BUG: kernel panic when loading hostap_cs driver

尤晓杰 yxj790222 at 163.com
Tue May 3 23:56:54 PDT 2022 

pcmcia_socket pcmcia_socket0: pccard: PCMCIA card inserted into slot 0
[   93.725847] pcmcia_socket pcmcia_socket0: cs: memory probe 0xf8000000-0xfb7fffff:
[   93.728955]  excluding 0xf8e00000-0xf917ffff 0xf9f80000-0xfa2fffff 0xfad80000-0xfb0fffff
[   93.735437] pcmcia 0.0: pcmcia: registering new device pcmcia0.0 (IRQ: 21)
[   93.751665] lib80211: common routines for IEEE802.11 drivers
[   93.751784] lib80211_crypt: registered algorithm 'NULL'
[   93.766734] hostap_cs: setting Vcc=33 (constant)
[   93.767468] hostap_cs: Registered netdevice wifi0
[   94.007603] prism2_hw_init: initialized in 192 ms
[   94.008738] wifi0: NIC: id=0x801b v1.0.0
[   94.008959] wifi0: PRI: id=0x15 v1.1.1
[   94.009170] wifi0: STA: id=0x1f v1.8.0
[   94.013604] wifi0: registered netdevice wlan0
[   94.065764] wifi0: Deauthenticate all stations
[   94.085347] prism2: wifi0: operating mode changed 3 -> 2
[   94.147965] wifi0: Preferred AP (SIOCSIWAP) is used only in Managed mode when host_roaming is enabled
[   94.158922] wifi0: LinkStatus=2 (Disconnected)
[   94.159164] wifi0: LinkStatus: BSSID=44:44:44:44:44:44
[   94.193395] wifi0: LinkStatus=2 (Disconnected)
[   94.193642] wifi0: LinkStatus: BSSID=44:44:44:44:44:44
[   94.221293] wifi0: LinkStatus=2 (Disconnected)
[   94.221533] wifi0: LinkStatus: BSSID=44:44:44:44:44:44
[   94.255313] wlan0: Trying to join BSSID 00:00:00:00:00:00
[   94.268349] wifi0: LinkStatus=2 (Disconnected)
[   94.268591] wifi0: LinkStatus: BSSID=44:44:44:44:44:44
[   94.292285] wifi0: LinkStatus=2 (Disconnected)
[   94.304589] wifi0: LinkStatus: BSSID=44:44:44:44:44:44
[   95.789355] ------------[ cut here ]------------
[   95.789439] refcount_t: addition on 0; use-after-free.
[   95.789529] WARNING: CPU: 1 PID: 0 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0x100
[   95.789653] Modules linked in: hostap_cs hostap lib80211 xfrm_user xfrm_algo l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pppox ppp_generic slhc snd_seq_dummy snd_hrtimer snd_seq snd_seq_device qrtr rt2800usb rt2x00usb rt2800lib rt2x00lib mac80211 snd_hda_codec_realtek pcmcia libarc4 snd_hda_codec_generic ledtrig_audio iTCO_wdt intel_pmc_bxt cfg80211 iTCO_vendor_support snd_hda_intel watchdog snd_intel_dspcfg coretemp snd_intel_sdw_acpi rfkill snd_hda_codec pcspkr sg snd_hda_core serio_raw snd_hwdep yenta_socket snd_pcm rng_core pcmcia_rsrc snd_timer pcmcia_core snd soundcore evdev acpi_cpufreq ipmi_devintf ipmi_msghandler msr parport_pc ppdev lp parport fuse configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common ata_generic i915 video i2c_algo_bit ata_piix ttm ehci_pci drm_kms_helper uhci_hcd libata ehci_hcd usbcore r8169 i2c_i801 psmouse i2c_smbus scsi_mod scsi_common
[   95.789839]  lpc_ich cec rc_core usb_common drm realtek mdio_devres libphy fan floppy button
[   95.791064] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-1-686-pae #1  Debian 5.17.3-1
[   95.791179] Hardware name: OEM OEM/MS-G31MEL, BIOS 6.00 PG 09/29/2009
[   95.791268] EIP: refcount_warn_saturate+0x7a/0x100
[   95.791341] Code: 01 e8 23 d5 40 00 0f 0b 58 c9 c3 8d 74 26 00 90 80 3d a7 4b c5 d1 00 75 c6 68 ec e8 a6 d1 c6 05 a7 4b c5 d1 01 e8 ff d4 40 00 <0f> 0b 58 c9 c3 90 80 3d a9 4b c5 d1 00 75 a6 68 c4 e8 a6 d1 c6 05
