Bug 330621

Summary: ath5k driver causes a null pointer dereference on network start
Product: [Fedora] Fedora
Reporter: Joseph Davidson <nugins99>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low    
Version: 6   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Last Closed: 2007-10-15 18:16:37 UTC

Description Joseph Davidson 2007-10-13 13:26:25 UTC
Description of problem:
Starting network causes ath5k driver to crash inside the kernel. 

Loading the device driver and calling iwconfig doesn't seem to trigger
this bug.  Only the process of calling ifup.   

Version-Release number of selected component (if applicable):
2.6.23-6.fc8-i586

How reproducible:
Every time network service is started on interface. 

Steps to Reproduce:
Attempt to bring up wlan0 
  
Actual results:
Oct 12 18:28:55 localhost kernel: BUG: unable to handle kernel NULL pointer 
dereference at virtual address 00000000
Oct 12 18:28:55 localhost kernel: printing eip: f899f331 *pde = 27743067 *pte 
= 00000000 
Oct 12 18:28:55 localhost kernel: Oops: 0000 [#1] SMP 
Oct 12 18:28:55 localhost kernel: Modules linked in: autofs4 rfcomm l2cap 
bluetooth sunrpc dm_mirror dm_multipath dm_mod ipv6 floppy snd_emu10k1_synth 
snd_emux_synth snd_seq_virmidi snd_seq_midi_emul snd_emu10k1 snd_rawmidi 
snd_ac97_codec ac97_bus snd_seq_dummy arc4 ecb snd_seq_oss blkcipher 
snd_seq_midi_event snd_seq snd_pcm_oss snd_mixer_oss snd_pcm rc80211_simple 
snd_seq_device snd_timer snd_page_alloc snd_util_mem snd_hwdep snd 
firewire_ohci firewire_core ath5k parport_pc emu10k1_gp crc_itu_t parport 
soundcore mac80211 gameport cfg80211 k8temp hwmon i2c_nforce2 forcedeth 
i2c_core button sg sr_mod cdrom ata_generic pata_amd libata sd_mod scsi_mod 
ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Oct 12 18:28:55 localhost kernel: CPU:    0
Oct 12 18:28:55 localhost kernel: EIP:    0060:[<f899f331>]    Not tainted VLI
Oct 12 18:28:55 localhost kernel: EFLAGS: 00210246   (2.6.23-6.fc8 #1)
Oct 12 18:28:55 localhost kernel: EIP is at ath5k_hw_reset+0x39c/0xcd0 [ath5k]
Oct 12 18:28:55 localhost kernel: eax: 00000000   ebx: f7b6a000   ecx: 
00000000   edx: 00000005
Oct 12 18:28:55 localhost kernel: esi: 00000000   edi: 00000000   ebp: 
e7536e10   esp: e7536dac
Oct 12 18:28:55 localhost kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  
ss: 0068
Oct 12 18:28:55 localhost kernel: Process ip (pid: 2933, ti=e7536000 
task=e7928000 task.ti=e7536000)
Oct 12 18:28:55 localhost kernel: Stack: c0502278 e7536df4 f89994e0 f77b9190 
f7e6d060 00000002 f77baf4c f77baf44 
Oct 12 18:28:55 localhost kernel:        00000000 00000000 00000001 f8969801 
00000003 00000001 00000002 00000014 
Oct 12 18:28:55 localhost kernel:        e7536df4 00000000 00000000 00000000 
f77b8fe0 f7b6a600 f7b6a000 f77b8fe0 
Oct 12 18:28:55 localhost kernel: Call Trace:
Oct 12 18:28:55 localhost kernel:  [<c0406463>] show_trace_log_lvl+0x1a/0x2f
Oct 12 18:28:55 localhost kernel:  [<c0406513>] show_stack_log_lvl+0x9b/0xa3
Oct 12 18:28:55 localhost kernel:  [<c04066d3>] show_registers+0x1b8/0x289
Oct 12 18:28:55 localhost kernel:  [<c04068af>] die+0x10b/0x23e
Oct 12 18:28:55 localhost kernel:  [<c063638c>] do_page_fault+0x51c/0x5ed
Oct 12 18:28:55 localhost kernel:  [<c0634ab2>] error_code+0x72/0x78
Oct 12 18:28:55 localhost kernel:  [<f8999a82>] ath_init+0x74/0xfb [ath5k]
Oct 12 18:28:55 localhost kernel:  [<f8999b9f>] ath_open+0xb/0xd [ath5k]
Oct 12 18:28:55 localhost kernel:  [<f89565d8>] ieee80211_open+0x259/0x320 
[mac80211]
Oct 12 18:28:55 localhost kernel:  [<c05cfdca>] dev_open+0x31/0x6c
Oct 12 18:28:55 localhost kernel:  [<c05cdf21>] dev_change_flags+0xa3/0x156
Oct 12 18:28:55 localhost kernel:  [<c060e80d>] devinet_ioctl+0x207/0x50e
Oct 12 18:28:55 localhost kernel:  [<c060eebb>] inet_ioctl+0x86/0xa4
Oct 12 18:28:55 localhost kernel:  [<c05c40f6>] sock_ioctl+0x1ac/0x1c9
Oct 12 18:28:55 localhost kernel:  [<c049434e>] do_ioctl+0x22/0x68
Oct 12 18:28:55 localhost kernel:  [<c04945dd>] vfs_ioctl+0x249/0x25c
Oct 12 18:28:55 localhost kernel:  [<c0494639>] sys_ioctl+0x49/0x64
Oct 12 18:28:55 localhost kernel:  [<c040522e>] syscall_call+0x7/0xb
Oct 12 18:28:55 localhost kernel:  =======================
Oct 12 18:28:55 localhost kernel: Code: 00 00 03 5a 08 89 fa c7 44 24 04 00 00 
00 00 0f b6 46 1c 89 04 24 8b 45 ac e8 50 cf ff ff 89 da 0f b7 c0 e8 a9 4a b6 
c7 ff 45 e8 <0f> b7 07 83 c6 14 39 45 e8 72 b0 8b 4d ac 83 79 48 01 76 51 66 
Oct 12 18:28:55 localhost kernel: EIP: [<f899f331>] ath5k_hw_reset+0x39c/0xcd0 
[ath5k] SS:ESP 0068:e7536dac


Expected results:
Network should be working. 

Additional info:
$ /sbin/lspci
00:00.0 Host bridge: nVidia Corporation nForce3 250Gb Host Bridge (rev a1)
00:01.0 ISA bridge: nVidia Corporation nForce3 250Gb LPC Bridge (rev a2)
00:01.1 SMBus: nVidia Corporation nForce 250Gb PCI System Management (rev a1)
00:02.0 USB Controller: nVidia Corporation CK8S USB Controller (rev a1)
00:02.1 USB Controller: nVidia Corporation CK8S USB Controller (rev a1)
00:02.2 USB Controller: nVidia Corporation nForce3 EHCI USB 2.0 Controller 
(rev a2)
00:05.0 Bridge: nVidia Corporation CK8S Ethernet Controller (rev a2)
00:08.0 IDE interface: nVidia Corporation CK8S Parallel ATA Controller (v2.5) 
(rev a2)
00:0b.0 PCI bridge: nVidia Corporation nForce3 250Gb AGP Host to PCI Bridge 
(rev a2)
00:0e.0 PCI bridge: nVidia Corporation nForce3 250Gb PCI-to-PCI Bridge (rev 
a2)
00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] 
HyperTransport Technology Configuration
00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] 
Address Map
00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM 
Controller
00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] 
Miscellaneous Control
01:00.0 VGA compatible controller: nVidia Corporation NV40 [GeForce 6800] (rev 
a1)
02:07.0 Ethernet controller: Atheros Communications, Inc. AR5005G 802.11abg 
NIC (rev 01)
02:08.0 Multimedia audio controller: Creative Labs SB Audigy (rev 04)
02:08.1 Input device controller: Creative Labs SB Audigy Game Port (rev 04)
02:08.2 FireWire (IEEE 1394): Creative Labs SB Audigy FireWire Port (rev 04)
02:0c.0 FireWire (IEEE 1394): VIA Technologies, Inc. IEEE 1394 Host Controller 
(rev 46)

Comment 1 Joseph Davidson 2007-10-14 01:46:41 UTC
I've spent some time digging into this a bit more...

It appears that ath5k_hw_get_rate_table() is returning NULL.
It is getting passed a mode value of 5, and
hal->ah_capabilities.cap_mode == 6

So the function returns NULL with this if statement: 
	if (!test_bit(mode, hal->ah_capabilities.cap_mode))
		return NULL;

Some more information on the hardware:
This card is a Dynex DX-WGDTC (purchased at BestBuy)
02:07.0 Ethernet controller: Atheros Communications, Inc. AR5005G 802.11abg 
NIC (rev 01)
        Subsystem: Unknown device 17f9:0018
        Flags: bus master, medium devsel, latency 168, IRQ 20
        Memory at eb000000 (32-bit, non-prefetchable) [size=64K]
        Capabilities: [44] Power Management version 2
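
Added example (not part of the original report and not the ath5k driver's own code): a user-space model of the condition Comment 1 describes, where a rate-table lookup returns NULL because the requested mode bit is not set in the capability bitmap, together with a caller that checks the result instead of reading through it. All model_* names, the table contents and the treatment of cap_mode as a one-word bitmap holding 6 are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

struct model_rate_table { unsigned short rate_count; };

/* Values from Comment 1: cap_mode == 6 (bits 1 and 2 set), mode == 5. */
static const unsigned long report_cap_mode[1] = { 6 };

/* Same semantics as the kernel's test_bit(): is bit nr set in the bitmap? */
static int model_test_bit(unsigned int nr, const unsigned long *map)
{
    return (int)((map[nr / MODEL_BITS_PER_LONG] >> (nr % MODEL_BITS_PER_LONG)) & 1UL);
}

/* Mirrors the quoted check: NULL when the mode is not an advertised capability. */
static const struct model_rate_table *
model_get_rate_table(unsigned int mode, const unsigned long *cap_mode)
{
    static const struct model_rate_table table = { 8 }; /* constructed value */

    if (!model_test_bit(mode, cap_mode))
        return NULL;
    return &table;
}

/* Hypothetical caller: validate the lookup before touching the table. */
static int model_hw_reset(unsigned int mode, const unsigned long *cap_mode)
{
    const struct model_rate_table *rt = model_get_rate_table(mode, cap_mode);

    if (rt == NULL)
        return -EINVAL; /* fail the interface open instead of dereferencing NULL */
    return rt->rate_count;
}

int main(void)
{
    printf("mode 5 -> %d\n", model_hw_reset(5, report_cap_mode));
    printf("mode 2 -> %d\n", model_hw_reset(2, report_cap_mode));
    return 0;
}
```
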


Comment 2 Chuck Ebbert 2007-10-15 18:16:37 UTC

*** This bug has been marked as a duplicate of 254192 ***