292000] [<c03568ba>] start_kernel+0x15a/0x170
[17267421.292000] [<c0100199>] 0xc0100199
[17267421.292000] Code: c6 45 e6 ff eb b3 8d 76 00 8b 4d dc 8b 75 d4 0f b6 41 01 0f b6 4d 8f 24 03 88 45 e5 0f b6 45 8f 80 e1 f0 88 4d e7 24 0c 88 45 e6 <80> 7e 50 00 79 48 80 7d e6 04 0f b6 45 e6 0f 84 93 02 00 00 80
[17267421.292000] <0>Kernel panic - not syncing: Fatal exception in interrupt
The /etc/network/interfaces stanza for the interface involved looks like this:
auto ath0
iface ath0 inet static
address 1.0.0.0
netmask 255.255.255.255
broadcast 255.255.255.255
pre-up /sbin/modprobe ath-pci
pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
pre-up wlanconfig ath1 create wlandev wifi0 wlanmode wds
pre-up wlanconfig ath2 create wlandev wifi0 wlanmode wds
pre-up iwconfig ath0 essid backhaul
pre-up iwpriv ath1 wds_add 00:02:6f:20:f7:2b
pre-up iwpriv ath2 wds_add 00:02:6f:21:ec:a2
pre-up iwpriv ath1 wds 1
pre-up iwpriv ath2 wds 1
pre-up ifconfig ath1 up
pre-up ifconfig ath2 up
pre-up ifconfig ath0 up
pre-up iwconfig ath0 channel 161
up brctl addif br0 ath0
up brctl addif br0 ath1
up brctl addif br0 ath2
down brctl delif br0 ath0
down brctl delif br0 ath1
down brctl delif br0 ath2
post-down wlanconfig ath0 destroy
post-down wlanconfig ath1 destroy
post-down wlanconfig ath2 destroy
The ifdown -v ath0 looks like this:
Configuring interface ath0=ath0 (inet)
brctl delif br0 ath0
brctl delif br0 ath1
brctl delif br0 ath2
run-parts --verbose /etc/network/if-down.d
ifconfig ath0 down
wlanconfig ath0 destroy
wlanconfig ath1 destroy
wlanconfig ath2 destroy
run-parts --verbose /etc/network/if-post-down.d
run-parts: executing /etc/network/if-post-down.d/bridge
run-parts: executing /etc/network/if-post-down.d/wireless-tools
and the crashing ifup -v ath0 looks like this:
Configuring interface ath0=ath0 (inet)
/sbin/modprobe ath-pci
wlanconfig ath0 create wlandev wifi0 wlanmode ap
ath0
wlanconfig ath1 create wlandev wifi0 wlanmode wds
ath1
wlanconfig ath2 create wlandev wifi0 wlanmode wds
ath2
iwconfig ath0 essid backhaul
iwpriv ath1 wds_add 00:02:6f:20:f7:2b
iwpriv ath2 wds_add 00:02:6f:21:ec:a2
iwpriv ath1 wds 1
iwpriv ath2 wds 1
ifconfig ath1 up
ifconfig ath2 up
ifconfig ath0 up
iwconfig ath0 channel 161
run-parts --verbose /etc/network/if-pre-up.d
[hang]
Looking at objdump -D ieee80211_input.o output:
ieee80211_input.o: file format elf32-i386
Disassembly of section .text:
00000000 <ieee80211_input>:
0: 55 push %ebp
1: 89 e5 mov %esp,%ebp
3: 57 push %edi
4: 56 push %esi
5: 53 push %ebx
6: 81 ec 8c 00 00 00 sub $0x8c,%esp
c: 8b 45 08 mov 0x8(%ebp),%eax
f: 8b 5d 08 mov 0x8(%ebp),%ebx
12: 8b 00 mov (%eax),%eax
14: 89 45 90 mov %eax,0xffffff90(%ebp)
17: 8b 90 b8 00 00 00 mov 0xb8(%eax),%edx
1d: 89 55 d4 mov %edx,0xffffffd4(%ebp)
20: 8b 08 mov (%eax),%ecx
22: 89 4d d8 mov %ecx,0xffffffd8(%ebp)
