null pointer reference in iwl3945

Bug #318360 reported by David N. Welton on 2009-01-18
This bug affects 10 people
Affects Status Importance Assigned to Milestone
linux-backports-modules-2.6.28 (Ubuntu)
Manoj Iyer
Declined for Jaunty by Leann Ogasawara

Bug Description

Binary package hint: linux-image-2.6.27-11-generic

1) I am using Intrepid

2) I'm using the package from proposed updates:

Linux fortrock 2.6.27-11-generic #1 SMP Thu Jan 15 11:03:58 UTC 2009 i686 GNU/Linux

root@fortrock:~# apt-cache policy linux-image-2.6.27-11-generic
  Installed: 2.6.27-11.24
  Candidate: 2.6.27-11.24
  Version table:
 *** 2.6.27-11.24 0
        500 intrepid-proposed/main Packages
        100 /var/lib/dpkg/status

Here's the problem:

[ 48.491525] ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 48.562653] NET: Registered protocol family 17
[ 49.808050] iwl3945 0000:0b:00.0: Error sending REPLY_TX_PWR_TABLE_CMD: time out after 500ms
[ 49.808059] iwl3945 0000:0b:00.0: Error setting Tx power (-110).
[ 50.046974] iwl3945 0000:0b:00.0: Error: Response NULL in 'REPLY_ADD_STA'
[ 50.050089] BUG: unable to handle kernel NULL pointer dereference at 00000000
[ 50.050099] IP: [<edd133c0>]
[ 50.050107] *pde = 00000000
[ 50.050115] Oops: 0002 [#1] SMP
[ 50.050121] Modules linked in: af_packet i915 drm binfmt_misc bridge stp bnep sco rfcomm l2cap bluetooth ppdev ipv6 acpi_cpufreq cpufreq_conservative cpufreq_userspace cpufreq_ondemand cpufreq_stats freq_table cpufreq_powersave container pci_slot sbs sbshc iptable_filter ip_tables x_tables sbp2 parport_pc lp parport joydev snd_hda_intel snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi arc4 ecb crypto_blkcipher snd_rawmidi snd_seq_midi_event iwl3945 snd_seq iwlcore snd_timer rfkill snd_seq_device lbm_cw_mac80211 lbm_cw_cfg80211 sdhci_pci snd led_class iTCO_wdt video serio_raw ricoh_mmc output sdhci iTCO_vendor_support button battery mmc_core pcspkr soundcore wmi intel_agp ac psmouse dcdbas snd_page_alloc agpgart shpchp pci_hotplug evdev ext3 jbd usbhid mbcache hid sd_mod sr_mod crc_t10dif cdrom sg ata_generic pata_acpi b44 ata_piix ohci1394 libata scsi_mod dock ieee1394 ssb pcmcia pcmcia_core mii ehci_hcd uhci_hcd usbcore thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 50.050302]
[ 50.050308] Pid: 3336, comm: phy0 Not tainted (2.6.27-11-generic #1)
[ 50.050313] EIP: 0060:[<edd133c0>] EFLAGS: 00010286 CPU: 0
[ 50.050319] EIP is at 0xedd133c0
[ 50.050323] EAX: 00000000 EBX: f8bbc0e0 ECX: f7b20e60 EDX: f7b20e60
[ 50.050327] ESI: 0000000c EDI: 00000001 EBP: f7a97eb8 ESP: f7a97e6c
[ 50.050332] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 50.050337] Process phy0 (pid: 3336, ti=f7a96000 task=f7b057f0 task.ti=f7a96000)
[ 50.050341] Stack: f7a97e78 f7a97e78 f7b20e60 00000000 0001000d 0001000f 01010005 02010007
[ 50.050357] 03010009 0401000b 05010001 06010003 0001000a 00010014 00010037 0001006e
[ 50.050371] f7b20e60 f7b2c630 f7b2c604 f7a97f1c f8bb2b26 00000000 c21fbfe0 c21fbfe0
[ 50.050386] Call Trace:
[ 50.050392] [<f8bb2b26>] ? iwl3945_commit_rxon+0x346/0x860 [iwl3945]
[ 50.050410] [<c012a007>] ? load_balance_newidle+0x97/0x270
[ 50.050423] [<f8bb429e>] ? iwl3945_radio_kill_sw+0xe/0x1c0 [iwl3945]
[ 50.050437] [<c012853b>] ? finish_task_switch+0x2b/0xe0
[ 50.050447] [<f8bb58f3>] ? iwl3945_mac_config+0x1c3/0x270 [iwl3945]
[ 50.050462] [<f8bec342>] ? ieee80211_hw_config+0xb2/0xc0 [lbm_cw_mac80211]
[ 50.050486] [<f8bf063a>] ? ieee80211_scan_work+0x11a/0x180 [lbm_cw_mac80211]
[ 50.050511] [<f8bf0520>] ? ieee80211_scan_work+0x0/0x180 [lbm_cw_mac80211]
[ 50.050533] [<c01436f5>] ? run_workqueue+0x95/0x160
[ 50.050543] [<c0147626>] ? finish_wait+0x16/0x70
[ 50.050551] [<c0143998>] ? worker_thread+0x88/0xf0
[ 50.050559] [<c0147560>] ? autoremove_wake_function+0x0/0x50
[ 50.050567] [<c0143910>] ? worker_thread+0x0/0xf0
[ 50.050575] [<c01471f1>] ? kthread+0x41/0x80
[ 50.050583] [<c01471b0>] ? kthread+0x0/0x80
[ 50.050591] [<c0105297>] ? kernel_thread_helper+0x7/0x10
[ 50.050600] =======================
[ 50.050603] Code: 00 00 00 00 00 00 00 00 00 00 00 04 e0 d9 ed 00 ec d9 ed 00 e0 d9 ed 04 e0 d9 ed b8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 50.050687] EIP: [<edd133c0>] 0xedd133c0 SS:ESP 0068:f7a97e6c
[ 50.050701] ---[ end trace f6fc3aa4bdbce68a ]---

