ndiswrapper invalid buffer

Bug #136814 reported by Thomas Pryds
Affects: linux-ubuntu-modules-2.6.24 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Running Gutsy tribe 5, latest updates installed. Suddenly system beep, thereafter no network connection. dmesg shows ndiswrapper crash.

$ lspci | grep -i wireless
02:03.0 Network controller: Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller (rev 02)

From dmesg:

[ 3979.192000] ndiswrapper (NdisFreeBuffer:1180): invalid buffer
[ 3979.192000] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000494
[ 3979.192000] printing eip:
[ 3979.192000] c027da66
[ 3979.192000] *pde = 00000000
[ 3979.192000] Oops: 0000 [#1]
[ 3979.192000] SMP
[ 3979.192000] Modules linked in: binfmt_misc i915 drm rfcomm l2cap bluetooth capability ppdev cpufreq_ondemand cpufreq_conservative cpufreq_powersave cpufreq_userspace cpufreq_stats freq_table battery button container video ac sbs dock ipv6 ndiswrapper parport_pc lp parport fuse joydev snd_hda_intel snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss pcspkr psmouse serio_raw snd_seq_midi snd_rawmidi snd_seq_midi_event iTCO_wdt iTCO_vendor_support snd_seq snd_timer snd_seq_device af_packet intel_agp snd soundcore snd_page_alloc agpgart shpchp pci_hotplug evdev ext3 jbd mbcache sg sr_mod cdrom sd_mod ata_piix ata_generic libata scsi_mod b44 mii ehci_hcd uhci_hcd usbcore thermal processor fan apparmor commoncap aamatch_pcre
[ 3979.192000] CPU: 0
[ 3979.192000] EIP: 0060:[<c027da66>] Tainted: P VLI
[ 3979.192000] EFLAGS: 00010206 (2.6.22-10-generic #1)
[ 3979.192000] EIP is at kfree_skb+0x6/0x30
[ 3979.192000] eax: 000003e8 ebx: df411500 ecx: 000003e8 edx: 000003e8
[ 3979.192000] esi: d668be40 edi: d668be40 ebp: df1fd02c esp: d3ce5efc
[ 3979.192000] ds: 007b es: 007b fs: 00d8 gs: 0000 ss: 0068
[ 3979.192000] Process ntos_wq/0 (pid: 4168, ti=d3ce4000 task=de3fd480 task.ti=d3ce4000)
[ 3979.192000] Stack: e0464722 00000000 df411500 df1fd000 d668be40 e045720a e030e000 e030f4ac
[ 3979.192000] e0458b70 df1fd000 00000000 df1fd0ec df1fd000 e048b718 cfcf1200 d668be40
[ 3979.192000] 00000000 00000000 e0458b70 d3ce5f64 e048c8aa e045a5a0 e047d10c df411500
[ 3979.192000] Call Trace:
[ 3979.192000] [<e0464722>] free_tx_packet+0x62/0xb0 [ndiswrapper]
[ 3979.192000] [<e045720a>] NdisMSendComplete+0x8a/0xd0 [ndiswrapper]
[ 3979.192000] [<e0458b70>] NdisAcquireSpinLock+0x0/0x60 [ndiswrapper]
[ 3979.192000] [<e0458b70>] NdisAcquireSpinLock+0x0/0x60 [ndiswrapper]
[ 3979.192000] [<e045a5a0>] kdpc_worker+0x0/0xd0 [ndiswrapper]
[ 3979.192000] [<e0455de4>] deserialized_irq_handler+0x14/0x40 [ndiswrapper]
[ 3979.192000] [<e045a5cc>] kdpc_worker+0x2c/0xd0 [ndiswrapper]
[ 3979.192000] [<c0138251>] run_workqueue+0x81/0x110
[ 3979.192000] [<c013bea0>] prepare_to_wait+0x20/0x70
[ 3979.192000] [<c0138c50>] worker_thread+0x0/0x100
[ 3979.192000] [<c0138cf0>] worker_thread+0xa0/0x100
[ 3979.192000] [<c013bcf0>] autoremove_wake_function+0x0/0x50
[ 3979.192000] [<c0138c50>] worker_thread+0x0/0x100
[ 3979.192000] [<c013ba32>] kthread+0x42/0x70
[ 3979.192000] [<c013b9f0>] kthread+0x0/0x70
[ 3979.192000] [<c0105487>] kernel_thread_helper+0x7/0x10
[ 3979.192000] =======================
[ 3979.192000] Code: 44 24 04 2c 24 39 c0 c7 04 24 fe 2b 37 c0 e8 b2 b1 ea ff e8 7d 8a e8 ff e9 f4 fe ff ff 90 8d b4 26 00 00 00 00 85 c0 89 c2 74 23 <83> b8 ac 00 00 00 01 75 0c 0f ae e8 89 f6 89 d0 e9 b5 fe ff ff
[ 3979.192000] EIP: [<c027da66>] kfree_skb+0x6/0x30 SS:ESP 0068:d3ce5efc
[ 3979.192000] note: ntos_wq/0[4168] exited with preempt_count 2

If more info is necessary, please ask :-)

Tags: kernel-oops
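
Added example (not part of the original report, and not ndiswrapper or kernel code): the fault address in the first oops can be cross-checked against the register dump by decoding the instruction marked `<83>` in the `Code:` line. The function name `explain_fault` and the deliberately narrow decoder (i386 only, opcode `83` with a register-plus-displacement operand) are assumptions made here.

```python
import re

# Constructed sample: lines copied from the i386 oops in the report above,
# with the Code: line shortened to the bytes around the faulting instruction.
SAMPLE = """\
[ 3979.192000] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000494
[ 3979.192000] eax: 000003e8 ebx: df411500 ecx: 000003e8 edx: 000003e8
[ 3979.192000] esi: d668be40 edi: d668be40 ebp: df1fd02c esp: d3ce5efc
[ 3979.192000] Code: 85 c0 89 c2 74 23 <83> b8 ac 00 00 00 01 75 0c 0f ae e8
"""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM r/m order
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]   # 0x83 /reg ops


def explain_fault(oops):
    """Decode the memory operand of the faulting instruction (the byte marked
    <..> in the Code: line) and compare it with the reported fault address."""
    fault = int(re.search(r"dereference at (?:virtual address )?([0-9a-f]+)",
                          oops).group(1), 16)
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(e\w\w): ([0-9a-f]{8})", oops)}
    code = re.search(r"Code: (.*)", oops).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    ins = [int(b.strip("<>"), 16) for b in code[start:]]
    opcode, modrm = ins[0], ins[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    # Hypothetical narrow decoder: only "83 /r ib" with a [reg + disp8/32] operand.
    if opcode != 0x83 or mod not in (1, 2) or rm == 4:
        raise ValueError("instruction form not handled by this example")
    width = 1 if mod == 1 else 4
    disp = int.from_bytes(bytes(ins[2:2 + width]), "little", signed=True)
    base = REGS32[rm]
    return {
        "op": GROUP1[reg],
        "base_reg": base,
        "base_val": regs[base],
        "disp": disp,
        "computed": (regs[base] + disp) & 0xFFFFFFFF,
        "reported": fault,
    }


if __name__ == "__main__":
    print(explain_fault(SAMPLE))
```

For this oops the operand decodes to `[eax+0xac]` with eax = 0x3e8, which adds up to the reported 0x494: the base pointer was a small non-zero value, so it passed the `test eax,eax` check at the start of the excerpt before being dereferenced.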
Jason Rothfuss (jason-rothfuss) wrote :

I also have encountered this problem in Gutsy Tribe5 amd64.

# lspci -vv | grep -i wireless
06:02.0 Network controller: Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller (rev 02)

Information from /var/log/syslog below:

kernel: [51868.249251] ndiswrapper (NdisFreeBuffer:1180): invalid buffer
kernel: [51868.249275] Unable to handle kernel NULL pointer dereference at 00000000000005f5 RIP:
kernel: [51868.249278] [kfree_skb+5/48] kfree_skb+0x5/0x30
kernel: [51868.249286] PGD ccc8067 PUD 1d5de067 PMD 0
kernel: [51868.249289] Oops: 0000 [1] SMP
kernel: [51868.249292] CPU 0
kernel: [51868.249293] Modules linked in: binfmt_misc rfcomm l2cap bluetooth capability nfsd exportfs fglrx(P) ppdev ipv6 powernow_k8 cpufreq_powersave cpufreq_stats cpufreq_userspace cpufreq_ondemand cpufreq_conservative freq_table video battery container sbs button dock ac nfs lockd sunrpc af_packet tun ndiswrapper sbp2 parport_pc lp parport fuse joydev snd_atiixp snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi pcmcia snd_atiixp_modem snd_ac97_codec snd_seq_midi_event tifm_7xx1 tifm_core ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm sdhci mmc_core snd_seq snd_timer snd_seq_device pcspkr yenta_socket rsrc_nonstatic pcmcia_core psmouse serio_raw snd soundcore snd_page_alloc k8temp i2c_piix4 i2c_core shpchp pci_hotplug evdev reiserfs ide_cd cdrom 8139cp ide_disk atiixp ide_core 8139too mii ohci1394 ieee1394 ata_generic libata scsi_mod ehci_hcd ohci_hcd usbcore dm_mirror dm_snapshot dm_mod thermal processor fan apparmor commoncap aamatch_pcre
kernel: [51868.249340] Pid: 3744, comm: ntos_wq/0 Tainted: P 2.6.22-10-generic #1
kernel: [51868.249343] RIP: 0010:[kfree_skb+5/48] [kfree_skb+5/48] kfree_skb+0x5/0x30
kernel: [51868.249348] RSP: 0018:ffff81003763dd38 EFLAGS: 00010206
kernel: [51868.249352] RAX: 0000000000000246 RBX: ffff81003d0e1780 RCX: ffffffff80534ee8
kernel: [51868.249355] RDX: ffffffff80534ee8 RSI: 0000000000000086 RDI: 0000000000000511
kernel: [51868.249358] RBP: ffffffff8831a160 R08: 0000000000000000 R09: 0000000000000000
kernel: [51868.249361] R10: 0000000000000000 R11: 0000000000000006 R12: ffff81003d2e11a0
kernel: [51868.249364] R13: ffff8100217a9400 R14: 0000000000000000 R15: ffff8100217a9768
kernel: [51868.249368] FS: 00002b3f7bb32360(0000) GS:ffffffff80561000(0000) knlGS:00000000f7596b70
kernel: [51868.249371] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
kernel: [51868.249374] CR2: 00000000000005f5 CR3: 000000001de23000 CR4: 00000000000006e0
kernel: [51868.249378] Process ntos_wq/0 (pid: 3744, threadinfo ffff81003763c000, task ffff81003d280000)
kernel: [51868.249380] Stack: ffffffff883243de 0000000000000000 ffff81003d2e1000 ffffffff8831a160
kernel: [51868.249386] ffff81003d2e11a0 ffff81003e005a88 0000000000000000 0000000000000000
kernel: [51868.249390] ffffffff8832854b ffff81003d2e1048 ffff8100217a9400 ffffc2000081c3f0
kernel: [51868.249395] Call Trace:
kernel: [51868.249430] [_end+130838614/2130324600] :ndiswrapper:free_tx_packet+0x6e/0x170
kernel: [51868.249449] [_end+130797016/2130324600] :ndiswrapper:kdpc_worker+0x0/0xd0
kernel: [51868.249470] [_end+130855363/2130324600] :ndiswrapper:win2lin3+0x11/0x14...

Andreas Gnau (rondom) wrote :

Could you try with ndiswrapper 1.49rc1 and paste dmesg output again if it still doesn't work (run make uninstall before make install!).

Changed in ndiswrapper:
status: New → Confirmed
Adolfo González Blázquez (infinito) wrote :

This problem happens with Gutsy-rc ndiswrapper-common and ndiswrapper-utils-1.9 and with 1.49rc2 downloaded from upstream.

Using a Netgear WG111v2 wifi dongle which has a rtl8187 chip.

Adolfo González Blázquez (infinito) wrote :

I've tried a Zyxel ZyAir B-220 which has a zd1201 chip and this bug happens again.

Very big regression in here...

Adolfo González Blázquez (infinito) wrote :

BTW, it happens under high network load, so maybe it's related to this:
https://bugs.launchpad.net/ubuntu/+bug/147464

This is 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux

Adolfo González Blázquez (infinito) wrote :

With 2.6.20-16-server everything works ok.

With 2.6.22-14-server and ndiswrapper 1.43-1ubuntu2 kernel oops (see below).
With 2.6.22-14-server and ndiswrapper 1.49rc1 and 1.49rc3 the wifi dongle can't connect to the AP, so I don't know whether it will oops again once connected.

Note that this happens when amule is running, so high network load is going on... (#147464 again)

Kernel oops with 2.6.22-14-server and ndiswrapper 1.43-1ubuntu2:
[ 25.079236] ndiswrapper version 1.45 loaded (smp=yes)
[ 25.243121] usb 4-3: reset high speed USB device using ehci_hcd and address 2
[ 25.456137] ndiswrapper: driver net111v2 (NETGEAR Inc.,11/20/2006,5.1254.1120.2006) loaded
[ 27.689593] wlan0: ethernet device 00:18:4d:42:14:fe using NDIS driver: net111v2, version: 0x1, NDIS version: 0x500, vendor: 'Realtek Wireless LAN', 0846:6A00.F.conf
[ 27.689625] wlan0: encryption modes supported: WEP; TKIP with WPA, WPA2, WPA2PSK; AES/CCMP with WPA, WPA2, WPA2PSK
[ 27.689657] usbcore: registered new interface driver ndiswrapper
[ 28.538114] i2c-adapter i2c-0: Client creation failed at 0x2f (-22)
[ 29.130456] Adding 746980k swap on /dev/sda5. Priority:-1 extents:1 across:746980k
[ 29.437781] EXT3 FS on sda1, internal journal
[ 33.095795] No dock devices found.
[ 33.510551] eth0: no IPv6 routers present
[ 38.023705] wlan0: no IPv6 routers present
[ 104.323484] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
[ 104.323496] printing eip:
[ 104.323499] c02b60f9
[ 104.323501] *pdpt = 000000002dbe6001
[ 104.323503] *pde = 0000000000000000
[ 104.323508] Oops: 0002 [#1]
[ 104.323509] SMP
[ 104.323514] Modules linked in: video sbs dock battery container ac eeprom w83781d hwmon_vid ndiswrapper button lp snd_cmipci gameport snd_opl3_lib snd_hwdep snd_mpu401_uart snd_pcm_oss snd_pcm snd_page_alloc snd_mixer_oss snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device parport_pc parport snd pcspkr i2c_sis96x soundcore shpchp pci_hotplug i2c_core sis_agp agpgart evdev ipv6 8139too ext3 jbd mbcache sg sr_mod cdrom sd_mod 8139cp mii ehci_hcd ohci_hcd usbcore pata_sis ata_generic libata scsi_mod thermal processor fan fuse apparmor commoncap
[ 104.323577] CPU: 0
[ 104.323578] EIP: 0060:[<c02b60f9>] Tainted: P VLI
[ 104.323579] EFLAGS: 00010246 (2.6.22-14-server #1)
[ 104.323591] EIP is at tcp_disconnect+0xf9/0x480
[ 104.323595] eax: 00000000 ebx: e8b9a000 ecx: 00000286 edx: e8b9a06c
[ 104.323598] esi: e8b9a07c edi: ef32a300 ebp: ee5506a0 esp: edb7df34
[ 104.323601] ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
[ 104.323604] Process amuled (pid: 4306, ti=edb7c000 task=ef354f90 task.ti=edb7c000)
[ 104.323606] Stack: e8b8a088 c1517140 00000287 efffa780 e8b8a088 e8b9a000 00000002 e8b89600
[ 104.323615] 00000000 c02d13ab e8b89600 09261d20 091dcd70 edb7c000 c027c730 00000001
[ 104.323623] 00000000 0000000d c027e56e 0000003f 00000001 4714af74 14b6a168 bfd066bc
[ 104.323631] Call Trace:
[ 104.323649] [<c02d13ab>] inet_shutdown+0xcb/0xe0
[ 104.323662] [<c027c730>] sys_shutdown+0x50/0x70
[ 104.323673] [<c027e56e>] sys_sock...

Chow Loong Jin (hyperair) wrote :

I have that problem too. Both with ndiswrapper 1.45 and 1.48.

Chow Loong Jin (hyperair) wrote :

Erm I forgot to mention, but my kernel is 2.6.20-14-generic, and my card is supported by the "acx" module, the D-Link DWL-520+ card.

Currently I'm using the acx module, but would prefer not to. Signal's better with ndiswrapper.

Andreas Gnau (rondom) wrote :

Please check whether the problem still exists in 1.49. Install 1.49 from ndiswrapper.sf.net (don't forget to run sudo make uninstall before make and sudo make install).

hyperair, please note that the link quality is calculated differently from driver to driver. Make sure it's not just a different value but a real difference with regard to range, speed and so on.

Chow Loong Jin (hyperair) wrote :

I'd like to note that with the ACX driver, wireless connectivity hangs every 20 hours or so. Then I have to unload the ACX module, wait for 30 seconds and reload it. Using ndiswrapper I can do torrenting 24/7.

Also I found the problem. Ndiswrapper kept trying to connect to my network using restricted key mode. My network uses open authentication. I solved the problem by changing this in my /etc/network/interfaces:

wireless-key s:<key>

to

wireless-key open s:<key>

Chow Loong Jin (hyperair) wrote :

This problem still exists in Ubuntu Hardy. I noticed that Ubuntu Hardy, even with 2.6.24-2-generic kernel still uses 1.45. Why?

Andreas Gnau (rondom) wrote :

It makes more sense to add a recent release of ndiswrapper as late as possible, because there are new ndiswrapper releases quite often.

To be honest, I no longer understand what this bug is actually about. If your problem is different from the first one in the actual bug report, you have to open a new bug.
Bugs regarding the native acx driver don't belong to the ndiswrapper package.
Only post problems regarding ndiswrapper here, and use one bug report per problem, otherwise there is a lot of confusion for everyone: the original reporter of the bug, the developers, people like me...
If your problem is fixed by installing the latest version of ndiswrapper, the bug is a duplicate of bug 136814.

Hint: If your bug isn't fixed by installing the latest version, report your bug directly on ndiswrapper.sf.net.
http://ndiswrapper.sourceforge.net/joomla/index.php?/component/option,com_openwiki/Itemid,33/id,bugs/

Andreas Gnau (rondom) wrote :

Is this bug still present in hardy?

Changed in ndiswrapper:
status: Confirmed → Incomplete
Jonathan Thomas (echidnaman) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in linux-ubuntu-modules-2.6.24:
status: Incomplete → Invalid