25: 0f b7 83 d6 01 00 00 movzwl 0x1d6(%ebx),%eax
2c: 66 89 83 d4 01 00 00 mov %ax,0x1d4(%ebx)
33: 8b 75 0c mov 0xc(%ebp),%esi
36: 8b 46 58 mov 0x58(%esi),%eax
39: 83 f8 0f cmp $0xf,%eax
3c: 0f 86 2e 06 00 00 jbe 670 <ieee80211_input+0x670>
42: 8b 7d 90 mov 0xffffff90(%ebp),%edi
45: 8b 97 2c 02 00 00 mov 0x22c(%edi),%edx
4b: c6 45 e6 ff movb $0xff,0xffffffe6(%ebp)
4f: 83 fa 08 cmp $0x8,%edx
52: 74 5c je b0 <ieee80211_input+0xb0>
54: 8b 45 0c mov 0xc(%ebp),%eax
57: 8b 58 58 mov 0x58(%eax),%ebx
5a: 83 fb 0f cmp $0xf,%ebx
5d: 0f 86 7d 00 00 00 jbe e0 <ieee80211_input+0xe0>
63: 8b 4d 0c mov 0xc(%ebp),%ecx
66: 8b 89 90 00 00 00 mov 0x90(%ecx),%ecx
6c: 89 4d dc mov %ecx,0xffffffdc(%ebp)
6f: 0f b6 01 movzbl (%ecx),%eax
72: 0f b6 c8 movzbl %al,%ecx
75: f6 c1 03 test $0x3,%cl
78: 88 45 8f mov %al,0xffffff8f(%ebp)
7b: 0f 84 7f 00 00 00 je 100 <ieee80211_input+0x100>
81: 8b 55 90 mov 0xffffff90(%ebp),%edx
84: 8b 82 bc 00 00 00 mov 0xbc(%edx),%eax
8a: 85 c0 test %eax,%eax
8c: 0f 85 ee 00 00 00 jne 180 <ieee80211_input+0x180>
92: 8b 4d 90 mov 0xffffff90(%ebp),%ecx
95: ff 81 c0 00 00 00 incl 0xc0(%ecx)
9b: c6 45 e6 ff movb $0xff,0xffffffe6(%ebp)
9f: 8b 5d 90 mov 0xffffff90(%ebp),%ebx
a2: ff 43 14 incl 0x14(%ebx)
a5: 8b 45 0c mov 0xc(%ebp),%eax
a8: 85 c0 test %eax,%eax
aa: 74 1f je cb <ieee80211_input+0xcb>
ac: 8d 74 26 00 lea 0x0(%esi),%esi
b0: 8b 75 0c mov 0xc(%ebp),%esi
b3: 8b 86 88 00 00 00 mov 0x88(%esi),%eax
b9: 48 dec %eax
ba: 0f 85 cd 05 00 00 jne 68d <ieee80211_input+0x68d>
c0: 8b 45 0c mov 0xc(%ebp),%eax
c3: 89 04 24 mov %eax,(%esp)
c6: e8 fc ff ff ff call c7 <ieee80211_input+0xc7>
cb: 0f b6 45 e6 movzbl 0xffffffe6(%ebp),%eax
cf: 81 c4 8c 00 00 00 add $0x8c,%esp
d5: 5b pop %ebx
d6: 5e pop %esi
d7: 5f pop %edi
d8: 5d pop %ebp
d9: c3 ret
da: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
e0: 8b b7 bc 00 00 00 mov 0xbc(%edi),%esi
e6: 85 f6 test %esi,%esi
e8: 0f 85 c2 00 00 00 jne 1b0 <ieee80211_input+0x1b0>
ee: 8b 55 90 mov 0xffffff90(%ebp),%edx
f1: ff 82 c4 00 00 00 incl 0xc4(%edx)
f7: c6 45 e6 ff movb $0xff,0xffffffe6(%ebp)
fb: eb b3 jmp b0 <ieee80211_input+0xb0>
fd: 8d 76 00 lea 0x0(%esi),%esi
100: 8b 4d dc mov 0xffffffdc(%ebp),%ecx
103: 8b 75 d4 mov 0xffffffd4(%ebp),%esi
106: 0f b6 41 01 movzbl 0x1(%ecx),%eax
10a: 0f b6 4d 8f movzbl 0xffffff8f(%ebp),%ecx
10e: 24 03 and $0x3,%al
110: 88 45 e5 mov %al,0xffffffe5(%ebp)
113: 0f b6 45 8f movzbl 0xffffff8f(%ebp),%eax
117: 80 e1 f0 and $0xf0,%cl
11a: 88 4d e7 mov %cl,0xffffffe7(%ebp)
11d: 24 0c and $0xc,%al
11f: 88 45 e6 mov %al,0xffffffe6(%ebp)
122: 80 7e 50 00 cmpb $0x0,0x50(%esi)
[...]
122 (the EIP at panic) looks like a struct member pointer being compared to NULL, but the pointer to the struct itself is NULL, so the NULL+0x50 dereference is panicking. I haven't found the corresponding line in ieee80211_input() yet.