I was trying to attach to an open wireless network.

David N. Welton (davidnwelton) wrote :
David N. Welton (davidnwelton) wrote :

Here's the lspci output

Hi David,

Can you try installing the linux-backports-modules-intrepid package. It contains an updated compat-wireless stack. Please let us know if this prevents the panic from happening. Thanks.

Changed in linux:
status: New → Incomplete
David N. Welton (davidnwelton) wrote :

I already had that installed:

root@fortrock:~# apt-cache policy linux-backports-modules-intrepid-generic
  Version table:
 *** 0
        500 intrepid-proposed/main Packages
        100 /var/lib/dpkg/status 0
        500 intrepid-updates/main Packages
        500 intrepid-security/main Packages 0
        500 intrepid/main Packages

Thanks David,

I presume with lbm uninstalled that the panic occurs as well? So, if you'd be willing to test a few additional things we'd really appreciate it. First, care to give the most recent pre-release of Jaunty 9.04 (currently Alpha3) a try - . You should be able to test via a LiveCD. It would be helpful to know if this issue remains with this newer upcoming release. If Jaunty still proves to be problematic, we'd also appreiate if you'd be willing to test the latest compat-wireless stack from upstream. See step 4 of . This may be an issue we'll want to escalate upstream. Please let us know your results. Thanks.

Vassily Gavrilyak (gavrilyak) wrote :

I have installed current jaunty and have the same bug. It happens during shutdown/reboot.
The stacktrace looks the same, only the process that caused a bus is either NetworkManager or wpa_supplicant. Killing those processes before shutdown/reboot fixes the problem.
In intrepid everything works fine. At first I thought that I have, but after removing "quiet splash" from kernel command line I see kernel oops with stacktrace at shutdown. Upstream seems to have a patch for this bug May be some reordering of shutdown sequence will help too.
Unfortunately I do not know how to have this stacktrace and attach it here, cause it happens at shutdown and doesn't go to logs.

Vassily Gavrilyak (gavrilyak) wrote :

The same issue is on another laptop (Samsung Q310) with iwlagn driver. And it was already reported

So it looks like all the iwl* drivers affected with this bug.

Vassily Gavrilyak (gavrilyak) wrote :

Installing kernel from fixes this for me. I still have "Response NULL in 'REPLY_ADD_STA'" but this is not-fatal now, so the machine can halt/reboot normally.
Please apply upstream patch in Jaunty kernel, cause this can affect a large quantity of laptops with intel wireless cards.

Changed in linux (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Manoj Iyer (manjo) wrote :

Can you please point me the upstream patch that fixed this for you in jaunty ?

Changed in linux (Ubuntu):
assignee: nobody → manjo
Vassily Gavrilyak (gavrilyak) wrote :

The patch is an attachment in
Direct URL
It is for 2.6.27 kernel, actually, but it should fix the symptom, and computer will shutdown/reboot.

