Bug 772247
| Field | Value |
|---|---|
| Summary | [abrt] kernel: BUG: unable to handle kernel paging request at fffffffffffffbb0 : ieee80211_stop_tx_ba_cb_irqsafe() |
| Product | Fedora |
| Component | kernel |
| Version | 16 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | reubendb |
| Assignee | John W. Linville <linville> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, sgruszka, wey-yi.w.guy |
| Whiteboard | abrt_hash:21110e29c3a0e232b44148ec2bc9718e9870a073 |
| Doc Type | Bug Fix |
| Last Closed | 2012-03-12 18:18:11 UTC |
Description
reubendb
2012-01-06 15:16:03 UTC
Created attachment 551169 [details]
File: backtrace
```
BUG: unable to handle kernel paging request at fffffffffffffbb0
IP: [<ffffffffa01d12fd>] ieee80211_stop_tx_ba_cb_irqsafe+0x1d/0xa0 [mac80211]
PGD 1a07067 PUD 1a08067 PMD 0
Oops: 0000 [#1] SMP
CPU 2
Modules linked in: tcp_lp ppdev parport_pc lp parport fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat xt_CHECKSUM iptable_mangle tun bridge stp llc lockd nf_conntrack_ipv4 nf_defrag_ipv4 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables xts gf128mul dm_crypt virtio_net kvm_intel kvm snd_hda_codec_hdmi snd_hda_codec_idt snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm i2400m_usb i2400m iTCO_wdt iTCO_vendor_support uvcvideo wimax videodev media v4l2_compat_ioctl32 e1000e arc4 dell_laptop snd_timer snd soundcore iwlwifi mac80211 cfg80211 rfkill snd_page_alloc uinput sunrpc joydev dcdbas microcode i2c_i801 sdhci_pci sdhci mmc_core i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]

Pid: 1097, comm: wpa_supplicant Not tainted 3.1.6-1.fc16.x86_64 #1 Dell Inc. Latitude E6420/032T9K
RIP: 0010:[<ffffffffa01d12fd>]  [<ffffffffa01d12fd>] ieee80211_stop_tx_ba_cb_irqsafe+0x1d/0xa0 [mac80211]
RSP: 0018:ffff88021bcc3658  EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88021ad58000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88021ad5422c RDI: 0000000000000000
RBP: ffff88021bcc3678 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000282
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  00007fb4a4ebb7c0(0000) GS:ffff88023dd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffbb0 CR3: 000000021bc36000 CR4: 00000000000406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process wpa_supplicant (pid: 1097, threadinfo ffff88021bcc2000, task ffff880214615cc0)
Stack:
 ffff88021ad58000 0000000000000282 0000000000000000 0000000000000000
 ffff88021bcc3688 ffffffffa0228778 ffff88021bcc36d8 ffffffffa0234868
 0000000100000000 000000000000000b 0000000000000000 ffff88021ad524e0
Call Trace:
 [<ffffffffa0228778>] iwl_stop_tx_ba_trans_ready+0x48/0x50 [iwlwifi]
 [<ffffffffa0234868>] iwl_trans_pcie_tx_agg_disable+0x148/0x1b0 [iwlwifi]
 [<ffffffffa021dcc3>] iwlagn_tx_agg_stop+0x43/0x90 [iwlwifi]
 [<ffffffff815d3bbd>] ? mutex_lock+0x1d/0x50
 [<ffffffffa02146e2>] iwlagn_mac_ampdu_action+0xd2/0x2f0 [iwlwifi]
 [<ffffffffa01d19fb>] ___ieee80211_stop_tx_ba_session+0xeb/0x180 [mac80211]
 [<ffffffffa01d1eaf>] __ieee80211_stop_tx_ba_session+0x4f/0x80 [mac80211]
 [<ffffffffa01d0c72>] ieee80211_sta_tear_down_BA_sessions+0x42/0x70 [mac80211]
 [<ffffffffa01d4c6e>] ieee80211_set_disassoc+0xee/0x260 [mac80211]
 [<ffffffffa01d8320>] ieee80211_mgd_deauth+0x1c0/0x220 [mac80211]
 [<ffffffffa01de95e>] ieee80211_deauth+0x1e/0x20 [mac80211]
 [<ffffffffa01aa29e>] __cfg80211_mlme_deauth+0x11e/0x140 [cfg80211]
 [<ffffffffa01aa333>] cfg80211_mlme_deauth+0x73/0xa0 [cfg80211]
 [<ffffffffa019b70e>] nl80211_deauthenticate+0xbe/0xf0 [cfg80211]
 [<ffffffff814ed2f5>] genl_rcv_msg+0x1d5/0x250
 [<ffffffff814ed120>] ? genl_rcv+0x40/0x40
 [<ffffffff814ecbb9>] netlink_rcv_skb+0xa9/0xd0
 [<ffffffff814ed105>] genl_rcv+0x25/0x40
 [<ffffffff814ec4c8>] netlink_unicast+0x2a8/0x2f0
 [<ffffffff814b9ea7>] ? memcpy_fromiovec+0x67/0xb0
 [<ffffffff814ec7d2>] netlink_sendmsg+0x2c2/0x360
 [<ffffffff814ac2fe>] sock_sendmsg+0x10e/0x130
 [<ffffffff8115d40f>] ? kmem_cache_free+0x2f/0x110
 [<ffffffff814aed21>] ? move_addr_to_kernel+0x71/0x80
 [<ffffffff814ba1a6>] ? verify_iovec+0x56/0xd0
 [<ffffffff814ad896>] __sys_sendmsg+0x396/0x3b0
 [<ffffffff8107ecb7>] ? __set_task_blocked+0x37/0x80
 [<ffffffff8108125f>] ? set_current_blocked+0x3f/0x60
 [<ffffffff810980ed>] ? ktime_get_ts+0xad/0xe0
 [<ffffffff81184f12>] ? poll_select_copy_remaining+0xf2/0x140
 [<ffffffff814afcb9>] sys_sendmsg+0x49/0x90
 [<ffffffff815dccc2>] system_call_fastpath+0x16/0x1b
Code: 00 00 00 e8 86 99 01 00 5d c3 0f 1f 40 00 55 48 89 e5 48 83 ec 20 48 89 5d e0 4c 89 65 e8 4c 89 6d f0 4c 89 75 f8 66 66 66 66 90 <4c> 8b af b0 fb ff ff 48 89 fb 31 ff 49 89 f4 41 89 d6 e8 7c 59
RIP  [<ffffffffa01d12fd>] ieee80211_stop_tx_ba_cb_irqsafe+0x1d/0xa0 [mac80211]
 RSP <ffff88021bcc3658>
```

Wey-yi, this kernel is using a compat-wireless-3.2-rc6 snapshot. It is possible that this NULL pointer dereference is in the wild with kernel 3.2.

John, is this caused by our driver name changes from iwlagn to iwlwifi? We found the problem and we have a patch ready to send to compat-wireless today. Thanks, Wey

I doubt if that is it -- we aren't even building the "native" drivers in these kernels (i.e. we only build the compat-wireless ones). So I don't think there is any iwlagn<->iwlwifi confusion. Any other thoughts?

Hmm, I agree, it shall only show up if the "native" is already part of the kernel. Is there any procedure for us to reproduce this issue? We are also using compat-wireless for our internal testing (but not the Open Source version of compat). Thanks, Wey

I'm guessing that "vif = priv->contexts[ctx].vif" is assigning a bad vif value?

```c
void iwl_stop_tx_ba_trans_ready(struct iwl_priv *priv,
				enum iwl_rxon_context_id ctx,
				u8 sta_id, u8 tid)
{
	struct ieee80211_vif *vif;
	u8 *addr = priv->stations[sta_id].sta.sta.addr;

	if (ctx == NUM_IWL_RXON_CTX)
		ctx = priv->stations[sta_id].ctxid;
	vif = priv->contexts[ctx].vif;

	ieee80211_stop_tx_ba_cb_irqsafe(vif, addr, tid);
}
```

Created attachment 551931 [details]
iwlwifi-partially-remove-stop_tx_ba_trans_ready.patch
3.3-rc1 commit:
commit fdf426a34afe7b1c17a6783f273062e3464cceaa
Author: Emmanuel Grumbach <emmanuel.grumbach>
Date: Wed Dec 7 10:11:00 2011 +0200
iwlwifi: kill iwl_{start,stop}_tx_ba_trans_ready
remove functions, which can confuse vif's.
This is a partial backport of that commit to 3.2-rc6. I did not test the patch, but I think it should help with the oops (and does not cause another crash :-)
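An added worked example (not from the bug report, the kernel or the patch) that ties the fault address in the oops above to a NULL vif: it decodes the instruction marked `<...>` in the Code: line as a REX.W `mov` with a 32-bit displacement, adds that displacement to the RDI value the oops reports, and reproduces the same address with the container_of() arithmetic that mac80211's vif_to_sdata() performs. The struct layout is a stand-in assumption chosen so the field read lies 0x450 bytes before the embedded vif; it is not the real struct ieee80211_sub_if_data.

```c
#include <stddef.h>
#include <inttypes.h>
#include <stdio.h>

/* From the oops above: the bytes after "<" in the Code: line, and RDI at the time. */
static const uint8_t faulting_insn[] = { 0x4c, 0x8b, 0xaf, 0xb0, 0xfb, 0xff, 0xff };
static const uint64_t rdi_at_oops = 0;

/* Decode "REX.W mov r64, disp32(base)" (opcode 8b, ModRM mod=10, no SIB) and
 * return its sign-extended displacement; *ok is cleared if the form differs. */
int32_t mov_load_disp32(const uint8_t *code, size_t len, int *ok)
{
    *ok = 0;
    if (len < 7 || (code[0] & 0xf0) != 0x40 || code[1] != 0x8b)
        return 0;
    if ((code[2] >> 6) != 2 || (code[2] & 7) == 4)
        return 0;
    *ok = 1;
    return (int32_t)((uint32_t)code[3] | (uint32_t)code[4] << 8 |
                     (uint32_t)code[5] << 16 | (uint32_t)code[6] << 24);
}

/* Effective address of the load: base register plus displacement. */
uint64_t load_address(uint64_t base_reg, int32_t disp)
{
    return base_reg + (uint64_t)(int64_t)disp;
}

/* Stand-in layout (an assumption, not the kernel's struct): the vif is embedded
 * 0x450 bytes after the field the callback reads, as the displacement implies. */
struct ieee80211_vif { int type; };
struct sdata_model {
    void *local;
    unsigned char pad[0x450 - sizeof(void *)];
    struct ieee80211_vif vif;
};
/* container_of() arithmetic done on integers, so a NULL vif is never dereferenced. */
uint64_t sdata_local_addr(const struct ieee80211_vif *vif)
{
    uint64_t sdata = (uint64_t)(uintptr_t)vif - offsetof(struct sdata_model, vif);
    return sdata + offsetof(struct sdata_model, local);
}

int main(void)
{
    int ok;
    int32_t disp = mov_load_disp32(faulting_insn, sizeof faulting_insn, &ok);
    printf("disp=%d fault=%016" PRIx64 " container_of(NULL)=%016" PRIx64 "\n",
           disp, load_address(rdi_at_oops, disp), sdata_local_addr(NULL));
    return ok ? 0 : 1;
}
```

Both computations land on fffffffffffffbb0, the address in the first line of the oops, which is what a NULL vif passed through vif_to_sdata() produces.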
Test kernels with the above patch are building here: http://koji.fedoraproject.org/koji/taskinfo?taskID=3640359 Please try to recreate this problem when they are finished building, and report the results here...thanks!

Reuben, is this still a problem in the latest builds?

Hi Dave, I haven't seen this any more with the latest update. Thanks.