[ath9k-devel] Crash in 3.14.0+, divide error.

[ath9k-devel] Crash in 3.14.0+, divide error.

[Ben Greear]

This is a bit modified from stock upstream, but not many patches
to ath9k.  Seems beacon_interval can be zero or something like that?

It appears to crash in this method, so div_tu must be zero
in some cases.


/* Calculate the modulo of a 64 bit TSF snapshot with a TU divisor */
static u32 ath9k_mod_tsf64_tu(u64 tsf, u32 div_tu)
{
	u32 tsf_mod, tsf_hi, tsf_lo, mod_hi, mod_lo;

	tsf_mod = tsf & (BIT(10) - 1);
	tsf_hi = tsf >> 32;
	tsf_lo = ((u32) tsf) >> 10;

	mod_hi = tsf_hi % div_tu;
	mod_lo = ((mod_hi << 22) + tsf_lo) % div_tu;

	return (mod_lo << 10) | tsf_mod;
}


root@ath9k-138:~# [   94.018877] divide error: 0000 [#1] PREEMPT SMP
[   94.019023] Modules linked in: iptable_raw xt_CT nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntr]
[   94.057180] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC O 3.14.0+ #6
[   94.057180] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080015  0
[   94.057180] task: c0cdc9a0 ti: f600a000 task.ti: c0cd0000
[   94.057180] EIP: 0060:[<f87fb043>] EFLAGS: 00210082 CPU: 0
[   94.057180] EIP is at ath9k_get_next_tbtt+0x43/0x70 [ath9k]
[   94.057180] EAX: 00000000 EBX: 0326536e ECX: 00000000 EDX: 00000000
[   94.057180] ESI: 00000000 EDI: f1d8d1a0 EBP: f600be34 ESP: f600be2c
[   94.057180]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[   94.057180] CR0: 8005003b CR2: 0a9d5718 CR3: 33e1a000 CR4: 000007e0
[   94.057180] Stack:
[   94.057180]  00000000 00000000 f600be98 f87fb3df 00000000 f600be74 c0418f64 000007b6
[   94.057180]  f600be64 c0938d52 00000900 00000000 00000900 eacc8900 c0bebe4d f560a034
[   94.057180]  f560a014 f61f3064 f600be98 c0419110 2acc8940 00000000 000007b6 0000009c
[   94.057180] Call Trace:
[   94.057180]  [<f87fb3df>] ath9k_set_beacon+0x6f/0x410 [ath9k]
[   94.057180]  [<c0418f64>] ? check_addr+0x34/0xb0
[   94.057180]  [<c0938d52>] ? build_skb+0x32/0xd0
[   94.057180]  [<c0419110>] ? nommu_map_page+0x50/0x90
[   94.057180]  [<f8803257>] ath_rx_tasklet+0xed7/0x11e0 [ath9k]
[   94.057180]  [<f8801a8c>] ath9k_tasklet+0xec/0x2d0 [ath9k]
[   94.057180]  [<c0469c3e>] ? run_timer_softirq+0x13e/0x200
[   94.057180]  [<c04626a6>] tasklet_action+0x96/0xb0
[   94.057180]  [<c0462b34>] __do_softirq+0xd4/0x2b0
[   94.057180]  [<c045930b>] ? cbc_encrypt+0xb/0xf0
[   94.057180]  [<c09bca3b>] ? ping_get_port+0x15b/0x230
[   94.057180]  [<c0462a60>] ? irq_enter+0x70/0x70
[   94.057180]  <IRQ>
[   94.057180]  [<c0462e15>] ? irq_exit+0xb5/0xc0
[   94.057180]  [<c0a39edb>] ? do_IRQ+0x4b/0xe0
[   94.057180]  [<c0a39cec>] ? common_interrupt+0x2c/0x34
[   94.057180]  [<c0a324fd>] ? _raw_spin_unlock_irq+0xd/0x30
[   94.057180]  [<c0487311>] ? finish_task_switch+0x41/0xd0
[   94.057180]  [<c0a2ee20>] ? __schedule+0x360/0x7b0
[   94.057180]  [<c0481276>] ? hrtimer_start_range_ns+0x26/0x30
[   94.057180]  [<c0a2f393>] ? schedule+0x23/0x60
[   94.057180]  [<c0a2f4d4>] ? schedule_preempt_disabled+0x14/0x20
[   94.057180]  [<c04b30ab>] ? cpu_startup_entry+0x14b/0x240
[   94.057180]  [<c0a2a771>] ? rest_init+0x71/0x80
[   94.057180]  [<c0d72caa>] ? start_kernel+0x408/0x40e
[   94.057180]  [<c0d72713>] ? repair_env_string+0x5b/0x5b
[   94.057180]  [<c0d7237e>] ? i386_start_kernel+0x139/0x13c
[   94.057180] Code: ec 07 00 00 89 f1 8b 80 28 01 00 00 83 c0 02 c1 e0 0a 89 c2 c1 fa 1f 01 45 f0 11 55 f4 31 d24
[   94.057180] EIP: [<f87fb043>] ath9k_get_next_tbtt+0x43/0x70 [ath9k] SS:ESP 0068:f600be2c
[   94.057180] ---[ end trace add644cae91bacc4 ]---

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com

[ath9k-devel] Crash in 3.14.0+, divide error.

[Ben Greear]

On 04/11/2014 01:21 PM, Ben Greear wrote:
> This is a bit modified from stock upstream, but not many patches
> to ath9k.  Seems beacon_interval can be zero or something like that?

