Here is a script that reliably crashes my ath9k box.
A second box with completely different hardware (except
for ath9k) experiences similar problems.
I am using today's wireless-testing kernel with a few
patches of my own.
You will also need the very latest hostap tree as it has the
optimizations for allowing STAs to share scans. Without
this optimization, I did not see this problem.
A few notes about the script:
* I cannot remove any interfaces, seems a ref-count leak somewhere.
I haven't debugged this issue.
* Without the background ping, it is very hard to reproduce this problem,
but with it, it happens almost every time.
* You'll need to set up your paths at the top of the script.
#!/usr/bin/perl
use strict;
my $iw = "./local/sbin/iw";
my $ip = "./local/sbin/ip";
my $wpa_s = "./local/bin/wpa_supplicant";
my $ssid = "candela-n";
my $key = "wpadmz123";
my $phy = "wiphy0";
my $max = 32;
my $i;
my $bmac = "00:01:02:03:04:";
my $cmd;
# Cleanup previous stuff
runCmd("killall wpa_supplicant");
runCmd("killall ping");
for ($i = 0; $i<$max; $i++) {
# Work around ref-counting bugs in kernel
runCmd("$ip link set sta$i down");
runCmd("$ip addr flush dev sta$i");
runCmd("$ip route flush dev sta$i");
runCmd("$ip -6 addr flush dev sta$i");
runCmd("$ip -6 route flush dev sta$i");
# Bugger, cannot get the ref-count problem to go away.
# runCmd("$iw dev sta$i del");
}
#exit(0);
open(FD, ">pingbg") || die("Couldn't open pingbg.");
print FD "#!/bin/bash\n\n";
print FD "ping \$* > /dev/null 2>&1 &\n";
print FD "echo continuing....\n";
close(FD);
runCmd("chmod a+x pingbg");
# Create stations
for ($i = 0; $i<$max; $i++) {
runCmd("$iw phy $phy interface add sta$i type station");
my $mc5 = $i + 1;
if (length($mc5) == 1) {
$mc5 = "0$mc5"; # pad mac octet
}
my $mac = "$bmac$mc5";
runCmd("$ip link set sta$i address $mac");
runCmd("$iw dev sta$i set power_save off");
runCmd("$ip addr add 9.99.1.$mc5/24 dev sta$i");
runCmd("./pingbg -I sta$i 9.99.1.1");
}
# Bring them up with WPA
for ($i = 0; $i<$max; $i++) {
open(FD, ">sta$i" . "_wpa.conf") || die("Couldn't open file: $!\n");
print FD "
ctrl_interface=/var/run/wpa_supplicant
fast_reauth=1
#can_scan_one=1
network={
ssid=\"$ssid\"
proto=WPA
key_mgmt=WPA-PSK
psk=\"$key\"
pairwise=TKIP CCMP
group=TKIP CCMP
}
";
#runCmd("$wpa_s -B -i sta$i -c sta$i" . "_wpa.conf -P sta$i" . "_wpa.pid -t -f sta$i" . "_wpa.log");
}
# Build command to start one wpa_supplicant for all interfaces.
my $cmd = "$wpa_s -B -g /var/run/wpa_supplicant_if -P /tmp/wpa_supplicant-all.pid -t -f /tmp/wpa_supplicant_log_all.txt -i sta0 -c sta0_wpa.conf";
for ($i = 1; $i<$max; $i++) {
$cmd = "$cmd -N -i sta$i -c sta$i" . "_wpa.conf";
}
runCmd($cmd);
sub runCmd {
my $cmd = shift;
print "$cmd\n";
`$cmd`;
}
Example kernel crash output:
ADDRCONF(NETDEV_CHANGE): sta6: link becomes ready
ADDRCONF(NETDEV_CHANGE): sta5: link becomes ready
ADDRCONF(NETDEV_CHANGE): sta4: link becomes ready
ADDRCONF(NETDEV_CHANGE): sta3: link becomes ready
ADDRCONF(NETDEV_CHANGE): sta1: link becomes ready
ADDRCONF(NETDEV_CHANGE): sta0: link becomes ready
padlock: VIA PadLock not detected.
