Bugzilla – Bug 1978
ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
Last modified: 2009-05-03 22:44:22
Testing Environment
==============================================
Platform : Intel SDV M3M41
Wireless Card : Intel(R) WiFi Link 5300
OS : Redhat Fedora release 10 (Cambridge) 64bit
AP : Cisco 1250
uCode : iwlwifi-5000-1.ucode 5.4.1.16
Source : commit 66cc15337322b743b9264608bb42149f4dba0b30 (Wed Apr 22 10:31:11 2009)
Peer : Intel SDV M3M31

Issue
==============================================
Detect oops (mac80211 problems) when running auto tests in IBSS mode, but could not manually reproduce it.

Part of Call Trace
==============================================
wlan0: Creating new IBSS network, BSSID ce:f9:88:76:1e:4d
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffffa03be114>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
PGD 7cdf5067 PUD 72534067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/class/firmware/0000:01:00.0/loading
CPU 0
Modules linked in: iwlagn iwlcore mac80211 netconsole configfs bridge stp bnep sco l2cap bluetooth sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 cpufreq_ondemand acpi_cpufreq dm_mirror dm_region_hash dm_log dm_multipath dm_mod uinput snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer button i2c_i801 iTCO_wdt iTCO_vendor_support video snd e1000e sr_mod i2c_core battery sg output soundcore snd_page_alloc pcspkr ac cdrom ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: mac80211]
Pid: 16971, comm: iwlagn Tainted: G W 2.6.30-rc2-wl #10 Santa Rosa platform
RIP: 0010:[<ffffffffa03be114>] [<ffffffffa03be114>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
RSP: 0018:ffff88006c5cdd50 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88007c0d6880 RCX: ffffffff8103c586
RDX: ffff88006c5201a0 RSI: 0000000000000001 RDI: ffffffff8103c6e4
RBP: ffff88006c5cdd90 R08: 0000000000000002 R09: 0000000000025336
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88006c5203c0
R13: ffff88006c5203c0 R14: ffff88007c0d6c60 R15: ffff88007c0d6c5a
FS: 0000000000000000(0000) GS:ffff880001024000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 00000000770d3000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process iwlagn (pid: 16971, threadinfo ffff88006c5cc000, task ffff880075501070)
Stack:
 ffffe20000000002 0000000000000246 0000000000000000 0000000000000001
 0000000000000002 0000000000000000 0000000000000000 0000000000000246
 00004d1e7688f9ce ffffffffa03be1fd ffffffff8147bb00 ffff88007c0d6880
Call Trace:
 [<ffffffffa03be1fd>] ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211]
 [<ffffffffa03be25b>] ? ieee80211_ibss_notify_scan_completed+0x5e/0x88 [mac80211]
 [<ffffffffa03be1fd>] ? ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211]
 [<ffffffffa03bbd9c>] ? ieee80211_scan_completed+0x36c/0x39d [mac80211]
 [<ffffffffa03f7f4e>] ? iwl_bg_scan_completed+0x9d/0xd4 [iwlcore]
 [<ffffffff8104ba47>] ? worker_thread+0x1e2/0x2ea
 [<ffffffff8104b9f3>] ? worker_thread+0x18e/0x2ea
 [<ffffffffa03f7eb1>] ? iwl_bg_scan_completed+0x0/0xd4 [iwlcore]
 [<ffffffff8104f6cf>] ? autoremove_wake_function+0x0/0x2e
 [<ffffffff8102c710>] ? __wake_up_common+0x44/0x72
 [<ffffffff8104b865>] ? worker_thread+0x0/0x2ea
 [<ffffffff8104b865>] ? worker_thread+0x0/0x2ea
 [<ffffffff8104f32f>] ? kthread+0x54/0x80
 [<ffffffff812e00db>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff8100caba>] ? child_rip+0xa/0x20
 [<ffffffff812e0460>] ? _spin_unlock_irq+0x24/0x27
 [<ffffffff8100c4bc>] ? restore_args+0x0/0x30
 [<ffffffff812de017>] ? schedule+0x9/0x1d
 [<ffffffff8104f2b6>] ? kthreadd+0xff/0x124
 [<ffffffff8104f2db>] ? kthread+0x0/0x80
 [<ffffffff8100cab0>] ? child_rip+0x0/0x20
Code: 48 8d 54 24 40 48 8b b3 a8 00 00 00 31 c0 48 c7 c7 e3 46 3d a0 e8 f8 f1 f1 e0 49 8b 54 24 28 48 8b 83 10 04 00 00 41 83 3c 24 00 <8b> 00 48 8b 74 c2 40 75 08 41 c7 04 24 64 00 00 00 bf 12 00 00
RIP [<ffffffffa03be114>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
 RSP <ffff88006c5cdd50>
CR2: 0000000000000000
---[ end trace 4eaefd7f8b3cb6b8 ]---
wlan0: no IPv6 routers present
Created an attachment (id=1963)
log message
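The oops above is the main evidence in this report, and the second log attached later repeats the same fields on 32-bit. The script below is an added example written for this page, not code from the kernel, mac80211 or the reporter: it parses an x86 oops into the fields a triager reads first (the BUG: headline, the CR2 faulting address, the page-fault error code on the "Oops:" line, the instruction-pointer symbol and module, which call-trace frames are reliable and which carry the "?" marker, and the instruction bytes marked in the Code: dump). SAMPLE is an excerpt of this report's own trace; the Frame/Oops field names and the summary() wording are my own choices.

```python
# Added example for this bug report, not kernel/mac80211/reporter code.
# SAMPLE is an excerpt of the oops in the report; field names below are mine.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A frame as the kernel prints it; a leading "?" marks an address the unwinder
# found on the stack but could not prove is a live return address.
FRAME_RE = re.compile(
    r"\[<(?P<addr>[0-9a-f]+)>\]\s+(?P<unreliable>\?\s+)?"
    r"(?P<sym>[A-Za-z_.$][\w.$]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>[\w-]+)\])?")
PID_RE = re.compile(r"Pid:\s*(\d+),\s*comm:\s*(\S+)\s+Tainted:\s*(.*?)\s+(\d+\.\d+\S*)\s+#\d+")
OOPS_RE = re.compile(r"Oops:\s*([0-9a-f]{4})\s*\[#\d+\]")
CR2_RE = re.compile(r"\bCR2:\s*([0-9a-f]+)")

SAMPLE = """\
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffffa03be114>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
Oops: 0000 [#1] SMP
Pid: 16971, comm: iwlagn Tainted: G W 2.6.30-rc2-wl #10 Santa Rosa platform
CR2: 0000000000000000 CR3: 00000000770d3000 CR4: 00000000000006e0
Call Trace:
 [<ffffffffa03be1fd>] ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211]
 [<ffffffffa03be25b>] ? ieee80211_ibss_notify_scan_completed+0x5e/0x88 [mac80211]
 [<ffffffffa03f7f4e>] ? iwl_bg_scan_completed+0x9d/0xd4 [iwlcore]
 [<ffffffff8104ba47>] ? worker_thread+0x1e2/0x2ea
Code: 48 8b 83 10 04 00 00 41 83 3c 24 00 <8b> 00 48 8b 74 c2 40 75 08
RIP [<ffffffffa03be114>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
---[ end trace 4eaefd7f8b3cb6b8 ]---
"""

@dataclass
class Frame:
    addr: int
    symbol: str
    offset: int
    size: int
    module: Optional[str]  # None for a symbol built into vmlinux
    reliable: bool         # False for "?" frames

@dataclass
class Oops:
    message: str = ""
    error_code: int = 0                # x86 page-fault error code
    fault_addr: Optional[int] = None   # CR2
    ip: Optional[Frame] = None
    pid: Optional[int] = None
    comm: str = ""
    taint: str = ""
    kernel: str = ""
    trace: List[Frame] = field(default_factory=list)
    code: List[int] = field(default_factory=list)
    fault_byte: Optional[int] = None   # index in `code` of the <marked> byte

def _frame(m) -> Frame:
    return Frame(int(m["addr"], 16), m["sym"], int(m["off"], 16),
                 int(m["size"], 16), m["mod"], m["unreliable"] is None)

def decode_fault_code(code: int) -> Dict[str, bool]:
    # Bit 0: page present, bit 1: write access, bit 2: user mode, bit 4: instruction fetch.
    return {"present": bool(code & 1), "write": bool(code & 2),
            "user": bool(code & 4), "instruction_fetch": bool(code & 16)}

def parse_oops(text: str) -> Oops:
    o, in_trace = Oops(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BUG:"):
            o.message = line[4:].strip()
        elif line.startswith("IP:") and (m := FRAME_RE.search(line)):
            o.ip = _frame(m)
        elif line.startswith("Oops:") and (m := OOPS_RE.search(line)):
            o.error_code = int(m[1], 16)
        elif line.startswith("Pid:") and (m := PID_RE.search(line)):
            o.pid, o.comm, o.taint, o.kernel = int(m[1]), m[2], m[3], m[4]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):       # the trace ends where the Code: dump starts
            in_trace = False
            for i, tok in enumerate(line[5:].split()):
                if tok[0] == "<":            # <..> marks the byte the CPU faulted on
                    o.fault_byte, tok = i, tok[1:-1]
                o.code.append(int(tok, 16))
        elif in_trace:
            o.trace.extend(_frame(m) for m in FRAME_RE.finditer(line))
        if (m := CR2_RE.search(line)) and o.fault_addr is None:
            o.fault_addr = int(m[1], 16)
    return o

def summary(o: Oops) -> str:
    # One-line triage verdict built from the parsed fields.
    f = decode_fault_code(o.error_code)
    where = "?" if o.ip is None else "%s+0x%x/0x%x%s" % (
        o.ip.symbol, o.ip.offset, o.ip.size, " [%s]" % o.ip.module if o.ip.module else "")
    return "%s: %s-mode %s of %s page at 0x%x (pid %s %s, %s, taint '%s')" % (
        where, "user" if f["user"] else "kernel", "write" if f["write"] else "read",
        "present" if f["present"] else "non-present", o.fault_addr or 0,
        o.pid, o.comm, o.kernel, o.taint)

if __name__ == "__main__":
    print(summary(parse_oops(SAMPLE)))
```

Run against the report's trace it reports a kernel-mode read of a non-present page at 0x0 from ieee80211_sta_find_ibss+0x294 in mac80211. That matches the register dump: the marked bytes 8b 00 decode to mov (%rax),%eax and RAX is zero, which is what a NULL pointer dereference through a struct pointer looks like. Only the unmarked ieee80211_ibss_notify_scan_completed frame is a confirmed caller; the "?" frames are stale return addresses the unwinder could not verify, so the parser keeps the reliable flag per frame rather than discarding them.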
Johannes sent a patch upstream to address this. See http://marc.info/?l=linux-wireless&m=124048017325147&w=2

Subject: [PATCH v2] mac80211: fix various problems in ibss code
From: Johannes Berg <johannes@sipsolutions.net>

There are a few problems in the IBSS code:
 a) it tries to activate interfaces that are down after scanning
 b) it crashes after scanning on an IBSS iface that isn't active
 c) since the ssid_len is used as a flag, need to make it visible only after all other settings are set, this helps protect against b)

For b), we get a system crash:

wlan0: Creating new IBSS network, BSSID ce:f9:88:76:1e:4d
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<...>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
Call Trace:
 [<...>] ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211]

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---

This patch should be in our repo next week some time.
Created an attachment (id=1972)
new log

see new WARNING message after running auto IBSS testing.

Testing Environment
==============================================
Platform : Intel SDV M3M41
Wireless Card : Intel(R) WiFi Link 5100
OS : Redhat Fedora release 10 (Cambridge) 32bit
AP : Cisco 1250
uCode : iwlwifi-5000-1.ucode 5.4.1.16
Source : commit bfe39c927702f6517a1741e395277c21addef385 (Fri Apr 24 13:04:59 2009)
Peer : Intel SDV M3M31

Part of log message
==============================================
EIP: [<f87ad2ea>] ieee80211_sta_find_ibss+0x291/0x3a7 [mac80211] SS:ESP 0068:f1deded8
CR2: 0000000000000000
---[ end trace 703d95d318a986e1 ]---
------------[ cut here ]------------
WARNING: at kernel/workqueue.c:371 flush_cpu_workqueue+0x26/0x68()
Hardware name: Montevina platform
Modules linked in: iwlagn iwlcore rfkill mac80211 cfg80211 sco bridge stp bnep l2cap bluetooth sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 cpufreq_ondemand acpi_cpufreq dm_mirror dm_region_hash dm_log dm_multipath dm_mod uinput arc4 ecb snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss sr_mod snd_pcm snd_timer snd soundcore i2c_i801 e1000 i2c_core snd_page_alloc cdrom video output sg battery pcspkr serio_raw button ac ata_generic ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: cfg80211]
Pid: 5135, comm: ifconfig Tainted: G D W 2.6.30-rc3-wl #3
Call Trace:
 [<c0429193>] warn_slowpath+0x71/0xa0
 [<c065cca0>] ? __schedule+0x91b/0x973
 [<c0412e32>] ? smp_apic_timer_interrupt+0x6f/0x7d
 [<c04032a6>] ? apic_timer_interrupt+0x2a/0x30
 [<f90a007b>] ? iwl_pci_probe+0x784/0x8d6 [iwlagn]
 [<c065cd00>] ? schedule+0x8/0x17
 [<c04258ca>] ? __cond_resched+0x25/0x3b
 [<c0436e00>] ? __cancel_work_timer+0x9f/0x155
 [<c0436a7c>] flush_cpu_workqueue+0x26/0x68
 [<c0431047>] ? try_to_del_timer_sync+0x48/0x4f
 [<c0436f8e>] flush_workqueue+0x3f/0x5d
 [<f909c712>] iwl_mac_stop+0xa0/0x192 [iwlagn]
 [<f87b1565>] ieee80211_stop+0x420/0x48e [mac80211]
 [<c05f6515>] ? dev_deactivate+0x121/0x151
 [<c05e88de>] dev_close+0x7a/0x9b
 [<c05e85f7>] dev_change_flags+0xa5/0x158
 [<c06260cc>] devinet_ioctl+0x21a/0x50a
 [<c062710e>] inet_ioctl+0x8e/0xa7
 [<c05db819>] sock_ioctl+0x1e8/0x20c
 [<c05db631>] ? sock_ioctl+0x0/0x20c
 [<c04995be>] vfs_ioctl+0x22/0x69
 [<c0499ac4>] do_vfs_ioctl+0x4bf/0x4f8
 [<c0499b3d>] sys_ioctl+0x40/0x5a
 [<c0402984>] sysenter_do_call+0x12/0x22
---[ end trace 703d95d318a986e2 ]---
wlan0: no IPv6 routers present
Patch mentioned in comment #2 can now be found in our repo. Marking as FIXED.
I retested it on 2.6.30-rc4-wl (commit 7b2d7414d5da4d742319588c4a8b4bce62139929); this issue was fixed. Marked as verified.