[   95.791584] EAX: 0000002a EBX: c50ce380 ECX: 00000027 EDX: 00010003
[   95.791673] ESI: c3bfa710 EDI: c3bfa000 EBP: c1201f7c ESP: c1201f78
[   95.791761] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210092
[   95.791856] CR0: 80050033 CR2: bf9afe5c CR3: 047cc000 CR4: 000006f0
[   95.791944] Call Trace:
[   95.797035]  <IRQ>
[   95.802101]  prism2_interrupt+0x72d/0x8a0 [hostap_cs]
[   95.807218]  ? prism2_hw_enable+0xc0/0xc0 [hostap_cs]
[   95.812350]  __handle_irq_event_percpu+0x43/0x160
[   95.817507]  handle_irq_event+0x2e/0x70
[   95.822610]  handle_fasteoi_irq+0x81/0x1c0
[   95.827666]  ? handle_edge_irq+0x10d/0x220
[   95.832682]  ? handle_level_irq+0x170/0x170
[   95.837653]  __handle_irq+0x86/0x90
[   95.842576]  </IRQ>
[   95.847463]  __common_interrupt+0x59/0xf0
[   95.852341]  common_interrupt+0x34/0x50
[   95.857183]  asm_common_interrupt+0x102/0x140
[   95.862019] EIP: mwait_idle+0x49/0x80
[   95.866838] Code: d5 d1 84 d2 78 3b 31 d2 89 d1 64 a1 40 d8 d5 d1 0f 01 c8 8b 00 a8 08 75 18 eb 07 0f 00 2d e2 fb 88 d1 31 c0 89 c1 fb 0f 01 c9 <eb> 06 8d 74 26 00 90 fb 64 a1 40 d8 d5 d1 f0 80 60 02 df 5d c3 66
[   95.876799] EAX: 00000000 EBX: 00000001 ECX: 00000000 EDX: 00000000
[   95.881723] ESI: c1123ac0 EDI: 00000000 EBP: c119bf5c ESP: c119bf5c
[   95.886608] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00200246
[   95.891566]  ? mwait_idle+0x49/0x80
[   95.896546]  arch_cpu_idle+0x12/0x20
[   95.901551]  default_idle_call+0x38/0xf0
[   95.906505]  do_idle+0x1b5/0x220
[   95.911482]  cpu_startup_entry+0x25/0x30
[   95.916501]  start_secondary+0xfd/0x130
[   95.921542]  startup_32_smp+0x161/0x164
[   95.926584] ---[ end trace 0000000000000000 ]---
[   95.931582] ------------[ cut here ]------------
[   95.936560] refcount_t: underflow; use-after-free.
[   95.941505] WARNING: CPU: 1 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x100
[   95.946524] Modules linked in: hostap_cs hostap lib80211 xfrm_user xfrm_algo l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pppox ppp_generic slhc snd_seq_dummy snd_hrtimer snd_seq snd_seq_device qrtr rt2800usb rt2x00usb rt2800lib rt2x00lib mac80211 snd_hda_codec_realtek pcmcia libarc4 snd_hda_codec_generic ledtrig_audio iTCO_wdt intel_pmc_bxt cfg80211 iTCO_vendor_support snd_hda_intel watchdog snd_intel_dspcfg coretemp snd_intel_sdw_acpi rfkill snd_hda_codec pcspkr sg snd_hda_core serio_raw snd_hwdep yenta_socket snd_pcm rng_core pcmcia_rsrc snd_timer pcmcia_core snd soundcore evdev acpi_cpufreq ipmi_devintf ipmi_msghandler msr parport_pc ppdev lp parport fuse configfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_common ata_generic i915 video i2c_algo_bit ata_piix ttm ehci_pci drm_kms_helper uhci_hcd libata ehci_hcd usbcore r8169 i2c_i801 psmouse i2c_smbus scsi_mod scsi_common
[   95.946694]  lpc_ich cec rc_core usb_common drm realtek mdio_devres libphy fan floppy button
[   95.989293] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W         5.17.0-1-686-pae #1  Debian 5.17.3-1
[   95.994834] Hardware name: OEM OEM/MS-G31MEL, BIOS 6.00 PG 09/29/2009
[   96.000393] EIP: refcount_warn_saturate+0xba/0x100
[   96.005989] Code: a9 4b c5 d1 01 e8 df d4 40 00 0f 0b 58 c9 c3 90 80 3d a6 4b c5 d1 00 75 86 68 18 e9 a6 d1 c6 05 a6 4b c5 d1 01 e8 bf d4 40 00 <0f> 0b 59 c9 c3 80 3d a4 4b c5 d1 00 0f 85 63 ff ff ff 68 70 e9 a6
