Bug 10755

Summary: iwl3945 regression - NULL deref in ieee80211_associate
Product: Drivers
Reporter: Jan C. Nordholz (jckn)
Component: network-wireless
Assignee: John W. Linville (linville)
Status: CLOSED CODE_FIX
Severity: normal
CC: bunk, rjw
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.26-rc3
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 10492
Attachments: Dmesg output (2.6.26-rc3)
net/mac80211/mlme.o from my 2.6.26-rc3 build tree

Description Jan C. Nordholz 2008-05-19 15:56:01 UTC
Latest working kernel version: 2.6.26-rc2
Earliest failing kernel version: 2.6.26-rc3
Distribution: Debian
Hardware Environment: Lenovo Thinkpad R61 (8943-DLG)
Software Environment:
Problem Description: iwl3945 trying to associate to an AP leads to a kernel oops. The current (2008/05/19) linuxwireless.org compat-wireless driver is affected, too.
Comment 1 Jan C. Nordholz 2008-05-19 15:56:23 UTC
Created attachment 16207 [details]
Dmesg output (2.6.26-rc3)
Comment 2 Anonymous Emailer 2008-05-19 16:27:18 UTC
Reply-To: akpm@linux-foundation.org

On Mon, 19 May 2008 15:56:01 -0700 (PDT)
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=10755
> 
>            Summary: iwl3945 regression - NULL deref in ieee80211_associate
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.26-rc3
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: network-wireless
>         AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
>         ReportedBy: jckn@gmx.net
> 
> 
> Latest working kernel version: 2.6.26-rc2
> Earliest failing kernel version: 2.6.26-rc3
> Distribution: Debian
> Hardware Environment: Lenovo Thinkpad R61 (8943-DLG)
> Software Environment:
> Problem Description: iwl3945 trying to associate to an AP leads to a kernel
> oops. The current (2008/05/19) linuxwireless.org compat-wireless driver is
> affected, too.
> 

A post-2.6.25 regression.

EIP is at ieee80211_associate+0x253/0x640 [mac80211]

and it might not be iwl3945-specific.
Comment 3 Adrian Bunk 2008-05-19 16:36:25 UTC
Jan, can you attach your net/mac80211/mlme.o to this bug?
Comment 4 Larry Finger 2008-05-19 16:48:59 UTC
Andrew Morton wrote:
> On Mon, 19 May 2008 15:56:01 -0700 (PDT)
> bugme-daemon@bugzilla.kernel.org wrote:
> 
>> http://bugzilla.kernel.org/show_bug.cgi?id=10755
>>
>>            Summary: iwl3945 regression - NULL deref in ieee80211_associate
>>            Product: Drivers
>>            Version: 2.5
>>      KernelVersion: 2.6.26-rc3
>>           Platform: All
>>         OS/Version: Linux
>>               Tree: Mainline
>>             Status: NEW
>>           Severity: normal
>>           Priority: P1
>>          Component: network-wireless
>>         AssignedTo: drivers_network-wireless@kernel-bugs.osdl.org
>>         ReportedBy: jckn@gmx.net
>>
>>
>> Latest working kernel version: 2.6.26-rc2
>> Earliest failing kernel version: 2.6.26-rc3
>> Distribution: Debian
>> Hardware Environment: Lenovo Thinkpad R61 (8943-DLG)
>> Software Environment:
>> Problem Description: iwl3945 trying to associate to an AP leads to a kernel
>> oops. The current (2008/05/19) linuxwireless.org compat-wireless driver is
>> affected, too.
>>
> 
> A post-2.6.25 regression.
> 
> EIP is at ieee80211_associate+0x253/0x640 [mac80211]
> 
> and it might not be iwl3945-specific.

This bug looks like the one I found and reported in 
http://marc.info/?l=linux-wireless&m=121097330013277&w=2. I found it for b43 
- it is clearly not iwl3945 specific.

The patch is in version 4 and probably not the final one, but it fixes the 
oops. You will find the patch at 
http://marc.info/?l=linux-wireless&m=121120929012836&w=2.

We know that bss is NULL when mac80211 tries to associate; however, I had 
only one of these that happened after my interface had been connected to my 
AP for ~18 hours, then got disassociated, followed by the oops. It sounds as 
if jckn@gmx.net might be getting this systematically and there is hope to 
find the root cause so as to prevent the problem rather than covering over 
the symptoms as is done with the patch. In any case, there is a fix in the works.

I have added Johannes and Helmut to the CC list.

Larry
Comment 5 Jan C. Nordholz 2008-05-20 02:36:39 UTC
Yes, I can reliably reproduce the bug - I'm getting this right after bootup (i.e. without having been associated before). Shall I try to investigate, or are the cause and the circumstances of this bug already known?
Comment 6 Jan C. Nordholz 2008-05-20 02:37:50 UTC
Created attachment 16213 [details]
net/mac80211/mlme.o from my 2.6.26-rc3 build tree
Comment 7 John W. Linville 2008-05-20 11:49:11 UTC
Jan, can you apply the patch here:

   http://marc.info/?l=linux-wireless&m=121127020512169&w=2

Does it resolve the issue for you?
Comment 8 Rafael J. Wysocki 2008-05-20 16:06:29 UTC
*** Bug 10758 has been marked as a duplicate of this bug. ***
Comment 9 Rafael J. Wysocki 2008-05-20 16:09:05 UTC
Regressions list annotation:
References : http://marc.info/?l=linux-kernel&m=121114227216807&w=2
Handled-By : John W. Linville <mailto:linville@tuxdriver.com>
Handled-By : Helmut Schaa <hschaa@suse.de>
Patch : http://marc.info/?l=linux-wireless&m=121127020512169&w=2
Comment 10 Jan C. Nordholz 2008-05-21 09:20:22 UTC
Yes, that patch fixes the bug - but I gather from the thread on linux-wireless that this is merely a workaround? I thought this is an rc2->rc3 regression? Or is bss (now) allowed to be NULL down there?

Anyway, let me know if I can help.
Comment 11 John W. Linville 2008-05-21 13:59:32 UTC
Sent upstream via Dave M. yesterday evening...
Comment 12 Rafael J. Wysocki 2008-05-21 16:34:08 UTC
Which commit is this in Linus' tree?
Comment 13 John W. Linville 2008-05-27 16:53:02 UTC
commit 0d580a774b3682b8b2b5c89ab9b813d149ef28e7
Author: Helmut Schaa <hschaa@suse.de>
Date:   Tue May 20 09:56:37 2008 +0200

    mac80211: fix NULL pointer dereference in ieee80211_compatible_rates
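Comment 4 states that bss is NULL when mac80211 tries to associate, and the fixing commit above is described as a NULL pointer check in ieee80211_compatible_rates. The following is an added, self-contained C illustration of that defect class (an unconditional dereference of a record the caller assumed was always present) beside the guarded form; it is not mac80211 code, and struct toy_bss, local_rates, the sample BSS and all toy_* function names are constructed for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: a toy stand-in for a BSS record holding the
 * rates an AP advertises, in 802.11 "supported rates" encoding (units of
 * 500 kbps; the high bit flags a basic rate). This is NOT mac80211's struct. */
#define TOY_MAX_RATES 8

struct toy_bss {
	uint8_t supp_rates[TOY_MAX_RATES];
	size_t supp_rates_len;
};

/* Hypothetical local capability table: rates this station supports
 * (1, 2, 5.5 and 11 Mbps in the same 500 kbps units). */
static const uint8_t local_rates[] = { 2, 4, 11, 22 };
#define LOCAL_RATES_N (sizeof(local_rates) / sizeof(local_rates[0]))

/* Intersect local rates with what the BSS advertises; bit i of the result
 * is set when local_rates[i] also appears in the BSS rate list. */
static uint32_t toy_intersect_rates(const struct toy_bss *bss)
{
	uint32_t mask = 0;

	for (size_t i = 0; i < LOCAL_RATES_N; i++)
		for (size_t j = 0; j < bss->supp_rates_len; j++)
			if ((bss->supp_rates[j] & 0x7f) == local_rates[i])
				mask |= 1u << i;
	return mask;
}

/* The defect class from the report: the caller assumes a BSS record is
 * always present at association time and dereferences it unconditionally.
 * With bss == NULL this is a NULL pointer dereference (an oops in a kernel). */
static int toy_compatible_rates_unguarded(const struct toy_bss *bss, uint32_t *out)
{
	*out = toy_intersect_rates(bss);   /* crashes if bss == NULL */
	return 0;
}

/* Guarded form: validate the precondition and return an error so the caller
 * can abort the association attempt instead of crashing. */
static int toy_compatible_rates_guarded(const struct toy_bss *bss, uint32_t *out)
{
	if (!bss || !out)
		return -1;
	*out = toy_intersect_rates(bss);
	return 0;
}

/* Constructed sample BSS: 1 Mbps (basic), 2 Mbps, 11 Mbps. */
static const struct toy_bss sample_bss = {
	.supp_rates = { 0x82, 0x04, 0x16 },
	.supp_rates_len = 3,
};

/* Result helpers: mask of compatible local rates for the sample BSS, and
 * the guarded function's return value when no BSS record exists. */
static uint32_t sample_compatible_mask(void)
{
	uint32_t mask = 0;

	toy_compatible_rates_guarded(&sample_bss, &mask);
	return mask;                       /* 0x0b: 1, 2 and 11 Mbps match */
}

static int null_bss_result(void)
{
	uint32_t mask = 0;

	return toy_compatible_rates_guarded(NULL, &mask);   /* -1, no crash */
}

int main(void)
{
	uint32_t unguarded = 0;

	/* Safe only because a real record is passed; with NULL it would oops. */
	toy_compatible_rates_unguarded(&sample_bss, &unguarded);
	printf("unguarded mask: 0x%02x\n", unguarded);
	printf("guarded mask:   0x%02x\n", sample_compatible_mask());
	printf("NULL bss:       %d\n", null_bss_result());
	return 0;
}
```

The guard turns a crash into a refused operation, which is what Larry's comment calls covering the symptom: it keeps the system up, but the question of why a station reaches the association step with no BSS record (the root cause Jan could reproduce right after boot) still has to be answered separately.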