ieee80211_regdom=EU now causes oops after latest update

Attaching dmesg - BUG occurs at line 647

Bugtask added for intrepid's lbm, problem observed with lbm 2.6.27-14 (intrepid-proposed) too. Does not occur with 2.6.27-11 though. Therefore tagging regression-proposed.

Interestingly (?) on Intrepid the issue prevents the system from booting - I didn't notice this on Jaunty. Specifically, udev runs modprobe, which exits abnormally, which causes udev to get stuck / halt.

I blacklisted atk5k to allow the system to boot, then manually modprobed it. modprobe died with a segfault.

Attaching dmesg.

Hi Max,

Care to just confirm this remains with the 2.6.28-11.11 version of linux-backports-modules. The reason I ask is I see 2.6.28-11.11 was most recently updated to the 2009-03-17 compat-wireless stack - https://edge.launchpad.net/ubuntu/+source/linux-backports-modules-2.6.28 . I'll bring this to the attention of the kernel team as well. Thanks.

Confirmed still a problem with -11.11.

I suspect very much that this is related to the removal of this option as a result of moving to the new CRDA framework. This variable should not be required on Jaunty. Could you test to confirm you do not require it? I will investigate why it causes an ooops.

How do I test? Do I have to reconfigure my AP to channel 12/13 or is there an easier way?

@maxb -- you may get some messages about which frequencies are being allowed i believe, in dmesg. But the only concrete way to check is to find an AP on those channels and test there.

Should you still not be able to connect then there is a new way to specifiy where you are:

    iw reg <two letter iso country code>
    iw reg UK

We are seeing panics coming out of wiphy_update_regulatory() from LBM on
both Jaunty and Intrepid. These two carry the same basic code for the
wireless stack. Sample stack trace as here:

    [ 398.693189] BUG: unable to handle kernel NULL pointer dereference at 00000004
    [ 398.693206] IP: [<f8e1feb4>] :lbm_cw_cfg80211:wiphy_update_regulatory+0x1d4/0x420
    [ 398.693232] *pde = 00000000
    [ 398.693242] Oops: 0000 [#1] SMP
[...]
    [ 398.693479]
    [ 398.693487] Pid: 6314, comm: modprobe Not tainted (2.6.27-14-generic #1)
    [ 398.693496] EIP: 0060:[<f8e1feb4>] EFLAGS: 00010246 CPU: 1
    [ 398.693514] EIP is at wiphy_update_regulatory+0x1d4/0x420 [lbm_cw_cfg80211]
    [ 398.693523] EAX: 00000000 EBX: 00000410 ECX: f52e0060 EDX: 00000001
    [ 398.693532] ESI: f52e0000 EDI: f52e0060 EBP: f520fcb0 ESP: f520fc78
    [ 398.693541] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
    [ 398.693550] Process modprobe (pid: 6314, ti=f520e000 task=f5250000 task.ti=f520e000)
    [ 398.693558] Stack: c018a2ee c0495500 f52e0060 f6603000 f520fcc8 c01050f8 00004e17 013ef000
    [ 398.693581] 00000099 f8e1eece f52e0060 00000410 f52e0000 f52e0060 f520fccc f8e1e52e
    [ 398.693603] 00000002 00000002 fffffff4 00000000 f52e01e0 f520fd00 f8f472f0 00006957

The key thing to note is that we are panicing with a data reference to address 0x4. This is classically a structure offset relative to a NULL pointer. Looking at this function when we are called we may look at the band, and then we will handle beacons, and finally we will give the PHY a chance to see the information via the reg_notifier. None of the referenced information is at offset 0x4 in the structure:

    void wiphy_update_regulatory(struct wiphy *wiphy,
     enum nl80211_reg_initiator initiator)
    {
     enum ieee80211_band band;

     if (ignore_reg_update(wiphy, initiator))
      goto out;
     for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
      if (wiphy->bands[band])
       handle_band(wiphy, band);
     }
    out:
     reg_process_beacons(wiphy);
     if (wiphy->reg_notifier)
      wiphy->reg_notifier(wiphy, last_request);
    }

Looking at the reg_process_beacons() we can see it cals: reg_is_world_romaing():

    /* Reap the advantages of previously found beacons */
    static void reg_process_beacons(struct wiphy *wiphy)
    {
     if (!reg_is_world_roaming(wiphy))
      return;
     wiphy_update_beacon_reg(wiphy);
    }

and that references last_request->initiator:

    static bool reg_is_world_roaming(struct wiphy *wiphy)
    {
     if (is_world_regdom(cfg80211_regdomain->alpha2) ||
  (wiphy->regd && is_world_regdom(wiphy->regd->alpha2)))
      return true;
     if (last_request->initiator != NL80211_REGDOM_SET_BY_COUNTRY_IE &&
  wiphy->custom_regulatory)
      return true;
     return false;
    }

and _that_ is at offset 4, and as these two are static they are likely inlined into wiphy_update_regulatory():

    struct regulatory_request {
     int wiphy_idx;
     enum nl80211_reg_initiator initiator;
    [...]
    };

Note also that the definition of ignore_reg_updates() does the following:

    static bool ignore_reg_update(struct wiphy ...