[root@ath9k-dev1 ~]# ADDRCONF(NETDEV_CHANGE): sta30: link becomes ready
ADDRCONF(NETDEV_CHANGE): sta29: link becomes ready
------------[ cut here ]------------
WARNING: at /home/greearb/git/linux.wireless-testing/drivers/net/wireless/ath/ath9k/recv.c:532 ath_stoprecv+0x90/0x9a [ath9k]()
Hardware name: PDSBM
Could not stop RX, we could be confusing the DMA engine when we start RX up
Modules linked in: aes_i586 aes_generic fuse nfs lockd fscache nfs_acl auth_rpcgss sunrpc ipv6 uinput arc4 ecb ath9k mac80211 ath9k_common ath9k_hw mi]
Pid: 3505, comm: wpa_supplicant Not tainted 2.6.37-rc3-wl+ #53
Call Trace:
[<78436fe9>] warn_slowpath_common+0x77/0x8c
[<f933019e>] ? ath_stoprecv+0x90/0x9a [ath9k]
[<f933019e>] ? ath_stoprecv+0x90/0x9a [ath9k]
[<7843707a>] warn_slowpath_fmt+0x2e/0x30
[<f933019e>] ath_stoprecv+0x90/0x9a [ath9k]
[<f932f13c>] ath_set_channel+0x94/0x1e8 [ath9k]
[<7845a425>] ? mark_held_locks+0x47/0x5f
[<7878e5bb>] ? _raw_spin_unlock_irqrestore+0x3c/0x48
[<f932f5d4>] ath9k_config+0x344/0x423 [ath9k]
[<f919aaaa>] ieee80211_hw_config+0x11b/0x125 [mac80211]
[<f91aa25a>] ieee80211_set_channel+0x74/0x9e [mac80211]
[<f8d37d36>] cfg80211_set_freq+0xf3/0x12d [cfg80211]
[<f91aa1e6>] ? ieee80211_set_channel+0x0/0x9e [mac80211]
[<f8d3a24c>] cfg80211_mgd_wext_siwfreq+0x108/0x148 [cfg80211]
[<f8d395c9>] cfg80211_wext_siwfreq+0x42/0xbf [cfg80211]
[<7876e14f>] ioctl_standard_call+0x52/0x28e
[<786f2db3>] ? dev_name_hash+0x16/0x48
[<786f67cc>] ? __dev_get_by_name+0x32/0x3d
[<7876e418>] wext_handle_ioctl+0x8d/0x18d
[<f8d39587>] ? cfg80211_wext_siwfreq+0x0/0xbf [cfg80211]
[<786f78f9>] dev_ioctl+0x520/0x53f
[<786e5f7f>] ? sock_ioctl+0x0/0x202
[<786e6175>] sock_ioctl+0x1f6/0x202
[<7878e576>] ? _raw_spin_unlock_irq+0x22/0x2b
[<786e5f7f>] ? sock_ioctl+0x0/0x202
[<784cc151>] do_vfs_ioctl+0x4b1/0x4f6
[<7878e576>] ? _raw_spin_unlock_irq+0x22/0x2b
[<784303cd>] ? finish_task_switch+0x72/0xd4
[<784c14a9>] ? fcheck_files+0x9b/0xca
[<784c1505>] ? fget_light+0x2d/0xb0
[<784cc1d9>] sys_ioctl+0x43/0x62
[<784030dc>] sysenter_do_call+0x12/0x38
---[ end trace 34d8f42d696b7763 ]---
------------[ cut here ]------------
WARNING: at /home/greearb/git/linux.wireless-testing/net/wireless/mlme.c:285 __cfg80211_auth_remove+0x98/0x9e [cfg80211]()
Hardware name: PDSBM
Modules linked in: aes_i586 aes_generic fuse nfs lockd fscache nfs_acl auth_rpcgss sunrpc ipv6 uinput arc4 ecb ath9k mac80211 ath9k_common ath9k_hw mi]
