On Wed, 2010-10-06 at 10:28 -0700, Ben Greear wrote:
> This test scenario has 72 stations on ath5k trying to connect to a cisco AP
> that supposedly only supports 63 stations.
>
> The 72 STA were created without ssid's configured, then we re-configured all
> 72 'at once' to give them the proper SSID (ifdown, ifup, iwconfig to set values).
Eww, iwconfig ;-)
> The system crashed and rebooted.
>
> Kernel is wireless-testing as of later yesterday, with a few additional
> patches mostly dealing with counters in /proc/net/wireless and some lockdep
> fixes pulled in from lkml etc.
>
> We have seen this before, but this is the first good stacktrace we got.
>
> Likely we can reproduce this if extra information is needed.
> list_del corruption, next is LIST_POISON1 (00100100)
This one's interesting.
But anyway, now that I look at it in more detail, it seems fairly
obvious. You should be able to trigger it with two stations, but it's
probably harder ...
I need to analyse the refcounting here again and in more detail, but in
the meantime can you try below patch?
johannes
---
net/wireless/scan.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- wireless-testing.orig/net/wireless/scan.c 2010-10-06 19:59:41.000000000 +0200
+++ wireless-testing/net/wireless/scan.c 2010-10-06 20:01:20.000000000 +0200
@@ -668,11 +668,11 @@ void cfg80211_unlink_bss(struct wiphy *w
bss = container_of(pub, struct cfg80211_internal_bss, pub);
spin_lock_bh(&dev->bss_lock);
-
- list_del(&bss->list);
- dev->bss_generation++;
- rb_erase(&bss->rbn, &dev->bss_tree);
-
+ if (!list_empty(&bss->list)) {
+ list_del_init(&bss->list);
+ dev->bss_generation++;
+ rb_erase(&bss->rbn, &dev->bss_tree);
+ }
spin_unlock_bh(&dev->bss_lock);
kref_put(&bss->ref, bss_release);
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
