I have a 100% reproducable oops inside of the skb_orphan call of mac80211's ieee80211_tx_status function. I could only reproduce it with the CompactFlash bcm4318 card, yet. So maybe the it's somehow related to b43's PIO code. Here's the oops: http://bu3sch.de/misc/sk_oops.JPG As you can see, I added some debugging printks. So let me explain what is going on. After fireing up wpa_supplicant, ieee80211_tx_status is invoked several times without crashing. But then suddenly it crashes on the skb_orphan call. The skb_orphan call will call the skb destructor. You can see the skb->destructor and skb->sk pointers right above the oops message. The destructor pointer is assigned to sock_wfree() and the sk pointer is NULL. So skb_orphan calls skb->destructor with skb->sk as parameter and sock_wfree (which is the destructor) will dereference skb->sk. That will obviously crash. Any ideas why skb->sk is NULL while the destructor is not NULL? They should either be both NULL or not NULL. -- Greetings Michael. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
