Analysis of a kernel panic in a WiFi driver

Source: Internet  Editor: 程序博客网  Time: 2024/06/07 02:17

In software development, the error one least wants to meet is a kernel panic. This post records a brief analysis of a kernel panic that occurred in a WiFi driver.
  • Problem description

Wireless multi-user connection tests were run with the VERIWAVE application, covering association, authentication, traffic, and disassociation. With 63 clients configured and WEP encryption, the first test run completed correctly; on the second run the AP hit a kernel panic. After a system reboot, the same steps reproduce the panic every time.


  • Log

Line 001:    Unable to handle kernel NULL pointer dereference at virtual address 00000020
Line 002:    pgd = c0004000
Line 003:    [00000020] *pgd=00000000
Line 004:    Internal error: Oops: 17 [#1]
Line 005:    Modules linked in: xfrm4_mode_tunnel xfrm4_mode_transport l2tp_ppp l2tp_core l2_drv ath_pktlog(P) umac ath_dev(P) hst_tx99(P) ath_dfs(P) ath_spectral(P) ath_rate_atheros(P) ath_hal(P) asf(P) adf(P) eth_drv iptable_filter iptable_nat nf_nat ip6table_filter ip_tables ip6_tables nf_conntrack_ipv6 nf_defrag_ipv6 nf_conntrack_tftp nf_conntrack_ftp ppp_async crc_ccitt pppoe pppox ppp_generic slhc xt_state mdr_dbg_mod misc_mod
Line 006:    CPU: 0    Tainted: P        W    (3.0.6_cig002 #14)
Line 007:    PC is at cwm_get_width+0x14/0x24 [umac]
Line 008:    LR is at ieee80211_alloc_node+0x234/0x444 [umac]
Line 009:    pc : [<bf66fee4>]    lr : [<bf6495ec>]    psr: a0000113
Line 010:    sp : c03ff8d8  ip : c03ff8e8  fp : c03ff8e4
Line 011:    r10: c5fca028  r9 : ffffffff  r8 : cbca9988
Line 012:    r7 : bf6e5558  r6 : 00000000  r5 : c5854000  r4 : c5fca000
Line 013:    r3 : 00000000  r2 : bf66fed0  r1 : 00003068  r0 : cbca83c0
Line 014:    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Line 015:    Control: 10c5387d  Table: 09cb4019  DAC: 00000015
Line 016:    Process swapper (pid: 0, stack limit = 0xc03fe2e8)
Line 017:    Stack: (0xc03ff8d8 to 0xc0400000)
Line 018:    f8c0:                                                       c03ff944 c03ff8e8
Line 019:    f8e0: bf6495ec bf66fedc ffffffff 00000016 00000000 00000000 00000000 cbca0000
Line 020:    f900: 00000400 00000080 c44c809a c5fcaae1 bf65829c cbca83c0 00000000 c5854000
Line 021:    f920: c5854000 c44c809a c44c80ae c44c8090 00000001 00000000 c03ff964 c03ff948
Line 022:    f940: bf64a3f4 bf6493c4 00000000 c5854000 c5806000 c44c809a c03ff9c4 c03ff968
Line 023:    f960: bf689aec bf64a3d8 00000001 c5fca108 00000000 00000000 c44c609a c5fca108
Line 024:    f980: 00000000 00000001 00000071 ca3ef2c0 c5806000 c5fca111 c03ff9f4 00000000
Line 025:    f9a0: 00000006 cbceff20 c44c80ae c5806000 cbceff20 00000000 c03ff9f4 c03ff9c8
Line 026:    f9c0: bf6855a0 bf689690 00000000 00000000 cbceff20 bf6cffb0 c44c8090 c5854000
Line 027:    f9e0: 00000000 c5806ae0 c03ffa84 c03ff9f8 bf67de78 bf685568 00000000 00000000
Line 028:    fa00: cbceff20 00000001 c03ffa2c c03ffa18 c5854000 c00c3cf4 0000027b c03ffc10
Line 029:    fa20: 00000000 00000001 c021cfb8 c021ccf4 c03ffa4c c03ffa40 c022667c c021cf7c
Line 030:    fa40: c03ffa5c c03ffa50 bf53e14c c0226644 c03ffa84 c03ffa60 bf6cf950 c5854000
Line 031:    fa60: 00000000 c5806000 00000000 000000b0 cbceff20 c03ffc10 c03ffb14 c03ffa88
Line 032:    fa80: bf6b5cf0 bf67ce58 c03ffc10 c43af134 c03ffab4 c03ffaa0 bf60aed8 c006a644
Line 033:    faa0: c03ffad4 cb6575c0 c03ffacc c03ffab8 bf5f9ecc c5854110 c03ffadc c03ffad4
Line 034:    fac0: c03ffb04 c03ffad8 bf53e4f4 c43ae000 000000b0 c43ae000 00000000 c03ffae8
Line 035:    fae0: 00000000 00000008 c03ffb04 00000000 00000000 00000001 c5806000 c5854000
Line 036:    fb00: ffffffff 000012ec c03ffb8c c03ffb18 bf6b6ccc bf6b58f4 c03ffc10 00000000
Line 037:    fb20: c5806000 c6017000 c5806000 c5854000 c03ffb7c c03ffb40 bf648100 bf664a40
Line 038:    fb40: 00000000 c03ffb50 bf570484 c03ffbd0 00000000 00000000 c6017000 c473f380
Line 039:    fb60: 00000006 00000000 00000000 00005dc0 ca420000 0000096c cbca83c0 c03ffd28
Line 040:    fb80: c03ffc94 c03ffb90 bf66c1d0 bf6b6bfc c03ffbac c03ffba0 c021cfb8 c021ccf4
Line 041:    fba0: c03ffbbc c03ffbb0 c022667c 0000003b ca420000 c03ffd34 c03ffd31 cbceff20
Line 042:    fbc0: 00000000 0000003b ffffffdc 00005dc0 00000030 00000009 0005103b cbca0000
Line 043:    fbe0: 00000008 0000096c 00000000 00000000 ff960000 c03f096c 00000000 00000000
Line 044:    fc00: 00000000 00000000 00000000 000f9c87 00000000 0000003b ffffffdc 00005dc0
Line 045:    fc20: 00000030 00000009 0005103b 00000000 00000008 0000096c 00000000 00000000
Line 046:    fc40: ff960000 bf61096c 00000000 c03ffc58 00000000 00000000 00000000 00000000
Line 047:    fc60: 00000000 00000000 00000000 00000001 00000000 cbca0000 cbea7984 0000027c
Line 048:    fc80: 00000000 00000022 c03ffcbc c03ffc98 bf622530 bf66b860 cbca0000 c03ffd28
Line 049:    fca0: cbcba17c cbea7984 cbceff20 000000b0 c03ffcfc c03ffcc0 bf6080a8 bf6224ec
Line 050:    fcc0: 0000037b c4698000 00000022 00000000 c03ffcf4 c03ffd8f 000037d4 c44c8090
Line 051:    fce0: cbca0000 cbceff20 00000052 cbca1ce0 c03ffdbc c03ffd00 bf61d9ec bf607d14
Line 052:    fd00: c03ffd28 c03ffd8f cbceff20 743dd000 00000001 00000000 cbca37f8 ca420000
Line 053:    fd20: c03ffd28 ca1a8798 00000000 00000000 05103b3b dc000000 00010930 00005dc0
Line 054:    fd40: 00000018 00000000 00000000 ff960000 0000096c 00000000 00000000 00000000
Line 055:    fd60: c44c8060 cbcba17c cbea7984 00000000 00000000 00000000 00000000 00000000
Line 056:    fd80: cbca37f8 cbca83c0 c03ffdd4 003ffd98 bf61bd60 cbca0000 000025f6 00000000
Line 057:    fda0: 00000100 c0453700 00000000 0000000a c03ffddc c03ffdc0 bf61dfc0 bf61d6dc
Line 058:    fdc0: bf61df84 cbca0000 00000002 00000000 c03ffdec c03ffde0 bf6224dc bf61df90
Line 059:    fde0: c03ffeb4 c03ffdf0 bf5fb110 bf6224bc cbca0000 ca420000 c03ffe50 00000001
Line 060:    fe00: c03ffe34 cbca0000 c03ffe84 c03ffe18 bf55e748 bf54e024 bf55e4c8 cbca0000
Line 061:    fe20: 00000000 ca420000 cbca25c0 000025d4 00003428 bf5fbfc4 00000002 f0010473
Line 062:    fe40: 3b9ac9ff cbca25ec 00022c09 00000002 00000001 c03ffe60 c007fc60 cbca8000
Line 063:    fe60: 000031e8 000031ec 00000000 00000000 00000000 cbca8000 c03ffeac c03ffe88
Line 064:    fe80: bf6bdf30 c0064c90 000d0b98 00000000 c0453700 c040a314 00000000 00000100
Line 065:    fea0: c0453700 0000000a c03ffec4 c03ffeb8 bf6bc890 bf5faf90 c03ffee4 c03ffec8
Line 066:    fec0: c0065044 bf6bc878 c0064fc8 00000001 c045373c c03fe000 c03fff24 c03ffee8
Line 067:    fee0: c0065200 c0064fd4 c03fff0c c03ffef8 c008f0ec 00000006 00000000 0000003a
Line 068:    ff00: 00000000 0000001f c0404754 00004059 561f5811 00000000 c03fff34 c03fff28
Line 069:    ff20: c00655dc c0065188 c03fff4c c03fff38 c002706c c00655a0 ffffffff fbb21000
Line 070:    ff40: c03fffb4 c03fff50 c02f1334 c002700c 00000001 c040be20 c03fff88 c0038324
Line 071:    ff60: c03fe000 c040475c c04306c4 c0404754 00004059 561f5811 00000000 c03fffb4
Line 072:    ff80: c03fff98 c03fff98 c002db60 c002dcd4 60000013 ffffffff 00000000 c040011c
Line 073:    ffa0: c0023534 c0c6d9e0 c03fffc4 c03fffb8 c02e67e4 c002dc90 c03ffff4 c03fffc8
Line 074:    ffc0: c00088a4 c02e6790 c0008314 00000000 00000000 c0023534 00000000 10c53c7d
Line 075:    ffe0: c0400070 c0023530 00000000 c03ffff8 0000803c c000867c 00000000 00000000
Line 076:    Backtrace:
Line 077:    [<bf66fed0>] (cwm_get_width+0x0/0x24 [umac]) from [<bf6495ec>] (ieee80211_alloc_node+0x234/0x444 [umac])
Line 078:    [<bf6493b8>] (ieee80211_alloc_node+0x0/0x444 [umac]) from [<bf64a3f4>] (ieee80211_dup_bss+0x28/0xb4 [umac])
Line 079:    [<bf64a3cc>] (ieee80211_dup_bss+0x0/0xb4 [umac]) from [<bf689aec>] (mlme_recv_auth_ap+0x468/0x874 [umac])
Line 080:     r6:c44c809a r5:c5806000 r4:c5854000 r3:00000000
Line 081:    [<bf689684>] (mlme_recv_auth_ap+0x0/0x874 [umac]) from [<bf6855a0>] (ieee80211_mlme_recv_auth+0x44/0x6c [umac])
Line 082:    [<bf68555c>] (ieee80211_mlme_recv_auth+0x0/0x6c [umac]) from [<bf67de78>] (ieee80211_recv_mgmt+0x102c/0x1a98 [umac])
Line 083:     r6:c5806ae0 r5:00000000 r4:c5854000
Line 084:    [<bf67ce4c>] (ieee80211_recv_mgmt+0x0/0x1a98 [umac]) from [<bf6b5cf0>] (ieee80211_input+0x408/0x1308 [umac])
Line 085:    [<bf6b58e8>] (ieee80211_input+0x0/0x1308 [umac]) from [<bf6b6ccc>] (ieee80211_input_all+0xdc/0x16c [umac])
Line 086:    [<bf6b6bf0>] (ieee80211_input_all+0x0/0x16c [umac]) from [<bf66c1d0>] (ath_net80211_rx+0x97c/0xa7c [umac])
Line 087:    [<bf66b854>] (ath_net80211_rx+0x0/0xa7c [umac]) from [<bf622530>] (ath_rx_indicate+0x50/0xbc [ath_dev])
Line 088:    [<bf6224e0>] (ath_rx_indicate+0x0/0xbc [ath_dev]) from [<bf6080a8>] (ath_rx_process+0x3a0/0x6e0 [ath_dev])
Line 089:     r9:000000b0 r8:cbceff20 r7:cbea7984 r6:cbcba17c r5:c03ffd28
Line 090:    r4:cbca0000
Line 091:    [<bf607d08>] (ath_rx_process+0x0/0x6e0 [ath_dev]) from [<bf61d9ec>] (ath_rx_handler+0x31c/0x8b4 [ath_dev])
Line 092:    [<bf61d6d0>] (ath_rx_handler+0x0/0x8b4 [ath_dev]) from [<bf61dfc0>] (ath_rx_edma_tasklet+0x3c/0x50 [ath_dev])
Line 093:    [<bf61df84>] (ath_rx_edma_tasklet+0x0/0x50 [ath_dev]) from [<bf6224dc>] (ath_handle_rx_intr+0x2c/0x30 [ath_dev])
Line 094:     r6:00000000 r5:00000002 r4:cbca0000 r3:bf61df84
Line 095:    [<bf6224b0>] (ath_handle_rx_intr+0x0/0x30 [ath_dev]) from [<bf5fb110>] (ath_handle_intr+0x18c/0x8d0 [ath_dev])
Line 096:    [<bf5faf84>] (ath_handle_intr+0x0/0x8d0 [ath_dev]) from [<bf6bc890>] (ath_tasklet+0x24/0x28 [umac])
Line 097:    [<bf6bc86c>] (ath_tasklet+0x0/0x28 [umac]) from [<c0065044>] (tasklet_action+0x7c/0xc4)
Line 098:    [<c0064fc8>] (tasklet_action+0x0/0xc4) from [<c0065200>] (__do_softirq+0x84/0x114)
Line 099:     r6:c03fe000 r5:c045373c r4:00000001 r3:c0064fc8
Line 100:    [<c006517c>] (__do_softirq+0x0/0x114) from [<c00655dc>] (irq_exit+0x48/0x98)
Line 101:    [<c0065594>] (irq_exit+0x0/0x98) from [<c002706c>] (asm_do_IRQ+0x6c/0x8c)
Line 102:    [<c0027000>] (asm_do_IRQ+0x0/0x8c) from [<c02f1334>] (__irq_svc+0x34/0x1c0)
Line 103:    Exception stack(0xc03fff50 to 0xc03fff98)
Line 104:    ff40:                                     00000001 c040be20 c03fff88 c0038324
Line 105:    ff60: c03fe000 c040475c c04306c4 c0404754 00004059 561f5811 00000000 c03fffb4
Line 106:    ff80: c03fff98 c03fff98 c002db60 c002dcd4 60000013 ffffffff
Line 107:     r5:fbb21000 r4:ffffffff
Line 108:    [<c002dc84>] (cpu_idle+0x0/0x90) from [<c02e67e4>] (rest_init+0x60/0x78)
Line 109:     r6:c0c6d9e0 r5:c0023534 r4:c040011c r3:00000000
Line 110:    [<c02e6784>] (rest_init+0x0/0x78) from [<c00088a4>] (start_kernel+0x234/0x27c)
Line 111:    [<c0008670>] (start_kernel+0x0/0x27c) from [<0000803c>] (0x803c)
Line 112:    Code: e92dd800 e24cb004 e3031068 e7903001 (e5930020)
Line 113:    ---[ end trace 56ce92b11c53b5a8 ]---
Line 114:    Kernel panic - not syncing: Fatal exception in interrupt
Line 115:    Backtrace:
Line 116:    [<c0030478>] (dump_backtrace+0x0/0x110) from [<c02ecb34>] (dump_stack+0x18/0x1c)
Line 117:     r6:c03fe2e8 r5:c0403730 r4:c0432de8 r3:c040a284
Line 118:    [<c02ecb1c>] (dump_stack+0x0/0x1c) from [<c02eccd8>] (panic+0x5c/0x178)
Line 119:    [<c02ecc7c>] (panic+0x0/0x178) from [<c00308e4>] (die+0x17c/0x1bc)
Line 120:     r3:00000100 r2:c03ff6f8 r1:c0433230 r0:c039c190
Line 121:     r7:00000000
Line 122:    [<c0030768>] (die+0x0/0x1bc) from [<c02ecb94>] (__do_kernel_fault.part.1+0x5c/0x7c)
Line 123:     r8:00000000 r7:c03ff890 r6:00000000 r5:00000017 r4:00000020
Line 124:    [<c02ecb38>] (__do_kernel_fault.part.1+0x0/0x7c) from [<c02f3734>] (do_page_fault.part.2+0x260/0x278)
Line 125:     r7:00000020 r3:c03ff890
Line 126:    [<c02f34d4>] (do_page_fault.part.2+0x0/0x278) from [<c02f37a0>] (do_page_fault+0x54/0x60)
Line 127:    [<c02f374c>] (do_page_fault+0x0/0x60) from [<c0027284>] (do_DataAbort+0x3c/0xa0)
Line 128:     r6:00000020 r5:c0404d10 r4:00000017 r3:c02f374c
Line 129:    [<c0027248>] (do_DataAbort+0x0/0xa0) from [<c02f12ec>] (__dabt_svc+0x4c/0x60)
Line 130:    Exception stack(0xc03ff890 to 0xc03ff8d8)
Line 131:    f880:                                     cbca83c0 00003068 bf66fed0 00000000
Line 132:    f8a0: c5fca000 c5854000 00000000 bf6e5558 cbca9988 ffffffff c5fca028 c03ff8e4
Line 133:    f8c0: c03ff8e8 c03ff8d8 bf6495ec bf66fee4 a0000113 ffffffff
Line 134:     r7:bf6e5558 r6:00000000 r5:c03ff8c4 r4:ffffffff
Line 135:    [<bf66fed0>] (cwm_get_width+0x0/0x24 [umac]) from [<bf6495ec>] (ieee80211_alloc_node+0x234/0x444 [umac])
Line 136:    [<bf6493b8>] (ieee80211_alloc_node+0x0/0x444 [umac]) from [<bf64a3f4>] (ieee80211_dup_bss+0x28/0xb4 [umac])
Line 137:    [<bf64a3cc>] (ieee80211_dup_bss+0x0/0xb4 [umac]) from [<bf689aec>] (mlme_recv_auth_ap+0x468/0x874 [umac])
Line 138:     r6:c44c809a r5:c5806000 r4:c5854000 r3:00000000
Line 139:    [<bf689684>] (mlme_recv_auth_ap+0x0/0x874 [umac]) from [<bf6855a0>] (ieee80211_mlme_recv_auth+0x44/0x6c [umac])
Line 140:    [<bf68555c>] (ieee80211_mlme_recv_auth+0x0/0x6c [umac]) from [<bf67de78>] (ieee80211_recv_mgmt+0x102c/0x1a98 [umac])
Line 141:     r6:c5806ae0 r5:00000000 r4:c5854000
Line 142:    [<bf67ce4c>] (ieee80211_recv_mgmt+0x0/0x1a98 [umac]) from [<bf6b5cf0>] (ieee80211_input+0x408/0x1308 [umac])
Line 143:    [<bf6b58e8>] (ieee80211_input+0x0/0x1308 [umac]) from [<bf6b6ccc>] (ieee80211_input_all+0xdc/0x16c [umac])
Line 144:    [<bf6b6bf0>] (ieee80211_input_all+0x0/0x16c [umac]) from [<bf66c1d0>] (ath_net80211_rx+0x97c/0xa7c [umac])
Line 145:    [<bf66b854>] (ath_net80211_rx+0x0/0xa7c [umac]) from [<bf622530>] (ath_rx_indicate+0x50/0xbc [ath_dev])
Line 146:    [<bf6224e0>] (ath_rx_indicate+0x0/0xbc [ath_dev]) from [<bf6080a8>] (ath_rx_process+0x3a0/0x6e0 [ath_dev])
Line 147:     r9:000000b0 r8:cbceff20 r7:cbea7984 r6:cbcba17c r5:c03ffd28
Line 148:    r4:cbca0000
Line 149:    [<bf607d08>] (ath_rx_process+0x0/0x6e0 [ath_dev]) from [<bf61d9ec>] (ath_rx_handler+0x31c/0x8b4 [ath_dev])
Line 150:    [<bf61d6d0>] (ath_rx_handler+0x0/0x8b4 [ath_dev]) from [<bf61dfc0>] (ath_rx_edma_tasklet+0x3c/0x50 [ath_dev])
Line 151:    [<bf61df84>] (ath_rx_edma_tasklet+0x0/0x50 [ath_dev]) from [<bf6224dc>] (ath_handle_rx_intr+0x2c/0x30 [ath_dev])
Line 152:     r6:00000000 r5:00000002 r4:cbca0000 r3:bf61df84
Line 153:    [<bf6224b0>] (ath_handle_rx_intr+0x0/0x30 [ath_dev]) from [<bf5fb110>] (ath_handle_intr+0x18c/0x8d0 [ath_dev])
Line 154:    [<bf5faf84>] (ath_handle_intr+0x0/0x8d0 [ath_dev]) from [<bf6bc890>] (ath_tasklet+0x24/0x28 [umac])
Line 155:    [<bf6bc86c>] (ath_tasklet+0x0/0x28 [umac]) from [<c0065044>] (tasklet_action+0x7c/0xc4)
Line 156:    [<c0064fc8>] (tasklet_action+0x0/0xc4) from [<c0065200>] (__do_softirq+0x84/0x114)
Line 157:     r6:c03fe000 r5:c045373c r4:00000001 r3:c0064fc8
Line 158:    [<c006517c>] (__do_softirq+0x0/0x114) from [<c00655dc>] (irq_exit+0x48/0x98)
Line 159:    [<c0065594>] (irq_exit+0x0/0x98) from [<c002706c>] (asm_do_IRQ+0x6c/0x8c)
Line 160:    [<c0027000>] (asm_do_IRQ+0x0/0x8c) from [<c02f1334>] (__irq_svc+0x34/0x1c0)
Line 161:    Exception stack(0xc03fff50 to 0xc03fff98)
Line 162:    ff40:                                     00000001 c040be20 c03fff88 c0038324
Line 163:    ff60: c03fe000 c040475c c04306c4 c0404754 00004059 561f5811 00000000 c03fffb4
Line 164:    ff80: c03fff98 c03fff98 c002db60 c002dcd4 60000013 ffffffff
Line 165:     r5:fbb21000 r4:ffffffff
Line 166:    [<c002dc84>] (cpu_idle+0x0/0x90) from [<c02e67e4>] (rest_init+0x60/0x78)
Line 167:     r6:c0c6d9e0 r5:c0023534 r4:c040011c r3:00000000
Line 168:    [<c02e6784>] (rest_init+0x0/0x78) from [<c00088a4>] (start_kernel+0x234/0x27c)
Line 169:    [<c0008670>] (start_kernel+0x0/0x27c) from [<0000803c>] (0x803c)

  • Analysis

1.  Starting from the panic point

    First locate where the panic happened:
        Line 001:    Unable to handle kernel NULL pointer dereference at virtual address 00000020
        ...
        Line 077:    [<bf66fed0>] (cwm_get_width+0x0/0x24 [umac]) from [<bf6495ec>] (ieee80211_alloc_node+0x234/0x444 [umac])
 
    The panic occurs when the AP receives an auth frame from a station and has to allocate an ieee80211 node for it. When ieee80211_alloc_node() calls cwm_get_width(), a NULL pointer is dereferenced.
    
    Looking at the source:
        CWM_IEEE80211_WIDTH cwm_get_width(COM_DEV *dev)
        {
            CWM_IEEE80211_WIDTH width;
            /* CWM_HANDLE(dev) is dev->sc_cwm; cw_width is converted into the ieee80211 width enum */
            CWM_TO_IEEE80211_WIDTH(CWM_HANDLE(dev)->cw_width, width);
            return width;
        }
    This code takes dev, reads width = dev->sc_cwm->cw_width, and returns width.
    

2. Analyzing the function that panicked

     Now look at exactly where inside cwm_get_width the panic happened:
   
        Line 007:    PC is at cwm_get_width+0x14/0x24 [umac]
        Line 008:    LR is at ieee80211_alloc_node+0x234/0x444 [umac]
        Line 009:    pc : [<bf66fee4>]    lr : [<bf6495ec>]    psr: a0000113
        Line 010:    sp : c03ff8d8  ip : c03ff8e8  fp : c03ff8e4
        Line 011:    r10: c5fca028  r9 : ffffffff  r8 : cbca9988
        Line 012:    r7 : bf6e5558  r6 : 00000000  r5 : c5854000  r4 : c5fca000
        Line 013:    r3 : 00000000  r2 : bf66fed0  r1 : 00003068  r0 : cbca83c0
        Line 014:    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
        Line 015:    Control: 10c5387d  Table: 09cb4019  DAC: 00000015
        Line 016:    Process swapper (pid: 0, stack limit = 0xc03fe2e8)
        Line 017:    Stack: (0xc03ff8d8 to 0xc0400000)
    
     From this we can tell that cwm_get_width is defined in umac.ko.
     
     Disassemble it with objdump:
        objdump -d file     disassemble only the sections of the file expected to contain executable instructions
        objdump -D file     like -d, but disassemble all sections of the file

     Here I used the -d option:     objdump -d umac.ko > tmp.txt
     
     In tmp.txt, find the assembly for cwm_get_width:
         00030ed0 <cwm_get_width>:
           30ed0:    e1a0c00d     mov    ip, sp
           30ed4:    e92dd800     push    {fp, ip, lr, pc}
           30ed8:    e24cb004     sub    fp, ip, #4
           30edc:    e3031068     movw    r1, #12392    ; 0x3068
           30ee0:    e7903001     ldr    r3, [r0, r1]
           30ee4:    e5930020     ldr    r0, [r3, #32]
           30ee8:    e2900000     adds    r0, r0, #0
           30eec:    13a00001     movne    r0, #1
           30ef0:    e89da800     ldm    sp, {fp, sp, pc}

        From Line 007 the crash is at offset +0x14, and 0x30ed0 + 0x14 = 0x30ee4.
        That instruction is 30ee4:    e5930020     ldr    r0, [r3, #32]. Checking the ARM assembly syntax for ldr: it loads the word at address r3 + #32 (0x20) into r0.
        At that moment, Line 013:    r3 : 00000000  r2 : bf66fed0  r1 : 00003068  r0 : cbca83c0  ---> r3 is all zeros, so the address being read is 0 + 0x20 = 00000020, exactly the NULL pointer dereference address reported on Line 001.
        So what should r3 have held? It is not hard to see that r3 holds dev->sc_cwm: the preceding instruction at 30ee0 loaded it from dev (r0) at the offset 0x3068 held in r1. So the sc_cwm field of the dev structure was zeroed at some point.
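        As a worked check of the two steps above, here is an added example (my own code, not from the original post or the driver): it decodes the A32 LDR word-load forms that appear in the cwm_get_width disassembly, recomputes the address the faulting instruction read from the register dump, and maps the "PC is at" offset onto the objdump address. A useful cross-check it relies on: the word in parentheses at the end of the "Code:" line (Line 112) is the instruction the CPU faulted on, and it must match the one found at the computed address. The register values and opcodes are those quoted from the log; the decoder only accepts the plain pre-indexed forms used here and rejects everything else.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the post or the driver: decode the A32 LDR
 * word-load forms that appear in the cwm_get_width disassembly and recompute
 * the faulting address from the oops register dump. */

struct ldr_insn {
    unsigned rd;      /* destination register */
    unsigned rn;      /* base register */
    bool     reg_off; /* true: offset is a register (I bit set) */
    unsigned rm;      /* offset register when reg_off is true */
    uint32_t imm;     /* 12-bit immediate offset when reg_off is false */
    bool     add;     /* U bit: offset is added (true) or subtracted (false) */
};

/* Accept only the two forms seen above: "ldr rd, [rn, #imm]" and
 * "ldr rd, [rn, rm]" (AL condition, word, pre-indexed, no writeback, no shift).
 * Returns false for anything else, e.g. the push/ldm in the same function. */
bool decode_ldr(uint32_t insn, struct ldr_insn *out)
{
    if ((insn >> 28) != 0xEu)            return false; /* condition must be AL */
    if (((insn >> 26) & 3u) != 1u)       return false; /* single data transfer class */
    bool i = (insn >> 25) & 1u;          /* I: register (1) or immediate (0) offset */
    bool p = (insn >> 24) & 1u;          /* P: pre-indexed addressing */
    bool b = (insn >> 22) & 1u;          /* B: byte access */
    bool w = (insn >> 21) & 1u;          /* W: writeback */
    bool l = (insn >> 20) & 1u;          /* L: load */
    if (!p || b || w || !l)              return false;
    if (i && ((insn >> 4) & 0xFFu) != 0) return false; /* reject shifted register offsets */
    out->rn      = (insn >> 16) & 0xFu;
    out->rd      = (insn >> 12) & 0xFu;
    out->add     = (insn >> 23) & 1u;
    out->reg_off = i;
    out->rm      = insn & 0xFu;
    out->imm     = insn & 0xFFFu;
    return true;
}

/* Address the decoded LDR reads, given r0..r15 as the oops printed them. */
uint32_t ldr_effective_address(const struct ldr_insn *d, const uint32_t regs[16])
{
    uint32_t off = d->reg_off ? regs[d->rm] : d->imm;
    return d->add ? regs[d->rn] + off : regs[d->rn] - off;
}

/* "PC is at sym+0xOFF/0xLEN": the faulting instruction is at sym's address
 * in the objdump listing plus OFF. */
uint32_t faulting_insn_address(uint32_t sym_addr_in_objdump, uint32_t pc_offset)
{
    return sym_addr_in_objdump + pc_offset;
}

int main(void)
{
    /* Register file copied from Line 009..013 of the oops (r13..r15 = sp, lr, pc). */
    uint32_t regs[16] = {0};
    regs[0]  = 0xcbca83c0u; regs[1]  = 0x00003068u; regs[2]  = 0xbf66fed0u;
    regs[3]  = 0x00000000u; regs[4]  = 0xc5fca000u; regs[5]  = 0xc5854000u;
    regs[6]  = 0x00000000u; regs[7]  = 0xbf6e5558u; regs[8]  = 0xcbca9988u;
    regs[9]  = 0xffffffffu; regs[10] = 0xc5fca028u; regs[11] = 0xc03ff8e4u;
    regs[12] = 0xc03ff8e8u; regs[13] = 0xc03ff8d8u; regs[14] = 0xbf6495ecu;
    regs[15] = 0xbf66fee4u;

    /* Line 112 "Code:" ends with the faulting word in parentheses: (e5930020). */
    uint32_t faulting = 0xe5930020u;
    struct ldr_insn d;
    if (decode_ldr(faulting, &d) && !d.reg_off)
        printf("ldr r%u, [r%u, #%u] reads 0x%08x  (Line 001 reports 00000020)\n",
               d.rd, d.rn, d.imm, ldr_effective_address(&d, regs));

    /* The preceding instruction loaded r3 = *(dev + 0x3068), i.e. dev->sc_cwm. */
    if (decode_ldr(0xe7903001u, &d) && d.reg_off)
        printf("ldr r%u, [r%u, r%u] reads dev + 0x%x\n", d.rd, d.rn, d.rm, regs[d.rm]);

    printf("cwm_get_width+0x14 is at 0x%05x in umac.ko\n",
           faulting_insn_address(0x30ed0u, 0x14u));
    return 0;
}
```

        With the quoted registers the first decode yields "ldr r0, [r3, #32]" reading address 0x00000020, which is the value on Line 001, and the second shows r3 being filled from dev + 0x3068. When the parenthesised "Code:" word and the instruction at sym+OFF in objdump disagree, the module in the log and the .ko on disk are not the same build and the analysis has to start over with the matching binary.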
        

3. Analyzing the cause of the panic

    Next, work out when sc_cwm gets zeroed.
    First I went through the code that initializes and assigns sc_cwm, looking for anything suspicious, and found it all in order. Then I looked at where the sc_cwm variable sits in the structure; the neighbouring fields are:
        struct ieee80211_node    *sc_keyixmap[ATH_KEYMAX];            /* key ix->node map */
        struct ath_cwm           *sc_cwm;                              /* Channel Width Management */
        TAILQ_HEAD(ath_amsdu_txq,ath_amsdu_tx)    sc_amsdu_txq;       /* amsdu tx requests */

    Here sc_keyixmap[] is very suspicious: the first test run was normal and the second failed, so most likely an out-of-bounds write to the sc_keyixmap[] array during the first run clobbered sc_cwm, which sits immediately after it in memory.
    On inspection this was indeed the case: ath_key_delete() assigns NULL into the array, and it contained a bug that allowed the index to run past the end of the array.
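    The adjacency argument above can be checked with offsetof(). The following is an added example of mine, not the driver's code: a toy structure with the three quoted fields in the same order, a helper that computes where a store to sc_keyixmap[keyix] would land, and a bounds-checked version of the clearing step that a key-delete path should use. ATH_KEYMAX is assumed to be 128 here (the real driver defines its own value), the two pointed-to struct types are left opaque, and a two-pointer struct stands in for the TAILQ_HEAD.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the driver's code. A cut-down softc with only the three
 * fields quoted above, kept in the same order, so that offsetof() shows why an
 * out-of-range sc_keyixmap index lands exactly on sc_cwm. ATH_KEYMAX is an
 * assumed value here; the real driver defines its own. */
#define ATH_KEYMAX 128

struct ieee80211_node;   /* opaque in this example */
struct ath_cwm;          /* opaque in this example */
struct amsdu_txq_head { void *first, *last; }; /* stand-in for the TAILQ_HEAD */

struct ath_softc_toy {
    struct ieee80211_node *sc_keyixmap[ATH_KEYMAX]; /* key ix -> node map */
    struct ath_cwm        *sc_cwm;                  /* Channel Width Management */
    struct amsdu_txq_head  sc_amsdu_txq;            /* amsdu tx requests */
};

/* Byte offset that a store to sc_keyixmap[keyix] would hit, computed for any
 * keyix, including ones the table does not have. */
size_t keyixmap_slot_offset(unsigned keyix)
{
    return offsetof(struct ath_softc_toy, sc_keyixmap)
         + (size_t)keyix * sizeof(struct ieee80211_node *);
}

/* True when a store to sc_keyixmap[keyix] would overwrite sc_cwm. */
bool keyix_clobbers_sc_cwm(unsigned keyix)
{
    return keyixmap_slot_offset(keyix) == offsetof(struct ath_softc_toy, sc_cwm);
}

/* Hardened form of the clearing step in a key-delete path: validate the index
 * against the table size before touching memory. Returns true when the slot
 * was cleared and false when keyix was rejected. */
bool ath_key_delete_checked(struct ath_softc_toy *sc, unsigned keyix)
{
    if (keyix >= ATH_KEYMAX)
        return false;   /* out-of-range index: leave memory untouched */
    sc->sc_keyixmap[keyix] = NULL;
    return true;
}

int main(void)
{
    printf("sc_keyixmap[ATH_KEYMAX] would be written at offset %zu, sc_cwm is at offset %zu\n",
           keyixmap_slot_offset(ATH_KEYMAX), offsetof(struct ath_softc_toy, sc_cwm));
    printf("index %u clobbers sc_cwm: %s\n", ATH_KEYMAX,
           keyix_clobbers_sc_cwm(ATH_KEYMAX) ? "yes" : "no");

    struct ath_softc_toy sc;
    memset(&sc, 0, sizeof sc);
    sc.sc_cwm = (struct ath_cwm *)&sc;   /* any non-NULL marker value */
    printf("delete keyix %u accepted: %s, sc_cwm still set: %s\n", ATH_KEYMAX,
           ath_key_delete_checked(&sc, ATH_KEYMAX) ? "yes" : "no",
           sc.sc_cwm ? "yes" : "no");
    return 0;
}
```

    Because a pointer array is followed directly by a pointer field, the first slot past the end of sc_keyixmap is sc_cwm itself, so a single off-by-one NULL store produces exactly the zeroed sc_cwm seen in the register dump, while the structure otherwise looks intact. That is why a stale or unvalidated key index should be rejected at the boundary rather than trusted by the delete path.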
    

In summary: a kernel panic is nothing to fear, especially a bug that reproduces reliably like this one.