ar9170usb crashes during iwconfig for ad-hoc mode

ar9170usb crashes during iwconfig for ad-hoc mode

[Joerg Albert]

After
	ifconfig wlan1 down
	iwconfig wlan1 mode managed essid huhu
	ifconfig wlan1 up
	ifconfig wlan1 down
	iwconfig wlan1 mode ad-hoc essid huhu_a channel 1

ar9170 crashes (see below for the syslog).

It seems like ar9170_op_bss_info_changed() is called with ar->vif == NULL
(i.e. ((struct ar9170 *)hw->priv)->vif == NULL), while parameter vif != NULL and
changed & (BSS_CHANGED_BEACON | BSS_CHANGED_BEACON_ENABLED) is non-zero.
ar->vif is passed unchecked to ieee80211_beacon_get().

Is this something ar9170 is supposed to handle or a bug in cfg80211/mac80211?
Is a driver's *bss_info_changed proc called while the netdev is closed?

Regards,
Joerg

Aug  2 10:15:42 nc10 kernel: [ 7174.202095] BUG: unable to handle kernel NULL pointer dereference at (null)
Aug  2 10:15:42 nc10 kernel: [ 7174.202118] IP: [<f8ecf27f>] ieee80211_beacon_get+0x1f/0x2a0 [mac80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.202183] *pde = 00000000
Aug  2 10:15:42 nc10 kernel: [ 7174.202194] Oops: 0000 [#1] SMP
Aug  2 10:15:42 nc10 kernel: [ 7174.202206] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0A08:00/device:23/PNP0C09:00/PNP0C0A:00/power_supply/BAT1/charge_full
Aug  2 10:15:42 nc10 kernel: [ 7174.202573]
Aug  2 10:15:42 nc10 kernel: [ 7174.202586] Pid: 23223, comm: iwconfig Not tainted (2.6.30 #1) NC10

