From: Ben Greear <greearb@candelatech.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: Crash in cfg80211_unlink_bss
Date: Wed, 06 Oct 2010 11:08:20 -0700
Message-ID: <4CACBB14.1090507@candelatech.com>
In-Reply-To: <1286388245.3655.392.camel@jlt3.sipsolutions.net>

On 10/06/2010 11:04 AM, Johannes Berg wrote:
> On Wed, 2010-10-06 at 10:28 -0700, Ben Greear wrote:
>> This test scenario has 72 stations on ath5k trying to connect to a Cisco AP
>> that supposedly only supports 63 stations.
>>
>> The 72 STA were created without SSIDs configured, then we re-configured all
>> 72 'at once' to give them the proper SSID (ifdown, ifup, iwconfig to set values).
>
> Eww, iwconfig ;-)

Heh, one thing at a time :)

>> The system crashed and rebooted.
>>
>> Kernel is wireless-testing as of later yesterday, with a few additional
>> patches mostly dealing with counters in /proc/net/wireless and some lockdep
>> fixes pulled in from lkml etc.
>>
>> We have seen this before, but this is the first good stacktrace we got.
>>
>> Likely we can reproduce this if extra information is needed.
>
>> list_del corruption, next is LIST_POISON1 (00100100)
>
> This one's interesting.
>
> But anyway, now that I look at it in more detail, it seems fairly
> obvious. You should be able to trigger it with two stations, but it's
> probably harder ...
>
> I need to analyse the refcounting here again and in more detail, but in
> the meantime can you try below patch?

Yes, will do so and let you know the results.

Thanks,
Ben

>
> johannes
>
> ---
> net/wireless/scan.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> --- wireless-testing.orig/net/wireless/scan.c 2010-10-06 19:59:41.000000000 +0200
> +++ wireless-testing/net/wireless/scan.c 2010-10-06 20:01:20.000000000 +0200
> @@ -668,11 +668,11 @@ void cfg80211_unlink_bss(struct wiphy *w
> bss = container_of(pub, struct cfg80211_internal_bss, pub);
>
> spin_lock_bh(&dev->bss_lock);
> -
> - list_del(&bss->list);
> - dev->bss_generation++;
> - rb_erase(&bss->rbn,&dev->bss_tree);
> -
> + if (!list_empty(&bss->list)) {
> + list_del_init(&bss->list);
> + dev->bss_generation++;
> + rb_erase(&bss->rbn,&dev->bss_tree);
> + }
> spin_unlock_bh(&dev->bss_lock);
>
> kref_put(&bss->ref, bss_release);
>
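
Review bot: kref_put(&bss->ref, bss_release) at the end of this hunk still sits outside the new if (!list_empty(&bss->list)) block, so a second call on an entry that is already unlinked skips the list and rb-tree removal but still drops a reference. If that reference is the one held for list membership, it should be released only in the branch that actually unlinks; consider moving the kref_put inside the block, or returning right after spin_unlock_bh when the list is empty. The guard also depends on every other removal path using list_del_init rather than list_del, because an entry poisoned by list_del does not read as empty to list_empty; that is worth checking and stating in the commit message. Minor style: rb_erase(&bss->rbn,&dev->bss_tree) lacks a space after the comma.
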
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com