I'm not sure how much this matters, but this particular AP was on
an Ubuntu machine, and the reg-domain is all weird and I cannot
figure out how to make it more normal.  The upshot is that the AP
was trying to start on a channel it could not actually start on.

Maybe the crash can happen if we receive a PS beacon before
the VAP interface is properly configured with beacon interval?

Thanks,
Ben

> 
> It appears to crash in this method, so div_tu must be zero
> in some cases.
> 
> 
> /* Calculate the modulo of a 64 bit TSF snapshot with a TU divisor */
> static u32 ath9k_mod_tsf64_tu(u64 tsf, u32 div_tu)
> {
> 	u32 tsf_mod, tsf_hi, tsf_lo, mod_hi, mod_lo;
> 
> 	tsf_mod = tsf & (BIT(10) - 1);
> 	tsf_hi = tsf >> 32;
> 	tsf_lo = ((u32) tsf) >> 10;
> 
> 	mod_hi = tsf_hi % div_tu;
> 	mod_lo = ((mod_hi << 22) + tsf_lo) % div_tu;
> 
> 	return (mod_lo << 10) | tsf_mod;
> }
> 
> 
> root at ath9k-138:~# [   94.018877] divide error: 0000 [#1] PREEMPT SMP
> [   94.019023] Modules linked in: iptable_raw xt_CT nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntr]
> [   94.057180] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        WC O 3.14.0+ #6
> [   94.057180] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080015  0
> [   94.057180] task: c0cdc9a0 ti: f600a000 task.ti: c0cd0000
> [   94.057180] EIP: 0060:[<f87fb043>] EFLAGS: 00210082 CPU: 0
> [   94.057180] EIP is at ath9k_get_next_tbtt+0x43/0x70 [ath9k]
> [   94.057180] EAX: 00000000 EBX: 0326536e ECX: 00000000 EDX: 00000000
> [   94.057180] ESI: 00000000 EDI: f1d8d1a0 EBP: f600be34 ESP: f600be2c
> [   94.057180]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> [   94.057180] CR0: 8005003b CR2: 0a9d5718 CR3: 33e1a000 CR4: 000007e0
> [   94.057180] Stack:
> [   94.057180]  00000000 00000000 f600be98 f87fb3df 00000000 f600be74 c0418f64 000007b6
> [   94.057180]  f600be64 c0938d52 00000900 00000000 00000900 eacc8900 c0bebe4d f560a034
> [   94.057180]  f560a014 f61f3064 f600be98 c0419110 2acc8940 00000000 000007b6 0000009c
> [   94.057180] Call Trace:
> [   94.057180]  [<f87fb3df>] ath9k_set_beacon+0x6f/0x410 [ath9k]
> [   94.057180]  [<c0418f64>] ? check_addr+0x34/0xb0
> [   94.057180]  [<c0938d52>] ? build_skb+0x32/0xd0
> [   94.057180]  [<c0419110>] ? nommu_map_page+0x50/0x90
> [   94.057180]  [<f8803257>] ath_rx_tasklet+0xed7/0x11e0 [ath9k]
> [   94.057180]  [<f8801a8c>] ath9k_tasklet+0xec/0x2d0 [ath9k]
> [   94.057180]  [<c0469c3e>] ? run_timer_softirq+0x13e/0x200
> [   94.057180]  [<c04626a6>] tasklet_action+0x96/0xb0
> [   94.057180]  [<c0462b34>] __do_softirq+0xd4/0x2b0
> [   94.057180]  [<c045930b>] ? cbc_encrypt+0xb/0xf0
> [   94.057180]  [<c09bca3b>] ? ping_get_port+0x15b/0x230
> [   94.057180]  [<c0462a60>] ? irq_enter+0x70/0x70
> [   94.057180]  <IRQ>
> [   94.057180]  [<c0462e15>] ? irq_exit+0xb5/0xc0
> [   94.057180]  [<c0a39edb>] ? do_IRQ+0x4b/0xe0
> [   94.057180]  [<c0a39cec>] ? common_interrupt+0x2c/0x34
> [   94.057180]  [<c0a324fd>] ? _raw_spin_unlock_irq+0xd/0x30
> [   94.057180]  [<c0487311>] ? finish_task_switch+0x41/0xd0
> [   94.057180]  [<c0a2ee20>] ? __schedule+0x360/0x7b0
> [   94.057180]  [<c0481276>] ? hrtimer_start_range_ns+0x26/0x30
> [   94.057180]  [<c0a2f393>] ? schedule+0x23/0x60
> [   94.057180]  [<c0a2f4d4>] ? schedule_preempt_disabled+0x14/0x20
> [   94.057180]  [<c04b30ab>] ? cpu_startup_entry+0x14b/0x240
> [   94.057180]  [<c0a2a771>] ? rest_init+0x71/0x80
> [   94.057180]  [<c0d72caa>] ? start_kernel+0x408/0x40e
> [   94.057180]  [<c0d72713>] ? repair_env_string+0x5b/0x5b
> [   94.057180]  [<c0d7237e>] ? i386_start_kernel+0x139/0x13c
> [   94.057180] Code: ec 07 00 00 89 f1 8b 80 28 01 00 00 83 c0 02 c1 e0 0a 89 c2 c1 fa 1f 01 45 f0 11 55 f4 31 d24
> [   94.057180] EIP: [<f87fb043>] ath9k_get_next_tbtt+0x43/0x70 [ath9k] SS:ESP 0068:f600be2c
> [   94.057180] ---[ end trace add644cae91bacc4 ]---
> 


-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com