Aug  2 10:15:42 nc10 kernel: [ 7174.202599] EIP: 0060:[<f8ecf27f>] EFLAGS: 00010297 CPU: 1
Aug  2 10:15:42 nc10 kernel: [ 7174.202648] EIP is at ieee80211_beacon_get+0x1f/0x2a0 [mac80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.202660] EAX: 00000000 EBX: f6d461c0 ECX: f66807cc EDX: fffffbb8
Aug  2 10:15:42 nc10 kernel: [ 7174.202672] ESI: f66807cc EDI: 00000200 EBP: f5fb1cf4 ESP: f5fb1cc0
Aug  2 10:15:42 nc10 kernel: [ 7174.202683]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Aug  2 10:15:42 nc10 kernel: [ 7174.202696] Process iwconfig (pid: 23223, ti=f5fb0000 task=d35918e0 task.ti=f5fb0000)
Aug  2 10:15:42 nc10 kernel: [ 7174.202706] Stack:
Aug  2 10:15:42 nc10 kernel: [ 7174.202713]  c04e53b8 00000000 c064aac0 f7424018 f77c9000 f7424018 f5fb1f00 fffffbb8
Aug  2 10:15:42 nc10 kernel: [ 7174.202739]  00000000 00000246 f6d46a20 f66807cc 00000200 f5fb1d2c fa03dde6 c01fcde6
Aug  2 10:15:42 nc10 kernel: [ 7174.202767]  00000178 00000174 f6d46a20 f5fb1d14 f5fb1d58 c0145ecc 00000000 f5fb1d2c
Aug  2 10:15:42 nc10 kernel: [ 7174.202797] Call Trace:
Aug  2 10:15:42 nc10 kernel: [ 7174.202807]  [<fa03dde6>] ? ar9170_update_beacon+0x16/0x430 [ar9170usb]
Aug  2 10:15:42 nc10 kernel: [ 7174.202836]  [<c01fcde6>] ? proc_alloc_inode+0x16/0x70
Aug  2 10:15:42 nc10 kernel: [ 7174.202857]  [<c0145ecc>] ? __cancel_work_timer+0x3c/0x160
Aug  2 10:15:42 nc10 kernel: [ 7174.202876]  [<fa03b205>] ? ar9170_op_bss_info_changed+0xb5/0x120 [ar9170usb]
Aug  2 10:15:42 nc10 kernel: [ 7174.202901]  [<fa03b150>] ? ar9170_op_bss_info_changed+0x0/0x120 [ar9170usb]
Aug  2 10:15:42 nc10 kernel: [ 7174.202926]  [<f8ebcf38>] ? ieee80211_bss_info_change_notify+0xf8/0x1c0 [mac80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.202973]  [<f8ec1a99>] ? ieee80211_ibss_leave+0x79/0xc0 [mac80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.203020]  [<f8ec9f7e>] ? ieee80211_leave_ibss+0xe/0x10 [mac80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.203070]  [<f8c5a312>] ? __cfg80211_leave_ibss+0x52/0x80 [cfg80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.203116]  [<f8c5a9d6>] ? cfg80211_ibss_wext_siwessid+0x76/0x120 [cfg80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.203158]  [<f8c5cdb7>] ? cfg80211_wext_siwessid+0x57/0x70 [cfg80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.203198]  [<c04b6ad9>] ? ioctl_standard_call+0x199/0x3a0
Aug  2 10:15:42 nc10 kernel: [ 7174.203218]  [<c03fe66d>] ? __dev_get_by_name+0x7d/0xa0
Aug  2 10:15:42 nc10 kernel: [ 7174.203237]  [<c04b65ef>] ? wext_handle_ioctl+0x14f/0x220
Aug  2 10:15:42 nc10 kernel: [ 7174.203253]  [<f8c5cd60>] ? cfg80211_wext_siwessid+0x0/0x70 [cfg80211]
Aug  2 10:15:42 nc10 kernel: [ 7174.203294]  [<c03ff1d0>] ? dev_ioctl+0x460/0x540
Aug  2 10:15:42 nc10 kernel: [ 7174.203312]  [<c03ee150>] ? sock_ioctl+0x0/0x260
Aug  2 10:15:42 nc10 kernel: [ 7174.203328]  [<c03ee23d>] ? sock_ioctl+0xed/0x260
Aug  2 10:15:42 nc10 kernel: [ 7174.203344]  [<c03ee150>] ? sock_ioctl+0x0/0x260
Aug  2 10:15:42 nc10 kernel: [ 7174.203358]  [<c01cc048>] ? vfs_ioctl+0x28/0x80
Aug  2 10:15:42 nc10 kernel: [ 7174.203376]  [<c01cc112>] ? do_vfs_ioctl+0x72/0x580
Aug  2 10:15:42 nc10 kernel: [ 7174.203392]  [<c01a7596>] ? unmap_region+0x106/0x130
Aug  2 10:15:42 nc10 kernel: [ 7174.203408]  [<c01a7606>] ? remove_vma+0x46/0x60
Aug  2 10:15:42 nc10 kernel: [ 7174.203423]  [<c01a7606>] ? remove_vma+0x46/0x60
Aug  2 10:15:42 nc10 kernel: [ 7174.203437]  [<c01a8483>] ? do_munmap+0x223/0x280
Aug  2 10:15:42 nc10 kernel: [ 7174.203453]  [<c01cc683>] ? sys_ioctl+0x63/0x70
Aug  2 10:15:42 nc10 kernel: [ 7174.203469]  [<c0102fc4>] ? sysenter_do_call+0x12/0x22
Aug  2 10:15:42 nc10 kernel: [ 7174.203487] Code: 7d e4 c6 45 eb fe e9 51 ff ff ff 90 55 89 e5 57 56 53 89 c3 83 ec 28 89 55 d0 8b 40 1c 81 ea 48 04 00 00 8b 00 89 55 e8 89 45 ec 
<8b> 82 48 04 00 00 83 f8 03 0f 84 2a 01 00 00 83 f8 01 0f 84 49
Aug  2 10:15:42 nc10 kernel: [ 7174.203631] EIP: [<f8ecf27f>] ieee80211_beacon_get+0x1f/0x2a0 [mac80211] SS:ESP 0068:f5fb1cc0
Aug  2 10:15:42 nc10 kernel: [ 7174.203687] CR2: 0000000000000000
Aug  2 10:15:42 nc10 kernel: [ 7174.203699] ---[ end trace 0732cb3688c4eefe ]---

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Joerg Albert]

On 08/02/2009 03:23 PM, Joerg Albert wrote:
> After
>     ifconfig wlan1 down
>     iwconfig wlan1 mode managed essid huhu
>     ifconfig wlan1 up
>     ifconfig wlan1 down
>     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1
> 
> ar9170 crashes (see below for the syslog).
> 
> It seems like ar9170_op_bss_info_changed() is called with ar->vif == NULL
> (i.e. ((struct ar9170 *)hw->priv)->vif == NULL), while parameter vif != 
> NULL and
> changed & (BSS_CHANGED_BEACON | BSS_CHANGED_BEACON_ENABLED) is non-zero.
> ar->vif is passed unchecked to ieee80211_beacon_get().
> 
> Is this something ar9170 is supposed to handle or a bug in 
> cfg80211/mac80211?
> Is a driver's *bss_info_changed proc called while the netdev is closed?