Vassily Gavrilyak (gavrilyak) wrote :

Also please look at this bug
It seems the same.

soc (simon-ochsenreither) wrote :

Same problem here, Ubuntu Jaunty, every update installed.

soc (simon-ochsenreither) wrote :

Oops, sorry; pressed "Save Changes" to early.
Dell Inspiron 6400, Intel Wireless 3945, Ubuntu Jaunty 9.04, latest kernel.

Vassily Gavrilyak (gavrilyak) wrote :

linux-backports-modules-jaunty fixed it for me. Will those changes be applied to "normal" kernel linux-image ?

Almacha (almacha) wrote :

I get the same bug on an ASUS U3S. It happens at shutdown, with the error:
iwlagn: Error: Reponse NULL in 'REPLY_ADD_STA'

Wireless device as reported by lspci:
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)

I am using jaunty RC, kernel 2.6.28-11-generic

Manoj Iyer (manjo) wrote :

The following patch fixes the problem, and is in latest Jaunty kernel. Can you please confirm that you do now see this problem with the latest Jaunty kernel?

commit 73e1a65d3c4a013f6fa56e47133be95143a75fe3
Author: Zhu Yi <email address hidden>
Date: Thu Jan 8 10:19:58 2009 -0800

    iwlwifi: remove CMD_WANT_SKB flag if send_cmd_sync failure

    In function iwl_send_cmd_sync(), if the flag CMD_WANT_SKB is set but
    we are not provided with a valid SKB (cmd->meta.u.skb == NULL), we need
    to remove the CMD_WANT_SKB flag from the TX cmd queue. Otherwise in case
    the cmd comes in later, it will possibly set an invalid address. Thus
    it causes an invalid memory access.

    This fixed the bug

    Signed-off-by: Zhu Yi <email address hidden>
    Signed-off-by: John W. Linville <email address hidden>

Almacha (almacha) wrote :

The bug still occurs for me with kernel package linux-image-2.6.28-11-generic, version 2.6.28-11.42.

It occurs when I reboot or shutdown my computer.

Hi Almacha,

Can you make sure you have linux-backports-modules-jaunty installed:

ogasawara@emiko:~$ apt-cache policy linux-backports-modules-jaunty
  Version table:
 *** 0
        500 jaunty/main Packages
        100 /var/lib/dpkg/status

I think Manoj meant to point you there as patch is available in that package because it has an updated compat-wireless stack as of 2009-03-24. Also see from Vassily who has confirmed the linux-backports-modules-jaunty packages resolves the issue for him.

@Vassily, it is not likely this patch will be pulled into the main kernel source, so please continue to us the linux-backports-modules-jaunty package. Thanks.

affects: linux (Ubuntu) → linux-backports-modules-2.6.28 (Ubuntu)
Almacha (almacha) wrote :

I installed linux-backports-modules-jaunty and now I don't get the bug any more. My machine now shutdown and reboots properly. (I still get the "Reponse NULL in 'REPLY_ADD_STA'" but not the general protection fault)


Setting this to Fix Released. I'm also declining the Jaunty nomination as this is already available through linux-backports-modules-jaunty and does not require a Stable Release Update. Thanks.

Changed in linux-backports-modules-2.6.28 (Ubuntu):
status: Triaged → Fix Released
Rocko (rockorequin) wrote :

The trouble with declining this for Jaunty is that the backports modules with the fix have introduced at least one other bug - for instance, I get if I use the backports modules, or this bug if not.

kkhan (kublakhan) wrote :

Furthermore, people without backports modules will have a crash on every shutdown; that's a pretty serious issue. I'm just a user, so I don't know about bug fixing policy, but installing another package does not seem like a fix to me. It's a work around. The system shouldn't crash just because I happen not to have the right package installed. (Especially since presumably some people won't know that they have to install backports modules to get rid of the crashes.)

Just my two cents.

daemacles (daemacles) wrote :

I have this issue to on HP pavilion dv2700. I also agree with kkhan. At the very least users with this chipset should be informed at some point during installation that there are issues and a possible fix exists, instead of having to resort to google, etc.

Almacha (almacha) wrote :

I also had this bug on a Dell Latitude E4200 and Dell Inspiron 1525. Installing linux-backports-modules-jaunty also solved it.

rt03 (tecnics321) wrote :

I also had this bug on a Dell Inspiron 1525. Installing linux-backports-modules-jaunty also solved it. Thanks. I love gnu-linux.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.