More breakage in wireless-dev.git

Hello!

There are more problems with today's wireless-dev.git even after I
applied Johannes' two patches.

Even after updating DadWifi to the new API, it keeps crashing, and
debugging shows that it doesn't happen around the changed code.

One of the crashes happens in spin_lock_init() on a spinlock that has
just been allocated by ieee80211_alloc_hw().  Maybe the size of the
private area is miscalculated.  I have most checks enabled, including
Ingo's lockdep checker, but everything worked with yesterday's tree.

In another case, access to another field in the private area causes a
kernel oops.  Looking at the code now, I see that both fields are close
to the end of the structure used for private data.  I guess something is
either messing with the private data or not enough space is allocated.

To exclude issues with DadWifi, I tried bcm43xx_d80211 from the kernel.
It has always worked for me, but this time I got a message:

FOUND UNSUPPORTED PHY (Analog 4, Type 0, Revision 7)

An attempt to bring the interface down resulted in this:

slab error in verify_redzone_free(): cache `size-64': double free detected
Call Trace:
 [<ffffffff8027c091>] __slab_error+0x21/0x30
 [<ffffffff8027c908>] cache_free_debugcheck+0xf8/0x220
 [<ffffffff880371cf>] :bcm43xx_d80211:bcm43xx_wireless_core_exit+0x3f/0x90
 [<ffffffff8027cc00>] kfree+0xb0/0x120
 [<ffffffff880371cf>] :bcm43xx_d80211:bcm43xx_wireless_core_exit+0x3f/0x90
 [<ffffffff8803789c>] :bcm43xx_d80211:bcm43xx_remove_interface+0xfc/0x140
 [<ffffffff8800d086>] :80211:ieee80211_stop+0x106/0x130
 [<ffffffff804612a2>] dev_close+0x62/0x90
 [<ffffffff804606bd>] dev_change_flags+0x6d/0x150
 [<ffffffff8049c97c>] devinet_ioctl+0x30c/0x730
 [<ffffffff804623b4>] dev_ioctl+0x304/0x370
 [<ffffffff802435b6>] up_read+0x26/0x30
 [<ffffffff8049d08c>] inet_ioctl+0x4c/0x70
 [<ffffffff804556c0>] sock_ioctl+0x210/0x240
 [<ffffffff8028dcdb>] do_ioctl+0x1b/0x60
 [<ffffffff8028df81>] vfs_ioctl+0x261/0x280
 [<ffffffff8028dfea>] sys_ioctl+0x4a/0x80
 [<ffffffff80209b1e>] system_call+0x7e/0x83

ffff81001d775c38: redzone 1:0x5a2cf071, redzone 2:0x5a2cf071.
slab: double free detected in cache 'size-64', objp ffff81001d775c38

Again, phy is a private part of the network device, and both direct
kfree() calls in bcm43xx_wireless_core_exit() are applied to pointers
kept in phy.

Copying to bcm43xx folks to alert them of the breakage.

-- 
Regards,
Pavel Roskin
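The two failure modes described in the mail (a private area allocated smaller than the structure the driver writes into, and kfree() applied twice to pointers kept in phy), modelled as an added example that is not part of the original mail or of the bcm43xx/d80211 code. Only the redzone value is taken from the oops; the struct layouts, sizes and dbg_* helpers are constructed to show what the slab debug checks catch and why nulling the freed pointers makes a second teardown harmless.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model (not kernel code) of the CONFIG_DEBUG_SLAB checks behind
 * the oops above: a redzone after each object plus a "freed" flag. */
#define REDZONE 0x5a2cf071u               /* active-redzone value from the report */
enum { DBG_OK = 0, DBG_REDZONE = 1, DBG_DOUBLE_FREE = 2 };
struct dbg_hdr { size_t size; int freed; uint32_t rz1; };
static void *dbg_alloc(size_t size) {
    /* +64 bytes of slack keeps an overrun in the model inside our own buffer */
    struct dbg_hdr *h = malloc(sizeof *h + size + sizeof(uint32_t) + 64);
    if (!h) return NULL;
    h->size = size; h->freed = 0; h->rz1 = REDZONE;
    memcpy((char *)(h + 1) + size, &(uint32_t){REDZONE}, sizeof(uint32_t));
    return h + 1;
}

/* What kfree() would report; the object is kept so a second free is caught. */
static int dbg_free(void *p) {
    struct dbg_hdr *h = (struct dbg_hdr *)p - 1; uint32_t rz2;
    if (h->freed) return DBG_DOUBLE_FREE;
    memcpy(&rz2, (char *)p + h->size, sizeof rz2);
    if (h->rz1 != REDZONE || rz2 != REDZONE) return DBG_REDZONE;
    h->freed = 1;
    return DBG_OK;
}

struct phy  { void *lo; void *radio; };        /* stand-in for the driver's phy */
struct priv { int cfg[14]; struct phy phy; };  /* phy near the end, as in the report */

/* A priv_size smaller than sizeof(struct priv) puts the last field on top of
 * the trailing redzone, which the free then reports as corruption. */
static int simulate_short_alloc(size_t priv_size) {
    struct priv *p = dbg_alloc(priv_size);
    if (!p) return -1;
    p->phy.radio = NULL;                       /* driver writes its last field */
    return dbg_free(p);
}

/* Two direct frees of pointers kept in phy; with clear=1 a second run frees nothing. */
static int core_exit(struct phy *phy, int clear) {
    int r = DBG_OK;
    if (phy->lo)    { r |= dbg_free(phy->lo);    if (clear) phy->lo = NULL; }
    if (phy->radio) { r |= dbg_free(phy->radio); if (clear) phy->radio = NULL; }
    return r;
}
static int simulate_double_exit(int clear) {    /* returns the second run's verdict */
    struct phy phy = { dbg_alloc(64), dbg_alloc(64) };
    core_exit(&phy, clear);
    return core_exit(&phy, clear);
}
```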