It looks like ar->vif is set to NULL by ar9170_remove_interface() and the one call
of ar9170_op_bss_info_changed() when ad-hoc is configured has changed==BSS_CHANGED_BEACON_ENABLED
with bss_info->enable_beacon == 0.
So it's a bug in the ar9170. I'll try to post a patch.

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 1179 bytes --]

On Mon, 2009-08-03 at 00:28 +0200, Joerg Albert wrote:
> On 08/02/2009 03:23 PM, Joerg Albert wrote:
> > After
> >     ifconfig wlan1 down
> >     iwconfig wlan1 mode managed essid huhu
> >     ifconfig wlan1 up
> >     ifconfig wlan1 down
> >     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1
> > 
> > ar9170 crashes (see below for the syslog).
> > 
> > It seems like ar9170_op_bss_info_changed() is called with ar->vif == NULL
> > (i.e. ((struct ar9170 *)hw->priv)->vif == NULL), while parameter vif != 
> > NULL and
> > changed & (BSS_CHANGED_BEACON | BSS_CHANGED_BEACON_ENABLED) is non-zero.
> > ar->vif is passed unchecked to ieee80211_beacon_get().
> > 
> > Is this something ar9170 is supposed to handle or a bug in 
> > cfg80211/mac80211?
> > Is a driver's *bss_info_changed proc called while the netdev is closed?
> 
> It looks like ar->vif is set to NULL by ar9170_remove_interface() and the one call
> of ar9170_op_bss_info_changed() when ad-hoc is configured has changed==BSS_CHANGED_BEACON_ENABLED
> with bss_info->enable_beacon == 0.
> So it's a bug in the ar9170. I'll try to post a patch.

No, it's a bug in cfg80211 :)

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 475 bytes --]

On Mon, 2009-08-03 at 10:44 +0200, Johannes Berg wrote:

> > >     ifconfig wlan1 down
> > >     iwconfig wlan1 mode managed essid huhu
> > >     ifconfig wlan1 up
> > >     ifconfig wlan1 down
> > >     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1

> No, it's a bug in cfg80211 :)

But it's not making sense to me. I'll have to try to reproduce it. In
any case, we shouldn't be calling in to mac80211 from cfg80211 while the
interface is down.

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Joerg Albert]

> On Mon, 2009-08-03 at 10:44 +0200, Johannes Berg wrote:
> 
> > > >     ifconfig wlan1 down
> > > >     iwconfig wlan1 mode managed essid huhu
> > > >     ifconfig wlan1 up
> > > >     ifconfig wlan1 down
> > > >     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1
> 
> > No, it's a bug in cfg80211 :)
> 
> But it's not making sense to me. I'll have to try to reproduce it. In
> any case, we shouldn't be calling in to mac80211 from cfg80211 while the
> interface is down.

I guess this is caused by the call to __cfg80211_leave_ibss()
in  net/wireless/ibss.c::cfg80211_ibss_wext_siwfreq() trying to
disable the beacon via net/mac80211::ieee80211_ibss_leave().
-- 
Neu: GMX Doppel-FLAT mit Internet-Flatrate + Telefon-Flatrate
für nur 19,99 Euro/mtl.!* http://portal.gmx.net/de/go/dsl02

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Christian Lamparter]

[-- Attachment #1: Type: text/plain, Size: 841 bytes --]

On Monday 03 August 2009 14:36:42 Joerg Albert wrote:
> 
> > On Mon, 2009-08-03 at 10:44 +0200, Johannes Berg wrote:
> > 
> > > > >     ifconfig wlan1 down
> > > > >     iwconfig wlan1 mode managed essid huhu
> > > > >     ifconfig wlan1 up
> > > > >     ifconfig wlan1 down
> > > > >     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1
> > 
> > > No, it's a bug in cfg80211 :)
> > 
> > But it's not making sense to me. I'll have to try to reproduce it. In
> > any case, we shouldn't be calling in to mac80211 from cfg80211 while the
> > interface is down.
> 
> I guess this is caused by the call to __cfg80211_leave_ibss()
> in  net/wireless/ibss.c::cfg80211_ibss_wext_siwfreq() trying to
> disable the beacon via net/mac80211::ieee80211_ibss_leave().
what about this? (only compiled so far, don't have the device here...)

