kernel panic on 3.10.0-rc7

Message ID 20130715112502.GA10778@shrek.podlesie.net (mailing list archive)
State Not Applicable, archived

Commit Message

Krzysztof Mazur July 15, 2013, 11:25 a.m. UTC
On Mon, Jul 15, 2013 at 11:48:33AM +0200, Felix Fietkau wrote:
> On 2013-07-15 11:35 AM, Krzysztof Mazur wrote:
> > On Mon, Jul 15, 2013 at 11:27:30AM +0200, Krzysztof Mazur wrote:
> >> On Mon, Jul 15, 2013 at 11:06:27AM +0200, Felix Fietkau wrote:
> >> > Please post the actual message output. Saying "it looks like something
> >> > wrong with the rate control mechanism" doesn't give me anything useful
> >> > to work with.
> >> > 
> >> 
> >> Sorry, I added you to Cc after I removed the original Oops.
> >> 
> > 
> > On my system the NULL pointer dereference occurs at 0x806389b0,
> > and the minstrel_get_rate() looks like:
> > 
> > 80638990 <minstrel_get_rate>:
> > 80638990:	83 ec 1c             	sub    $0x1c,%esp
> > 80638993:	89 7c 24 14          	mov    %edi,0x14(%esp)
> > 80638997:	8b 7c 24 20          	mov    0x20(%esp),%edi
> > 8063899b:	89 5c 24 0c          	mov    %ebx,0xc(%esp)
> > 8063899f:	89 cb                	mov    %ecx,%ebx
> > 806389a1:	89 6c 24 18          	mov    %ebp,0x18(%esp)
> > 806389a5:	89 c5                	mov    %eax,%ebp
> > 806389a7:	89 d0                	mov    %edx,%eax
> > 806389a9:	89 74 24 10          	mov    %esi,0x10(%esp)
> > 806389ad:	8b 77 0c             	mov    0xc(%edi),%esi
> > * 806389b0:	0f b6 49 38          	movzbl 0x38(%ecx),%ecx *
> > 806389b4:	8d 56 20             	lea    0x20(%esi),%edx
> > 806389b7:	89 54 24 04          	mov    %edx,0x4(%esp)
> > 806389bb:	89 da                	mov    %ebx,%edx
> > 806389bd:	88 4c 24 0b          	mov    %cl,0xb(%esp)
> > 806389c1:	89 f9                	mov    %edi,%ecx
> > 806389c3:	e8 38 2f fe ff       	call   8061b900 <rate_control_send_low>
> My x86 assembly is a bit rusty (I usually work with ARM and MIPS), so
> I'm having trouble figuring out the exact line of code here. Please use
> gdb to track it down.
> 

The priv_sta is NULL and it's later dereferenced in:
	bool prev_sample = mi->prev_sample;

static void
minstrel_get_rate(void *priv, struct ieee80211_sta *sta,
		  void *priv_sta, struct ieee80211_tx_rate_control *txrc)
{
	struct sk_buff *skb = txrc->skb;
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
	struct minstrel_sta_info *mi = priv_sta;
	struct minstrel_priv *mp = priv;
	struct ieee80211_tx_rate *rate = &info->control.rates[0];
	struct minstrel_rate *msr, *mr;
	unsigned int ndx;
	bool mrr_capable;
	bool prev_sample = mi->prev_sample;
	int delta;
	int sampling_ratio;

With:


the system no longer crashes and just prints a message.

Krzysiek
Patch

diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index ac7ef54..be17d52 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -290,9 +290,15 @@  minstrel_get_rate(void *priv, struct ieee80211_sta *sta,
 	struct minstrel_rate *msr, *mr;
 	unsigned int ndx;
 	bool mrr_capable;
-	bool prev_sample = mi->prev_sample;
+	bool prev_sample;
 	int delta;
 	int sampling_ratio;
+       	
+	if (!mi) {
+		printk("Oops, mi is NULL\n");
+		return;
+	}
+	prev_sample = mi->prev_sample;
 
 	/* management/no-ack frames do not use rate control */
 	if (rate_control_send_low(sta, priv_sta, txrc))
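
Review bot: the new `if (!mi)` block returns before the `rate_control_send_low(sta, priv_sta, txrc)` call shown in the trailing context, so a frame that arrives with a NULL priv_sta leaves minstrel_get_rate() without any rate being chosen here. If that helper is where frames that bypass rate control are handled, consider keeping the declaration as `bool prev_sample;` and moving only `prev_sample = mi->prev_sample;` below that call instead of adding an early return. If the check stays, note that the bare `printk("Oops, mi is NULL\n")` carries no log level and sits in a per-frame transmit path, so a `WARN_ON_ONCE(!mi)` or a rate-limited `pr_warn_ratelimited()` would keep the log usable. The added whitespace-only line after `int sampling_ratio;` mixes spaces and a tab and should be dropped.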