Panic with WEP

Justin Reigle justin at
Thu Mar 20 18:13:56 EST 2003

I've recently been playing with hostap, 802.1x, and WEP in conjunction
with a Windows XP (post-SP1) station.

Simple data transfer works fine (i.e. ping). If I do anything more than
that, it doesn't take long before a panic occurs (reproducable).

I managed to track the problem down to the line of code where a null
pointer is dereferenced. The kernel version is 2.4.17. The code is in
linux/net/core/dev.c:netif_rx. The macro, dev_hold() is called, with
skb->dev passed to it. Here skb->dev is null, which causes the panic.

I'm not sure why skb->dev is null, or where the actual bug is. This is
a daily snapshot of the hostap code from this past sunday (march 16th).
I see the same behavior with a month old snapshot.

Here's some ksymoops output to provide a little more information:

CPU:    0
EIP:    0010:[<c0198dcd>]    Not tainted
EFLAGS: 00010046
eax: 00000000   ebx: c3a92ea0   ecx: 00000000   edx: c3a92eb0
esi: 00000246   edi: 00000000   ebp: c3a63e08   esp: c3a63cd0
ds: 0018   es: 0018   ss: 0018
Process boa (pid: 1305, stackpage=c3a63000)
Stack: c3a8c000 c356382e 00000283 00000000 00000000 c3a92ea0 c3a92efc 
        c3a92ea0 c11d6e00 c376b820 c11ad7e0 000001f4 c3435648 00000010 
        00000096 691000a7 abc9c507 c3563852 c38949ac 00000000 15b28679 
Call Trace: [<c784b69b>] [<c7847a2d>] [<c019570c>] [<c784a88d>] [<c783d7f9>]
    [<c01958bb>] [<c0195a33>] [<c784c05b>] [<c784b74f>] [<c0115fde>] 
    [<c01fc382>] [<c01cb987>] [<c01929a1>] [<c019570c>] [<c784c29f>] 
    [<c012c126>] [<c0115651>] [<c0106cf3>]
Code: ff 80 dc 00 00 00 b8 e0 26 26 c0 83 c0 0c 89 43 08 8b 50 08

 >>EIP; c0198dcd <netif_rx+4d/110>   <=====
Trace; c784b69b <[hostap]hostap_proc+573b/13100>
Trace; c7847a2d <[hostap]hostap_proc+1acd/13100>
Trace; c019570c <alloc_skb+dc/1b0>
Trace; c784a88d <[hostap]hostap_proc+492d/13100>
Trace; c783d7f9 <[hostap]hostap_info_process+55/1f0>
Trace; c01958bb <kfree_skbmem+b/70>
Trace; c0195a33 <__kfree_skb+113/120>
Trace; c784c05b <[hostap]hostap_proc+60fb/13100>
Trace; c784b74f <[hostap]hostap_proc+57ef/13100>
Trace; c0115fde <tasklet_action+3e/70>
Trace; c0115e43 <do_softirq+53/a0>
Trace; c01fc382 <stext_lock+26a2/3516>
Trace; c01cb987 <inet_recvmsg+37/50>
Trace; c01929a1 <sock_recvmsg+31/b0>
Trace; c019570c <alloc_skb+dc/1b0>
Trace; c784c29f <[hostap]hostap_proc+633f/13100>
Trace; c0192aba <sock_read+8a/a0>
Trace; c012c126 <sys_read+96/d0>
Trace; c0115651 <sys_time+11/50>
Trace; c0106cf3 <system_call+33/40>
Code;  c0198dcd <netif_rx+4d/110>
00000000 <_EIP>:
Code;  c0198dcd <netif_rx+4d/110>   <=====
    0:   ff 80 dc 00 00 00         incl   0xdc(%eax)   <=====
Code;  c0198dd3 <netif_rx+53/110>
    6:   b8 e0 26 26 c0            mov    $0xc02626e0,%eax
Code;  c0198dd8 <netif_rx+58/110>
    b:   83 c0 0c                  add    $0xc,%eax
Code;  c0198ddb <netif_rx+5b/110>
    e:   89 43 08                  mov    %eax,0x8(%ebx)
Code;  c0198dde <netif_rx+5e/110>
   11:   8b 50 08                  mov    0x8(%eax),%edx

  <0>Kernel panic: Aiee, killing interrupt handler


Justin Reigle

More information about the HostAP mailing list