[   96.017662] EAX: 00000026 EBX: c50ce380 ECX: 00000027 EDX: 00010003
[   96.023558] ESI: 00000000 EDI: c3bfa000 EBP: c1201f7c ESP: c1201f78
[   96.029403] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210092
[   96.035171] CR0: 80050033 CR2: bf9afe5c CR3: 047cc000 CR4: 000006f0
[   96.040846] Call Trace:
[   96.046355]  <IRQ>
[   96.051720]  prism2_interrupt+0x4c8/0x8a0 [hostap_cs]
[   96.057009]  ? prism2_hw_enable+0xc0/0xc0 [hostap_cs]
[   96.062165]  __handle_irq_event_percpu+0x43/0x160
[   96.067203]  handle_irq_event+0x2e/0x70
[   96.072179]  handle_fasteoi_irq+0x81/0x1c0
[   96.077097]  ? handle_edge_irq+0x10d/0x220
[   96.081960]  ? handle_level_irq+0x170/0x170
[   96.086790]  __handle_irq+0x86/0x90
[   96.091486]  </IRQ>
[   96.096032]  __common_interrupt+0x59/0xf0
[   96.100559]  common_interrupt+0x34/0x50
[   96.105077]  asm_common_interrupt+0x102/0x140
[   96.109570] EIP: mwait_idle+0x49/0x80
[   96.114027] Code: d5 d1 84 d2 78 3b 31 d2 89 d1 64 a1 40 d8 d5 d1 0f 01 c8 8b 00 a8 08 75 18 eb 07 0f 00 2d e2 fb 88 d1 31 c0 89 c1 fb 0f 01 c9 <eb> 06 8d 74 26 00 90 fb 64 a1 40 d8 d5 d1 f0 80 60 02 df 5d c3 66
[   96.123425] EAX: 00000000 EBX: 00000001 ECX: 00000000 EDX: 00000000
[   96.128178] ESI: c1123ac0 EDI: 00000000 EBP: c119bf5c ESP: c119bf5c
[   96.132943] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00200246
[   96.137743]  ? mwait_idle+0x49/0x80
[   96.142524]  arch_cpu_idle+0x12/0x20
[   96.147304]  default_idle_call+0x38/0xf0
[   96.152090]  do_idle+0x1b5/0x220
[   96.156873]  cpu_startup_entry+0x25/0x30
[   96.161663]  start_secondary+0xfd/0x130
[   96.166458]  startup_32_smp+0x161/0x164
[   96.171243] ---[ end trace 0000000000000000 ]---
[  164.422115] hostap_cs: CS_EVENT_PM_SUSPEND
[  164.422254] wifi0: hfa384x_cmd: entry still in list? (entry=42967eb0, type=0, res=500)
[  164.422268] wifi0: hfa384x_cmd: command was not completed (res=500, entry=42967eb0, type=0, cmd=0x0002, param0=0x0000, EVSTAT=0000 INTEN=0010)
[  164.422277] hostap_cs: Shutdown failed
[  165.323984] hostap_cs: CS_EVENT_PM_RESUME
[  165.517893] prism2_hw_init: initialized in 192 ms
[  177.814277] pcmcia_socket pcmcia_socket0: pccard: card ejected from slot 0
[  177.816627] wifi0: card already removed or not configured during shutdown
[  177.833482] wifi0: card already removed or not configured during shutdown
[10300.780113] perf: interrupt took too long (2502 > 2500), lowering kernel.perf_event_max_sample_rate to 79750
[14959.449901] perf: interrupt took too long (3129 > 3127), lowering kernel.perf_event_max_sample_rate to 63750
[21719.990276] rfkill: input handler disabled
[21736.845411] systemd-journald[235]: File /var/log/journal/65fa24862de84bcf938ce426090a6ac5/user-1000.journal corrupted or uncleanly shut down, renaming and replacing.
[21737.132527] rfkill: input handler enabled
[21739.040620] perf: interrupt took too long (3912 > 3911), lowering kernel.perf_event_max_sample_rate to 51000
[21741.281120] rfkill: input handler disabled
allan at debian:~$ 



chip set: isl3871ik18
hfa3841 also panic.

another bug:
when pccardctl eject, only wlan0 removed, wifi0 still exist, then pccard insert, wifi1 newly added.

More information about the Hostap mailing list