Regards,
	Chr

[-- Attachment #2: bss-beacon.diff --]
[-- Type: text/x-patch, Size: 495 bytes --]

diff --git a/drivers/net/wireless/ath/ar9170/main.c b/drivers/net/wireless/ath/ar9170/main.c
index 099ed3c..9c97ad7 100644
--- a/drivers/net/wireless/ath/ar9170/main.c
+++ b/drivers/net/wireless/ath/ar9170/main.c
@@ -2177,7 +2177,7 @@ static void ar9170_op_bss_info_changed(struct ieee80211_hw *hw,
 			goto out;
 	}
 
-	if (changed & (BSS_CHANGED_BEACON | BSS_CHANGED_BEACON_ENABLED)) {
+	if (changed & BSS_CHANGED_BEACON_ENABLED) {
 		err = ar9170_update_beacon(ar);
 		if (err)
 			goto out;

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Johannes Berg]

[-- Attachment #1: Type: text/plain, Size: 873 bytes --]

On Mon, 2009-08-03 at 14:36 +0200, Joerg Albert wrote:
> 
> > On Mon, 2009-08-03 at 10:44 +0200, Johannes Berg wrote:
> > 
> > > > >     ifconfig wlan1 down
> > > > >     iwconfig wlan1 mode managed essid huhu
> > > > >     ifconfig wlan1 up
> > > > >     ifconfig wlan1 down
> > > > >     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1
> > 
> > > No, it's a bug in cfg80211 :)
> > 
> > But it's not making sense to me. I'll have to try to reproduce it. In
> > any case, we shouldn't be calling in to mac80211 from cfg80211 while the
> > interface is down.
> 
> I guess this is caused by the call to __cfg80211_leave_ibss()
> in  net/wireless/ibss.c::cfg80211_ibss_wext_siwfreq() trying to
> disable the beacon via net/mac80211::ieee80211_ibss_leave().

But it only does that if (wdev->ssid_len) which should be false, so I'm
confused.

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: ar9170usb crashes during iwconfig for ad-hoc mode

[Joerg Albert]

Hi Christian,

On 08/03/2009 03:09 PM, Christian Lamparter wrote:
> On Monday 03 August 2009 14:36:42 Joerg Albert wrote:
>>> On Mon, 2009-08-03 at 10:44 +0200, Johannes Berg wrote:
>>>
>>>>>>     ifconfig wlan1 down
>>>>>>     iwconfig wlan1 mode managed essid huhu
>>>>>>     ifconfig wlan1 up
>>>>>>     ifconfig wlan1 down
>>>>>>     iwconfig wlan1 mode ad-hoc essid huhu_a channel 1
>>>> No, it's a bug in cfg80211 :)
>>> But it's not making sense to me. I'll have to try to reproduce it. In
>>> any case, we shouldn't be calling in to mac80211 from cfg80211 while the
>>> interface is down.
>> I guess this is caused by the call to __cfg80211_leave_ibss()
>> in  net/wireless/ibss.c::cfg80211_ibss_wext_siwfreq() trying to
>> disable the beacon via net/mac80211::ieee80211_ibss_leave().

> what about this? (only compiled so far, don't have the device here...)

 > diff --git a/drivers/net/wireless/ath/ar9170/main.c b/drivers/net/wireless/ath/ar9170/main.c
 > index 099ed3c..9c97ad7 100644
 > --- a/drivers/net/wireless/ath/ar9170/main.c
 > +++ b/drivers/net/wireless/ath/ar9170/main.c
 > @@ -2177,7 +2177,7 @@ static void ar9170_op_bss_info_changed(struct ieee80211_hw *hw,
 >                         goto out;
 >         }
 >
 > -       if (changed & (BSS_CHANGED_BEACON | BSS_CHANGED_BEACON_ENABLED)) {
 > +       if (changed & BSS_CHANGED_BEACON_ENABLED) {
 >                 err = ar9170_update_beacon(ar);
 >               if (err)
 >                         goto out;

Thanks for the patch,  but I think it won't help. ar9170_op_bss_info_changed() is called
with BSS_CHANGED_BEACON_ENABLED set in changed, while ar->vif is NULL as _op_remove_interface() was called before
(by "ifconfig down"). This triggers the crash.

I've got a patch ready here, which uses the vif parameter of ar9170_op_bss_info_changed() instead of ar->vif.
I'll try Johannes' patch first.

Regards,
Joerg.