Pid: 38, comm: kworker/u:1 Tainted: G W 2.6.37-rc3-wl+ #53
Call Trace:
[<78436fe9>] warn_slowpath_common+0x77/0x8c
[<f8d34888>] ? __cfg80211_auth_remove+0x98/0x9e [cfg80211]
[<f8d34888>] ? __cfg80211_auth_remove+0x98/0x9e [cfg80211]
[<7843701b>] warn_slowpath_null+0x1d/0x1f
[<f8d34888>] __cfg80211_auth_remove+0x98/0x9e [cfg80211]
[<f8d34fc2>] cfg80211_send_auth_timeout+0x90/0xa0 [cfg80211]
[<7845a681>] ? trace_hardirqs_on_caller+0x104/0x125
[<7845a6ad>] ? trace_hardirqs_on+0xb/0xd
[<f91a434b>] ieee80211_probe_auth_done+0x1e/0x7b [mac80211]
[<f91a6861>] ieee80211_work_work+0xd51/0xd8f [mac80211]
[<7845a681>] ? trace_hardirqs_on_caller+0x104/0x125
[<7845a602>] ? trace_hardirqs_on_caller+0x85/0x125
[<78447000>] process_one_work+0x1af/0x2bf
[<78446f8f>] ? process_one_work+0x13e/0x2bf
[<f91a5b10>] ? ieee80211_work_work+0x0/0xd8f [mac80211]
[<7844874e>] worker_thread+0xf9/0x1bf
[<78448655>] ? worker_thread+0x0/0x1bf
[<7844b27e>] kthread+0x62/0x67
[<7844b21c>] ? kthread+0x0/0x67
[<784036c6>] kernel_thread_helper+0x6/0x1a
---[ end trace 34d8f42d696b7764 ]---
e1000e 0000:06:00.0: eth0: Detected Hardware Unit Hang:
TDH <f1>
TDT <f4>
next_to_use <f4>
next_to_clean <f1>
buffer_info[next_to_clean]:
time_stamp <bcc5>
next_to_watch <f1>
jiffies <c73c>
next_to_watch.status <0>
MAC Status <80080f83>
PHY Status <796d>
PHY 1000BASE-T Status <7c00>
PHY Extended Status <3000>
PCI Status <4010>
e1000e 0000:06:00.0: eth0: Detected Hardware Unit Hang:
TDH <f1>
TDT <f4>
next_to_use <f4>
next_to_clean <f1>
buffer_info[next_to_clean]:
time_stamp <bcc5>
next_to_watch <f1>
jiffies <cf0c>
next_to_watch.status <0>
MAC Status <80080f83>
PHY Status <796d>
PHY 1000BASE-T Status <7c00>
PHY Extended Status <3000>
PCI Status <4010>
BUG: unable to handle kernel NULL pointer dereference at 00000040
IP: [<f933470a>] ath_tx_start+0x461/0x5ef [ath9k]
*pde = 00000000
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:08:01.0/irq
Modules linked in: aes_i586 aes_generic fuse nfs lockd fscache nfs_acl auth_rpcgss sunrpc ipv6 uinput arc4 ecb ath9k mac80211 ath9k_common ath9k_hw mi]
Pid: 38, comm: kworker/u:1 Tainted: G W 2.6.37-rc3-wl+ #53 PDSBM/PDSBM
EIP: 0060:[<f933470a>] EFLAGS: 00010246 CPU: 1
EIP is at ath_tx_start+0x461/0x5ef [ath9k]
--
Ben Greear <greearb@xxxxxxxxxxxxxxx>
Candela Technologies Inc http://www.candelatech.com
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
