When txrate == 0, the ath_hardstart function jumps to hardstart_fail, sets bf_skb to NULL, then calls the cleanup function, which eventually calls bus_unmap_single and tries to pass bf->bf_skb->len as a parameter. Since bf_skb was set to NULL earlier, dereferencing the NULL pointer causes the kernel oops.

ath_hardstart(struct sk_buff *skb, struct net_device *dev)
{
    ...
hardstart_fail:
    /* Clear all SKBs from the buffers, we will clear them separately IF
     * we do not requeue them. */
    ATH_TXBUF_LOCK_IRQ(sc);
    STAILQ_FOREACH_SAFE(tbf, &bf_head, bf_list, tempbf) {
        tbf->bf_skb = NULL;
    }
    ATH_TXBUF_UNLOCK_IRQ(sc);
    /* Release the buffers, now that skbs are disconnected */
    ath_return_txbuf_list(sc, &bf_head);
    ...
}


cleanup_ath_buf(struct ath_softc *sc, struct ath_buf *bf, int direction)
{
    ...
    bus_unmap_single(
        sc->sc_bdev,
        bf->bf_skbaddr,
        (direction == BUS_DMA_FROMDEVICE ?
            sc->sc_rxbufsize : bf->bf_skb->len),
        direction);
    ...
}

How to fix this?





From: Joo Aun Saw <jasaw81@yahoo.com.au>
To: madwifi-userlist <madwifi-users@lists.sourceforge.net>
Sent: Wednesday, 17 December, 2008 12:45:52 PM
Subject: [Madwifi-users] Madwifi bug #1897

Hello,

I've recently discovered this bug (http://madwifi-project.org/ticket/1897) and this is a show stopper for me. Does anyone know any potential fix I can try?

Thanks.

JA.
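The following is an added example written for this thread; it is not madwifi code and not a patch from the project. It models the ordering problem analysed above (skbs detached at hardstart_fail, then the buffers returned through a cleanup that still reads bf->bf_skb->len) and shows one NULL-tolerant shape for the cleanup: record the mapped length at map time, check that a mapping exists before unmapping, and reset the address afterwards so a second pass cannot unmap twice. The struct layouts, the bf_skblen field, the next-pointer list and the stub bus_unmap_single are assumptions made so the example runs stand-alone.

```c
/* Added example, not madwifi code. Stand-ins for the driver structures,
 * the bf_skblen field and the stub bus_unmap_single are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

#define BUS_DMA_TODEVICE   1
#define BUS_DMA_FROMDEVICE 2

struct sk_buff { size_t len; };

struct ath_buf {
    struct sk_buff *bf_skb;     /* set to NULL by the fail path, as in the driver */
    unsigned long   bf_skbaddr; /* DMA address; 0 means "not mapped" */
    size_t          bf_skblen;  /* length recorded at map time (assumed field) */
    struct ath_buf *next;       /* stand-in for the STAILQ linkage */
};

struct ath_softc {
    size_t sc_rxbufsize;
    int    unmapped;            /* number of unmap calls, observable by callers */
};

/* Stub: a real driver would call the bus DMA API here. */
static void bus_unmap_single(struct ath_softc *sc, unsigned long addr,
                             size_t len, int direction)
{
    (void)direction;
    printf("unmap addr=0x%lx len=%zu\n", addr, len);
    sc->unmapped++;
}

/* Map a TX skb and record the length the later unmap will need. */
static void map_txbuf(struct ath_buf *bf, struct sk_buff *skb, unsigned long addr)
{
    bf->bf_skb     = skb;
    bf->bf_skbaddr = addr;
    bf->bf_skblen  = skb->len;
}

/* Hardened cleanup. The original computes the TX length as bf->bf_skb->len,
 * which dereferences NULL once hardstart_fail has cleared bf_skb. Here the
 * length comes from bf_skblen, the mapping is checked before use, and
 * bf_skbaddr is reset so a repeated call cannot unmap twice.
 * Returns true if a mapping was released. */
static bool cleanup_ath_buf(struct ath_softc *sc, struct ath_buf *bf, int direction)
{
    if (bf->bf_skbaddr == 0)
        return false;
    size_t len = (direction == BUS_DMA_FROMDEVICE) ? sc->sc_rxbufsize
                                                   : bf->bf_skblen;
    bus_unmap_single(sc, bf->bf_skbaddr, len, direction);
    bf->bf_skbaddr = 0;
    bf->bf_skblen  = 0;
    return true;
}

/* Return every buffer on the list; reports how many mappings were released. */
static int ath_return_txbuf_list(struct ath_softc *sc, struct ath_buf *head)
{
    int n = 0;
    for (struct ath_buf *bf = head; bf != NULL; bf = bf->next)
        if (cleanup_ath_buf(sc, bf, BUS_DMA_TODEVICE))
            n++;
    return n;
}

/* Models the hardstart_fail label: skbs are detached first, then the
 * buffers are returned, the same order that trips the original cleanup. */
static int ath_hardstart_fail(struct ath_softc *sc, struct ath_buf *head)
{
    for (struct ath_buf *bf = head; bf != NULL; bf = bf->next)
        bf->bf_skb = NULL;
    return ath_return_txbuf_list(sc, head);
}

/* Runs the fail path over two constructed TX buffers and reports what happened. */
struct demo_result { int released; int unmapped; bool skbs_cleared; int released_again; };

static struct demo_result demo_fail_path(void)
{
    struct ath_softc sc = { .sc_rxbufsize = 1500, .unmapped = 0 };
    struct sk_buff s1 = { .len = 64 }, s2 = { .len = 128 };   /* constructed */
    struct ath_buf b1 = {0}, b2 = {0};
    map_txbuf(&b1, &s1, 0x1000);
    map_txbuf(&b2, &s2, 0x2000);
    b1.next = &b2;

    struct demo_result r;
    r.released      = ath_hardstart_fail(&sc, &b1);
    r.unmapped      = sc.unmapped;
    r.skbs_cleared  = (b1.bf_skb == NULL && b2.bf_skb == NULL
                       && b1.bf_skbaddr == 0 && b2.bf_skbaddr == 0);
    r.released_again = ath_return_txbuf_list(&sc, &b1);  /* nothing left to unmap */
    return r;
}

int main(void)
{
    struct demo_result r = demo_fail_path();
    printf("released=%d unmapped=%d cleared=%d again=%d\n",
           r.released, r.unmapped, r.skbs_cleared, r.released_again);
    return 0;
}
```

The point of the shape is that the unmap no longer needs anything reachable only through bf_skb, so the order in which hardstart_fail detaches skbs and returns buffers stops mattering; checking bf_skbaddr also makes the cleanup safe to run on a buffer that was never mapped or was already released.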

