Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert7d930bc33653d5592dc386a76a38f39c2e962344 fixed it.

From: Johannes Berg
Date: Mon Nov 02 2009 - 03:49:22 EST

Next message: Jiri Slaby: "[PATCH 1/1] MM: slqb, fix per_cpu access"
Previous message: KAMEZAWA Hiroyuki: "Re: [RFC][-mm][PATCH 4/6] oom-killer: fork bomb detector"
In reply to: Linus Torvalds: "Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert7d930bc33653d5592dc386a76a38f39c2e962344 fixed it."
Next in thread: John W. Linville: "Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert7d930bc33653d5592dc386a76a38f39c2e962344 fixed it."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 2009-11-01 at 16:53 -0800, Linus Torvalds wrote:

> That decodes to
>
> cfg80211_conn_work+89:
>
> 3: 89 ef mov %ebp,%edi
> 5: e8 6f be 41 e1 callq 0xffffffffe141be79
> a: 48 8b 43 20 mov 0x20(%rbx),%rax
> e: f6 40 48 01 testb $0x1,0x48(%rax)
> 12: 74 5d je 0x71
> 14: 83 bb 8c 00 00 00 01 cmpl $0x1,0x8c(%rbx)
> 1b: 75 54 jne 0x71
> 1d: 48 ?? 50 08 ??? 0x8(%rax) ???? uncertain instruction ????
> 21:* 8b 02 mov (%rdx),%eax <-- trapping instruction
> 23: 41 89 45 00 mov %eax,0x0(%r13)
> 27: 66 8b 42 04 mov 0x4(%rdx),%ax
> 2b: 66 41 89 45 04 mov %ax,0x4(%r13)
> 30: e8 f5 ea ff ff callq 0xffffffffffffeb2a
>
> trace:
> __cfg80111_scan_done
> worker_thread
>
> which looks like it matches this code:
>
> movq %r14, %rdi # D.43604,
> call mutex_lock #
> movq 32(%rbx), %rax # <variable>.netdev, <variable>.netdev
> testb $1, 72(%rax) #, <variable>.state
> je .L215 #,
> cmpl $1, 140(%rbx) #, <variable>.sme_state
> jne .L215 #,
> movq 144(%rbx), %rax # <variable>.conn, <variable>.conn
> movq %rbx, %rdi # wdev,
> movq 8(%rax), %rax # <variable>.params.bssid, <variable>.params.bssid
> movl (%rax), %edx #* <variable>.params.bssid, tmp74
> movl %edx, 0(%r13) # tmp74, bssid
> movw 4(%rax), %ax #, tmp75
> movw %ax, 4(%r13) # tmp75, bssid
> call cfg80211_conn_do_work #
>
> ie it looks like 'conn->params.bssid' is NULL and we oops when we try to
> load bssid from there. The code is:
>
> memcpy(bssid, wdev->conn->params.bssid, ETH_ALEN);
>
> where ETH_ALEN is 6 bytes, so the memcpy is inlined..
>
> And yes, that "memcpy()" was added in that buggy commit.

Indeed, thank you. I'd analysed this before but not made the connection
with Jeff's report.

> So reverting 7d930bc33653d5592dc386a76a38f39c2e962344 is the correct thing
> to do. Or somebody needs to fix that piece-of-shit code.

Yes ... that params.bssid was != NULL was a bad assumption in that
commit. The right thing to do is to add a check and pass NULL through,
like I did here:
http://thread.gmane.org/gmane.linux.kernel.wireless.general/41695

johannes

Attachment: signature.asc
Description: This is a digitally signed message part

Next message: Jiri Slaby: "[PATCH 1/1] MM: slqb, fix per_cpu access"
Previous message: KAMEZAWA Hiroyuki: "Re: [RFC][-mm][PATCH 4/6] oom-killer: fork bomb detector"
In reply to: Linus Torvalds: "Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert7d930bc33653d5592dc386a76a38f39c2e962344 fixed it."
Next in thread: John W. Linville: "Re: wpa2 hangs v2.6.32-rc5-402-gb6727b1. Revert7d930bc33653d5592dc386a76a38f39c2e962344 fixed it."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]