On 1/7/20 11:33 AM, Jouni Malinen wrote:
> On Tue, Jan 07, 2020 at 09:01:57AM +0100, Markus Theil wrote:
>> While running the hwsim test suite with address sanitizer and undefined
>> behavior sanitizer enabled, I got the following output from the p2p code. It
>> seems unrelated to my current work on nl80211 control port rx.
>>
>> I saw it in autogo_pbc and it is reproducible for me, if I run:
>>
>> ./run-tests.py autogo_2cli autogo_pbc
> Can you reproduce this with unmodified hostap.git snapshot? Which
> compiler version and which sanitizer parameters are you using with the
> compiler and linker? Could you please also send me wpa_supplicant debug
> log from such a case?

No, I am not able to reproduce it with an unmodified hostap.git. I realized that this bug originates from registering the socket owner flag on the nl80211 event socket in my rx path patch. Even after a bss gets freed, events related to this bss are received over the event socket. I'm currently working on an updated patch.

> I was unable to reproduce this at least with minimal
> -fsanitize=address,undefined check using that test case sequence.
>
>> ==53565==ERROR: AddressSanitizer: heap-use-after-free on address
>> #0 0x5651c04b7bec in wpa_driver_nl80211_mlme
>> ../src/drivers/driver_nl80211.c:3339
> This is the struct wpa_driver_nl80211_data instance for the group
> interface.
>
>> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:3821
>> #5 0x5651bff5a86c in wpas_p2p_group_delete
> And this code path should not be hit if the interface had already been
> removed.
>
>> #9 0x5651c0344e35 in wpa_supplicant_ctrl_iface_flush
>> /home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface.c:8045
> This is from the FLUSH command that is issued at the end of each test
> case.
>
>> freed by thread T0 here:
>> #2 0x5651c04c08e8 in wpa_driver_nl80211_deinit
>> ../src/drivers/driver_nl80211.c:2888
>> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6618
>> #7 0x5651bff5b0b5 in wpas_p2p_group_delete
>> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:957
>> #8 0x5651bff8260b in wpas_p2p_deauth_notif
> And this is where the group interface was first removed based on
> disconnection notification from the GO.
>
> In other words, that wpas_p2p_group_delete() operation from FLUSH should
> not really have happened after this..

Thanks for your explanation, they helped me find the root cause described above!
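The root cause described in the thread is a late event arriving for an interface object that has already been freed. The following added C example (not hostap code; the names iface_ctx, iface_register, iface_remove and dispatch_event are hypothetical, and the event records are constructed) shows the defensive pattern that avoids this class of heap-use-after-free: the dispatcher never holds a raw pointer across an interface's lifetime but resolves the target by its stable ifindex at dispatch time, and drops any event whose interface is no longer registered.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not hostap code: a registry of live per-interface objects
 * so that an event dispatcher drops events for interfaces that were already
 * removed instead of dereferencing a stale pointer. All names hypothetical. */

struct iface_ctx {
    int ifindex;               /* stable identifier carried in every event */
    unsigned long events_seen;
    struct iface_ctx *next;
};

/* Constructed event record standing in for a parsed netlink message. */
struct iface_event {
    int ifindex;
    const char *name;
};

static struct iface_ctx *live_ifaces;    /* interfaces that currently exist */
static unsigned long dropped_events;     /* late events for removed interfaces */

struct iface_ctx *iface_register(int ifindex)
{
    struct iface_ctx *ctx = calloc(1, sizeof(*ctx));
    if (!ctx)
        return NULL;
    ctx->ifindex = ifindex;
    ctx->next = live_ifaces;
    live_ifaces = ctx;
    return ctx;
}

/* Unlink and free. Returns 1 if removed, 0 if no such interface.
 * After this call no event can reach the freed object. */
int iface_remove(int ifindex)
{
    struct iface_ctx **pp;
    for (pp = &live_ifaces; *pp; pp = &(*pp)->next) {
        if ((*pp)->ifindex == ifindex) {
            struct iface_ctx *victim = *pp;
            *pp = victim->next;
            free(victim);
            return 1;
        }
    }
    return 0;
}

static struct iface_ctx *iface_lookup(int ifindex)
{
    struct iface_ctx *ctx;
    for (ctx = live_ifaces; ctx; ctx = ctx->next)
        if (ctx->ifindex == ifindex)
            return ctx;
    return NULL;
}

/* Resolve the target at dispatch time. Returns 1 if handled, 0 if the
 * event was dropped because its interface is gone. */
int dispatch_event(const struct iface_event *ev)
{
    struct iface_ctx *ctx = iface_lookup(ev->ifindex);
    if (!ctx) {
        dropped_events++;
        return 0;
    }
    ctx->events_seen++;
    return 1;
}

unsigned long iface_events_seen(int ifindex)
{
    struct iface_ctx *ctx = iface_lookup(ifindex);
    return ctx ? ctx->events_seen : 0;
}

unsigned long dropped_event_count(void)
{
    return dropped_events;
}

int main(void)
{
    /* Constructed sequence mirroring the thread: the group interface is
     * removed, then a late event for it still arrives on the socket. */
    struct iface_event e1 = { 3, "NEW_STATION" };
    struct iface_event e2 = { 3, "DEL_STATION" };

    iface_register(3);
    printf("%s on ifindex 3: %s\n", e1.name, dispatch_event(&e1) ? "handled" : "dropped");
    iface_remove(3);
    printf("%s on ifindex 3: %s\n", e2.name, dispatch_event(&e2) ? "handled" : "dropped");
    return 0;
}
```

The lookup costs a list walk per event, which is negligible next to the netlink receive path; the benefit is that ownership is decided once, in iface_remove(), and every later event is checked against the registry rather than against whatever pointer the socket callback happened to capture.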