Most recent kernel where this bug did not occur: N/A (the driver was introduced in 2.6.24-rc1)
Distribution: Bluewhite 64 12.0 (64 bit version of Slackware 12)
Hardware Environment: Broadcom wireless chip
Software Environment:
Problem Description:
I got a crash after issuing the command ifconfig down on a b43 wireless interface, in order to put it in ad-hoc mode. The interface was certainly in use in the background by wpa_supplicant, which I forgot to kill before downing the interface. There may have been a scan in progress, or an association request.

Here is the output from syslog:

Oct 27 16:08:19 athor kernel: ------------[ cut here ]------------
Oct 27 16:08:19 athor kernel: kernel BUG at kernel/workqueue.c:273!
Oct 27 16:08:19 athor kernel: invalid opcode: 0000 [1] PREEMPT
Oct 27 16:08:19 athor kernel: CPU 0
Oct 27 16:08:19 athor kernel: Modules linked in: kqemu
Oct 27 16:08:19 athor kernel: Pid: 963, comm: b43 Tainted: G M 2.6.24-rc1 #7
Oct 27 16:08:19 athor kernel: RIP: 0010:[<ffffffff8024683e>] [<ffffffff8024683e>] run_workqueue+0x21e/0x230
Oct 27 16:08:19 athor kernel: RSP: 0018:ffff810002b3fe50 EFLAGS: 00010282
Oct 27 16:08:19 athor kernel: RAX: 0000000000000000 RBX: ffff810004012a28 RCX: 0000000000000000
Oct 27 16:08:19 athor kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
Oct 27 16:08:19 athor kernel: RBP: ffff810002b3feb0 R08: 0000000000000001 R09: 0000000000000001
Oct 27 16:08:19 athor kernel: R10: ffffffff80246639 R11: 0000000000000246 R12: ffff810004046108
Oct 27 16:08:19 athor kernel: R13: ffff810004012a20 R14: ffffffff805c6540 R15: ffff810002b3fe60
Oct 27 16:08:19 athor kernel: FS: 00002ba989812bf0(0000) GS:ffffffff807af000(0000) knlGS:0000000000000000
Oct 27 16:08:19 athor kernel: CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
Oct 27 16:08:19 athor kernel: CR2: 00002b6df564d600 CR3: 0000000006349000 CR4: 00000000000006e0
Oct 27 16:08:19 athor kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Oct 27 16:08:19 athor kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Oct 27 16:08:19 athor kernel: Process b43 (pid: 963, threadinfo ffff810002b3e000, task ffff810002940000)
Oct 27 16:08:19 athor kernel: Stack: ffff810002b3feb0 ffff810004046138 0000000000000000 0000000000000000
Oct 27 16:08:19 athor kernel: 0000000000000000 ffff810004046148 ffff810002b3feb0 ffff810004046148
Oct 27 16:08:19 athor kernel: ffff810004046108 ffff810002b3fec0 ffff810004046138 0000000000000000
Oct 27 16:08:19 athor kernel: Call Trace:
Oct 27 16:08:19 athor kernel: [<ffffffff8024733a>] worker_thread+0xca/0x130
Oct 27 16:08:19 athor kernel: [<ffffffff8024b240>] autoremove_wake_function+0x0/0x40
Oct 27 16:08:19 athor kernel: [<ffffffff80247270>] worker_thread+0x0/0x130
Oct 27 16:08:19 athor kernel: [<ffffffff8024ae7d>] kthread+0x4d/0x80
Oct 27 16:08:19 athor kernel: [<ffffffff8020c608>] child_rip+0xa/0x12
Oct 27 16:08:19 athor kernel: [<ffffffff8020c1c3>] restore_args+0x0/0x30
Oct 27 16:08:19 athor kernel: [<ffffffff8024af82>] kthreadd+0xd2/0x150
Oct 27 16:08:19 athor kernel: [<ffffffff8024ae30>] kthread+0x0/0x80
Oct 27 16:08:19 athor kernel: [<ffffffff8020c5fe>] child_rip+0x0/0x12
Oct 27 16:08:19 athor kernel:
Oct 27 16:08:19 athor kernel:
Oct 27 16:08:19 athor kernel: Code: 0f 0b eb fe 0f 1f 80 00 00 00 00 0f 1f 80 00 00 00 00 55 48
Oct 27 16:08:19 athor kernel: RIP [<ffffffff8024683e>] run_workqueue+0x21e/0x230
Oct 27 16:08:19 athor kernel: RSP <ffff810002b3fe50>

I panicked the kernel afterwards when I insisted and issued another ifconfig down, but that was stupid.
This bug may be related to - if not the same as - bug http://bugzilla.kernel.org/show_bug.cgi?id=9233
Steps to reproduce: Didn't manage to reproduce.
Totally reproducible now. What I do is: /etc/rc.d/rc.inet1 eth1_stop (the interface is renamed to eth1 by udev at boot). This basically kills wpa_supplicant and dhcpcd, and does ifconfig eth1 down. Then, I issue the following commands in a row: iwconfig eth1 rate 1M essid az channel 6 mode ad-hoc key off commit -> boom, panic in worker_thread. Seems to be the ad-hoc or the commit, I don't know exactly, but I crashed 3 times in a row with this sequence. I hadn't crashed up to now, maybe because I issued the commands separately, or did not use "commit". It seems commit can be applied to ad-hoc, but not to the other options, and if I group them, it crashes.
This might be a mac80211 bug. There is a bug in mac80211 where the scan workqueue is not properly terminated somehow. (I'm not really sure what happens exactly, yet.) But I also get a crash with zd1211-mac80211 on rmmod (or when I pull the device out). Though, I could not reproduce this bug with b43, yet. But I'd tend to search for the bug in mac80211.
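To make the failure mode in the comment above concrete, here is an added userspace model (not kernel, mac80211 or b43 code): a driver structure embeds a work item, the interface is torn down while that item is still queued, and the worker thread later finds an item whose recorded queue no longer matches. The `w->wq != wq` check is assumed to stand in for the consistency BUG_ON that run_workqueue trips; the `struct driver`, `scan_fn` and `ifdown_with_pending_scan` names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed userspace model of a 2.6.24-style single-CPU workqueue. */
struct workqueue;
struct work {
    struct workqueue *wq;          /* queue the item is pending on; NULL when idle */
    void (*func)(struct work *);
    struct work *next;
};
struct workqueue { struct work *head; };
static void queue_work(struct workqueue *wq, struct work *w)
{
    if (w->wq) return;             /* already pending (the kernel uses a PENDING bit) */
    w->wq = wq; w->next = wq->head; wq->head = w;
}
/* Unlink a pending item before its container is torn down (cancel_work_sync's job). */
static void cancel_work(struct workqueue *wq, struct work *w)
{
    for (struct work **pp = &wq->head; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; w->wq = NULL; return; }
}
/* Worker-thread loop; returns false where the kernel's BUG_ON would fire instead. */
static bool run_workqueue(struct workqueue *wq)
{
    while (wq->head) {
        struct work *w = wq->head;
        wq->head = w->next;
        if (w->wq != wq) return false;   /* stale or clobbered item still on the list */
        w->wq = NULL;
        w->func(w);
    }
    return true;
}
/* Hypothetical driver state embedding its scan work, the way mac80211's does. */
struct driver { int scans_run; struct work scan_work; };
static void scan_fn(struct work *w) { ((struct driver *)((char *)w - offsetof(struct driver, scan_work)))->scans_run++; }

/* Interface goes down while a scan is still queued; cancel_first models the fix. */
static bool ifdown_with_pending_scan(bool cancel_first)
{
    struct workqueue wq = { NULL };
    struct driver drv = { 0, { NULL, scan_fn, NULL } };
    queue_work(&wq, &drv.scan_work);             /* scan queued while the link was up */
    if (cancel_first) cancel_work(&wq, &drv.scan_work);
    memset(&drv, 0, sizeof drv);                 /* teardown clears or reuses the memory */
    return run_workqueue(&wq);                   /* worker thread runs afterwards */
}
```

Calling `ifdown_with_pending_scan(false)` reproduces the bad state (the worker dequeues an item that no longer belongs to it), while `ifdown_with_pending_scan(true)` shows why cancelling the work before teardown avoids it.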
I didn't manage to reproduce this bug anymore with 2.6.27-rc3.