We've noticed that there is a double free of a buffer. We added some code to trace this and discovered the following:
1. p80211knetdev_hard_start_xmit() calls wlandev->txframe (which is a function ptr to prism2sta_txframe).

2. On occasion the first call to hfa384x_copy_to_bap() in prism2sta_txframe() fails with a return code of 51757, this error causes p80211pb_free(pb) to be called. (The second call to hfa384x_copy_to_bap() can also cause this problem, but it seem to occur much less often).

3. Upon return of the error from wlandev->txframe, there is an additional call to free the pb, which then causes a kernel oops.

I put a "quick" fix into the prism2sta_txframe() in which if this error occurs, I don't free the buffer and let the code in p80211netdev_hard_start_xmit() do so which stops the crashing, but doesn't necessarily solve the root problem.

I'd like to better understand what is happening though and if this is a known problem...

We are running on an Arcom Single board computer using a National Semiconductor 233 Mhz Geode Media GX processor with 32 M SDRAM. Running Linux 2.2.18 with PCMCIA 3.1.25 and linux-wlan-ng-0.1.7 where this problem shows up. This problem does not show up on any of the other systems we are using. But also no other PCMCIA card has a similar problem on the Arcom board (Ran the Lucent Silver card overnite with no problems).

I'm going to try linux-wlan-ng-0.1.8pre10 tommorow though I did try pre8 earlier with no success.

-- 
Robert J. Berger
UltraDevices, Inc.
257 Castro Street, Suite 223 Mt. View CA. 94041
Voice: 408-882-4755 Fax: 408-490-2868
Email: rbergerultradevices.com  http://www.ultradevices.com
-----------------------------------------------
The Linux WLAN User's Mailing List
For more information about this list see:
http://www.absoval.com/linux-wlan/lists.html

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]