Firstly, it does not appear in madwifi-ng-r2625-20070729 and only appears in madwifi-ng-r2621-20070728. I think it has been fixed up.
Secondly, I also don't think it is 2.4.20's fault. And I guess 2.4.23 could be the same(not proved). My job is adding Atheros chip to a device which based on 2.4.20 kernel. I use 2.4.20 just because the supplier has not give me version on another kernel. But 2.4.20 has worked well with madwifi 0.9.0, 0.9.2 and for several months by many users.
Lastly, I will show what I have done at below. I am not familiar with kernel OOPs. I don't known how to print the panic screen and OOPs-test-module's screen. I write down the last panic screen words and /proc/ooops screen words onto paper. Then type them here. I'll try to write clearly.
Thanks for your patience and help.
insmod oops-test-0.1.0.o (not sure this filename)
insmod wlan.o
insmod wlan_acl.o
insmod wlan_scan_ap.o
insmod wlan_scan_sta.o
insmod wlan_wep.o
insmod wlan_xauth.o
insmod wlan_tkip.o
insmod wlan_ccmp.o
insmod ../ath_hal/ath_hal.o
insmod ../ath_rate/sample/ath_rate_sample.o
insmod ../ath_rate/onoe/ath_rate_onoe.o
insmod ../ath/ath_pci.o
ifconfig br0 down
brctl delbr br0
brctl addbr br0
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwconfig ath0 essid "ath0"
iwpriv ath0 bintval 100
iwconfig ath0 channel 9
iwpriv ath0 rsncaps 0
iwpriv ath0 wpa 0
iwpriv ath0 uapsd 0
iwpriv ath0 authmode 1
iwpriv ath0 keymgtalgs 1

iwconfig ath0 key [1] 0000000000
iwconfig ath0 key [1]
iwconfig ath0 key on
ifconfig ath0 up
ifconfig ath0
brctl addif br0 $1
ifconfig br0 up
brctl show br0
brctl addif br0 eth0
ifconfig br0 up
brctl show br0
wait for 3 seconds, then kernel panic.
This is panic screen.
[<f888ffe4>]    ieee80211_recv_mgmt[wlan]   0x2bf0(0xc033fcc0))
[<c01b8eac>]  ata_output_data[kernel]        0xbc(0xc033fda4))
[<c01b8eac>]  ata_output_data[kernel]        0xbc(0xc033fdb4))
[<f8943646>]   ath_recv_mgmt[ath_pci]       0x5e(0xc033fdec))
[<f8889995>]   ieee80211_input[wlan]          0x575(0xc033fe24))
[<c01ea7b4>]  pskb_expand_head[kernel]     0xdc(0xc033fe60))
[<f888aa63>]   ieee80211_iinput_all[wlan]    0x77(0xc033fea8))
[<f894c2bd>]   __func__.47[ath_pci]          0x0(0xc033fec0))
[<f8943dc5>]   ath_rx_tasklet[ath_pci]       0x605(0xc033fee8))
[<c01209b6>]  tasklet_action[kernel]          0x46(0xc033ff44))
[<c0120885>]  do_softirq[kernel]               0x95(0xc033ff50))
[<c010a9ae>]  do_irq[kernel]                   0xb2(0xc033ff68))
[<c010d3e8>]  call_do_IRQ[kernel]          0x5(0xc033ff88))
[<c0106443>]  default_idle[kernel]         0x23(0xc033ffb4))
[<c011513c>]  apm_cpu_idle[kernel]      0x23(0xc033ffc0))
[<c0115098>]  apm_cpu_idle[kernel]      0xa4(0xc033ffc4))
[<c0106fd0>]  default_idle[kernel]         0x0(0xc033ffd0))
[<c0107072>]  cpu_idle[kernel]            0x46(0xc033ffd4))
[<c0105000>]  stext[kernel]                0x0(0xc033ffe0))
Code 8b 9c 90 90 00 00 00 85 db 74 20 8d
       b4 26 00 00 00 00 fc 8b
<0> Kernel Panic: Aiee, killing interrupt handler!
In interrupt handler-not syncing.
After reboot,
'insmod oops-test-0.1.0'.
'cat /proc/oops'.
I am not sure the oops-test-module should be used in this way.
This is the screen.
<5> Generation Oops...
Unable to handle kernel NULL pointer dereference at address 00000000
   printing eip:
oopstest nls_iso8859_1 nls_cp437 vfat fat parport_pc lp parport autofs wlan_scan_sta ath_rate_sample ath_pci wlan ath_hal ipt_REJECT iptable_filter ip_tables
EIP is at oopstest_handle_proc[oopstest] 0x10(2.4.20-8)
     eax:00000016 ebx:f601d1c0 ecx:c0360d24 edx :f6273f7c
     esi:00000c00 edi:f2ba20000 ebp:f24bbf50 esp:f24bbf38
     ds:0068 es:0068 ss:0068
Process cat(pid:3122,stack page=f24bb000)
Stack:f8881108 c02ffa80 00000000 f2906ac0
         ffffffea 00001000 00001000 c01671e4
         f2ba2000 f24bbf80 00000000 00000c00
         f24bbf7c 00000000 f24ba00 f601d1c0
         00000000 00000000 00000000 00000000
         f2906ac0 ffffffea 00001000 c0143bd7
Call Trace:[<f8881108>].rodata.str1.1 [oopstest]   0x5(0xf24bbf38))
              [<c01671e4>]proc_file_read[kernel]        0xcc(0xf24bbf54))
              [<c0143bd7>]sys_read[kernel]              0xa3(0xf24bbf94))
              [<c01093b3>]system_call[kernel]          0x33(0xf24bbfc0))
Code: c7 05 00 00 00 00 00 00
        00 00 b8 00 00 00 00 c9
        c3 55 89 e5
Segmentation fault

Local listings, incredible imagery, and driving directions - all in one place! Find it!