Ok, linux-backports-modules-2.6.28 packages with the patch alluded to in my previous posting are now available at the URL below. If those of you who can reproduce this could test this out and report back that would help a lot. Packages are here:

    http://people.ubuntu.com/~apw/lp337929-jaunty/

OK, running Andy's deb, I see his printk, and things work (no oops).

Running lbm updated to master-2009-03-24 from ubuntu-jaunty-lbm.git without Andy's patch, things *also* work.

Regarding the comments on the the CRDA framework, I've now shifted my home AP to channel 13.

Using the master-2009-03-24 lbm build, without the module option, I *cannot* connect, and dmesg shows it going into the US regdom:
[ 14.740421] cfg80211: Using static regulatory domain info
[ 14.740445] cfg80211: Regulatory domain: US
[ 14.740451] (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 14.740459] (2402000 KHz - 2472000 KHz @ 40000 KHz), (600 mBi, 2700 mBm)
[ 14.740466] (5170000 KHz - 5190000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[ 14.740473] (5190000 KHz - 5210000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[ 14.740481] (5210000 KHz - 5230000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[ 14.740488] (5230000 KHz - 5330000 KHz @ 40000 KHz), (600 mBi, 2300 mBm)
[ 14.740496] (5735000 KHz - 5835000 KHz @ 40000 KHz), (600 mBi, 3000 mBm)
[ 14.740609] cfg80211: Calling CRDA for country: US
[ 14.882164] cfg80211: Regulatory domain changed to country: US
[ 14.882175] (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 14.882182] (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[ 14.882188] (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[ 14.882193] (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.882199] (5490000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 14.882205] (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)

So, then I *uninstalled* lbm completely to test the cfg80211 shipping in Jaunty's main kernel, removed the lbm modules and modprobed the older ones - and this *did* connect:
[ 374.154294] cfg80211: Calling CRDA to update world regulatory domain
[ 374.253460] cfg80211: World regulatory domain updated:
[ 374.253471] (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 374.253480] (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 374.253487] (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 374.253495] (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 374.253502] (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 374.253509] (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)

Shall we proceed from here by leaving this bug for the oops, and I'll file another concerning the need to manually specify regulatory domain in the backports-modules, but not for the main kernel?

(The -2.6.28 bugtask here could then be marked "Fix Committed" on the strength of what's currently in ubuntu-jaunty-lbm.git, though the Intrepid/-2.6.27 one still needs attention.)

@maxb -- agree completly, the fact that the main kernel is using CRDA and the LBM is not should be the subject of a separate bug. Will close off the Jaunty task on this one as you suggest, and get the Intrepid one sorted out.

CRDA issue reported as bug 349001.

This bug was fixed in the package linux-backports-modules-2.6.28 - 2.6.28-11.12

---------------
linux-backports-modules-2.6.28 (2.6.28-11.12) jaunty; urgency=low

  [Tim Gardner]

  * Update wireless-testing/compat-wireless to master-2009-03-24
    -LP: #329975

 -- Tim Gardner <email address hidden> Tue, 24 Mar 2009 17:40:33 -0600

Ok for Intrepid it is going to be safer to fix the issue in the version we already have in LBM for Intrepid. I believe we have identified the issue there and produced a patch for that release. I have applied this patch to the latest version of LBM and produced some test packages. If those of you who are affected and have Intrepid could test these packages and report back that would be very helpful. Packages may be found at the URL below:

    http://people.ubuntu.com/~apw/lp337929-intrepid/

Has anyone be able to test the intrepid versions of this fix? If you could and report back here that would help.

Tested, it works. :-)

(My AAO is currently dual-booting Jaunty and Intrepid - if you need further testing done, let me know.)

Committed for Andy after user feedback

 linux-backports-modules-2.6.27 (2.6.27-14.16) intrepid-proposed; urgency=low
 .
   [Upstream Kernel Changes]
 .
   * wiphy_update_regulatory: avoid beacons and notifiers if no
     regulatory_domain
     - LP: #337929