On 2013-05-01 6:01 PM, Ben Greear wrote:
> On 04/30/2013 11:05 AM, Ben Greear wrote:
>> On 04/28/2013 08:05 AM, Ben Greear wrote:
>>> On 04/27/2013 01:58 AM, Felix Fietkau wrote:
>>>> On 2013-04-27 1:46 AM, Ben Greear wrote:
>>>>> Was running around 200 stations against a VAP on this system, and
>>>>> then changed the channel from 1 to 36 (by restarting hostapd with new
>>>>> config).
>>>>>
>>>>> Looks like null-pointer de-ref... Anyone seen anything similar?
>>>> I've never seen this one. Please use gdb to figure out the source code
>>>> line that the NULL pointer deref happens in.
>>>> As for the 'keycache entry 228 out of range' stuff, I'm going to send a
>>>> patch for that now.
>>>
>>> Thanks.
>>>
>>> I'm away from the office for a bit, but will build a debugging kernel
>>> and crank on this early next week.
>>
>> Ok, this is against a modified 3.9.0 tree. My patches are here:
>>
>> http://dmz2.candelatech.com/git/gitweb.cgi?p=linux-3.9.dev.y/.git;a=summary
>>
>> I'm going to try reproducing against upstream 3.9.0 (using a smaller number
>> of
>> stations since upstream doesn't have needed optimizations to make it work on
>> my hardware...)
>
> With the wpa_supplicant optimizations I posted yesterday, I can
> reproduce the crash on a standard 3.9.0 kernel with the regdomain
> patch AND the "mac80211: Add per-sdata station hash, and sdata hash."
>
> https://patchwork.kernel.org/patch/2482351/
>
> I was not able to reproduce this without the hash optimization patch,
> so either it's buggy, or it just makes things a lot faster and that
> triggers bugs in ath9k more easily.....
It's buggy. Take a look at this part:
> diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
> index 238a0cc..6b0fe74 100644
> --- a/net/mac80211/sta_info.c
> +++ b/net/mac80211/sta_info.c
> @@ -965,6 +1018,13 @@ struct ieee80211_sta
> *ieee80211_find_sta_by_ifaddr(struct ieee80211_hw *hw,
> {
> struct sta_info *sta, *nxt;
>
> + if (localaddr) {
> + sta = sta_info_get_by_vif(hw_to_local(hw), localaddr, addr);
> + if (sta && !sta->uploaded)
> + return NULL;
> + return &sta->sta;
> + }
If sta is NULL, it'll return &sta->sta, which is non-NULL. It matches
the null-pointer crash on dereferencing the driver's tid struct inside
sta->drv_priv.
- Felix
_______________________________________________
ath9k-devel mailing list
ath9k-devel@lists.ath9k.org
https://lists.ath9k.org/mailman/listinfo/ath9k-devel
