On Monday 26 October 2009 20:11:20 Michael Buesch wrote: > On Monday 26 October 2009 19:59:02 John W. Linville wrote: > > > Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=14277 > > > Subject : Caught 8-bit read from freed memory in b43 driver at association > > > Submitter : Christian Casteyde <casteyde.christian@xxxxxxx> > > > Date : 2009-09-30 18:06 (27 days old) > > Does this still trigger with a recent kernel (and thus recent memory debugging). > I'm still not convinced that this is a wireless bug. > Ok, it just turns out this actually is a driver bug. Thanks to Johannes Berg for tracking it down. I think it's caused by the DMA bouncebuffer stuff that does not copy the skb->cb and does not adjust the "tx-info" pointer. I wonder why this didn't blow up easlier, because this bug is there since mac80211 switched to using the CB. Here's a completely untested patch. --- drivers/net/wireless/b43/dma.c | 2 ++ 1 file changed, 2 insertions(+) --- wireless-testing.orig/drivers/net/wireless/b43/dma.c +++ wireless-testing/drivers/net/wireless/b43/dma.c @@ -1224,6 +1224,8 @@ static int dma_tx_fragment(struct b43_dm } memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len); + memcpy(bounce_skb->cb, skb->cb, sizeof(skb->cb)); + info = IEEE80211_SKB_CB(bounce_skb); dev_kfree_skb_any(skb); skb = bounce_skb; meta->skb = skb; -- Greetings, Michael. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
