On 17 November 2014 13:29, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> On Mon, 2014-11-17 at 12:27 +0100, Michal Kazior wrote:
>> After fragmentation reassembly was complete code
>> tried to dereference hdr pointer which pointed to
>> data of an sk_buff that has been freed.
>
> Curious. This bug has been around forever (since the introduction of
> mac80211). I wonder what changed that you *also* found it now - because
> we also found it recently!

I was puzzled at this as well. I hadn't tested fragmentation in a while
and when I did I hit this bug.

[..2 kernel compiles later..]

My hunch was right. Apparently this happens when I use my kernel .config
with some debug stuff enabled. In case you're interested:

 * http://pastebin.com/7shTYtFy -- good
 * http://pastebin.com/pxwdJ5hS -- panic

>> --- a/net/mac80211/rx.c
>> +++ b/net/mac80211/rx.c
>> @@ -1854,6 +1854,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
>> /* Complete frame has been reassembled - process it now */
>> status = IEEE80211_SKB_RXCB(rx->skb);
>> status->rx_flags |= IEEE80211_RX_FRAGMENTED;
>> + hdr = (struct ieee80211_hdr *)rx->skb->data;
>
> This is technically correct, but useless. I already have this patch in
> my tree instead:
>
> https://git.kernel.org/cgit/linux/kernel/git/jberg/mac80211.git/commit/?id=b8fff407a180286aa683d543d878d98d9fc57b13

Oh. I've missed this. Thanks for pointing out :-)

Michał
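Review bot: the added `hdr = (struct ieee80211_hdr *)rx->skb->data;` at the end of the ieee80211_rx_h_defragment hunk does refresh the pointer after `rx->skb` has been replaced by the reassembled frame, but the visible context does not show any later read of `hdr` in this function, so the assignment may be dead code, which is consistent with the maintainer's "technically correct, but useless" remark and with the replacement commit he links. If this version were kept, a one-line comment above the assignment stating why it is needed (the old `hdr` pointed into the data of a freed sk_buff once reassembly completed) would record the invariant for the next reader, and the remaining uses of `hdr` after the reassembly point should be audited rather than just re-seeded.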