* NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
From: Hin-Tak Leung @ 2009-10-07 19:16 UTC (permalink / raw)
To: Luis R. Rodriguez, John W. Linville; +Cc: linux-wireless
On Wed, Oct 7, 2009 at 4:22 PM, Luis R. Rodriguez
<lrodriguez@atheros.com> wrote:
> On Wed, Oct 7, 2009 at 10:45 AM, John W. Linville
> <linville@tuxdriver.com> wrote:
>> On Wed, Oct 07, 2009 at 01:40:04AM -0400, Luis R. Rodriguez wrote:
>>> On Tue, Oct 6, 2009 at 11:39 PM, Hin-Tak Leung <hintak.leung@gmail.com> wrote:
>>> > Between 2.6.30 and 2.6.31, linux/netdevice.h started
>>> > to include linux/ethtool.h (commit b1b67dd45a6b629eb41553856805aaa1614fbb83,
>>> > "net: factor out ethtool invocation of vlan/macvlan drivers"),
>>> > and commit 7508e486965b0af13984bc6d9da62a8d8f0dc5f9,
>>> > "cfg80211: add firmware and hardware version to wiphy", introduces
>>> > dependency of ETHTOOL_BUSINFO_LEN from linux/ethtool.h
>>> > to net/cfg80211.h .
>>>
>>> John's patch titled "cfg80211: fix compile error from missing
>>> ethtool.h" seems to address this upstream. I'll wait until he applies
>>> that to the tree.
>>
>> As Hin-Tak points out, linux/netdevice.h is already "doing the needful". :-)
>>
>> I'll just drop my patch and let this get sorted in compat-wireless.
>
> Heh ok applied, thanks.
>
> Luis
>
It is probably just a transient problem with recent activities - I had
a NULL pointer deref from loading rtl8187 of compat-wireless
v2.6.32-rc3-39563-g98c2609 -
BUG: unable to handle kernel NULL pointer dereference at 000000000000003d
IP: [<ffffffff8147822c>] wext_ioctl_dispatch+0xd9/0x180
PGD 61c2b067 PUD 6246f067 PMD 0
Oops: 0000 [#1] SMP
...
Call Trace:
[<ffffffff814783f5>] wext_handle_ioctl+0x4d/0x98
[<ffffffff813e53a5>] dev_ioctl+0x625/0x662
[<ffffffff813cfa45>] sock_ioctl+0x225/0x248
[<ffffffff811237a3>] vfs_ioctl+0x31/0xaa
[<ffffffff811e1801>] ? security_d_instantiate+0x37/0x4d
[<ffffffff81123c88>] do_vfs_ioctl+0x46c/0x4c3
[<ffffffff81123d44>] sys_ioctl+0x65/0x9c
[<ffffffff81012082>] system_call_fastpath+0x16/0x1b
I'm sure whatever changes made this happen will go away soon, so I'll
just re-try in a few days... but if anybody knows what commit causes
this (and what fixes it!), I'd like to know.
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
From: Hin-Tak Leung @ 2009-10-07 19:28 UTC (permalink / raw)
To: Luis R. Rodriguez, John W. Linville, Johannes Berg; +Cc: linux-wireless
On Wed, Oct 7, 2009 at 8:16 PM, Hin-Tak Leung <hintak.leung@gmail.com> wrote:
> It is probably just a transient problem with recent activities - I had
> a NULL pointer deref from loading rtl8187 of compat-wireless
> v2.6.32-rc3-39563-g98c2609 -
>
> BUG: unable to handle kernel NULL pointer dereference at 000000000000003d
> IP: [<ffffffff8147822c>] wext_ioctl_dispatch+0xd9/0x180
> PGD 61c2b067 PUD 6246f067 PMD 0
> Oops: 0000 [#1] SMP
> ...
> Call Trace:
> [<ffffffff814783f5>] wext_handle_ioctl+0x4d/0x98
> [<ffffffff813e53a5>] dev_ioctl+0x625/0x662
> [<ffffffff813cfa45>] sock_ioctl+0x225/0x248
> [<ffffffff811237a3>] vfs_ioctl+0x31/0xaa
> [<ffffffff811e1801>] ? security_d_instantiate+0x37/0x4d
> [<ffffffff81123c88>] do_vfs_ioctl+0x46c/0x4c3
> [<ffffffff81123d44>] sys_ioctl+0x65/0x9c
> [<ffffffff81012082>] system_call_fastpath+0x16/0x1b
>
> I'm sure whatever changes made this happen will go away soon, so I'll
> just re-try in a few days... but if anybody knows what commit causes
> this (and what fixes it!), I'd like to know.
>
Hiya, it looks like the last time I used compat-wireless successfully was on
the 25th (I am not saying it breaks after - I just haven't tried until
yesterday, possibly), and most of the recent changes are per-driver,
but there is a big code drop from Johannes dated 27th on 'wext:
refactor'. Changes from that or dependent changes?
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
From: Johannes Berg @ 2009-10-07 22:01 UTC (permalink / raw)
To: Hin-Tak Leung; +Cc: Luis R. Rodriguez, John W. Linville, linux-wireless
On Wed, 2009-10-07 at 20:28 +0100, Hin-Tak Leung wrote:
> On Wed, Oct 7, 2009 at 8:16 PM, Hin-Tak Leung <hintak.leung@gmail.com> wrote:
>
> > It is probably just a transient problem with recent activities - I had
> > a NULL pointer deref from loading rtl8187 of compat-wireless
> > v2.6.32-rc3-39563-g98c2609 -
> >
> > BUG: unable to handle kernel NULL pointer dereference at 000000000000003d
> > IP: [<ffffffff8147822c>] wext_ioctl_dispatch+0xd9/0x180
> > PGD 61c2b067 PUD 6246f067 PMD 0
> > Oops: 0000 [#1] SMP
> > ...
> > Call Trace:
> > [<ffffffff814783f5>] wext_handle_ioctl+0x4d/0x98
> > [<ffffffff813e53a5>] dev_ioctl+0x625/0x662
> > [<ffffffff813cfa45>] sock_ioctl+0x225/0x248
> > [<ffffffff811237a3>] vfs_ioctl+0x31/0xaa
> > [<ffffffff811e1801>] ? security_d_instantiate+0x37/0x4d
> > [<ffffffff81123c88>] do_vfs_ioctl+0x46c/0x4c3
> > [<ffffffff81123d44>] sys_ioctl+0x65/0x9c
> > [<ffffffff81012082>] system_call_fastpath+0x16/0x1b
> >
> > I'm sure whatever changes made this happen will go away soon, so I'll
> > just re-try in a few days... but if anybody knows what commit causes
> > this (and what fixes it!), I'd like to know.
> >
>
> Hiya, it looks like the last time I used compat-wireless successfully was on
> the 25th (I am not saying it breaks after - I just haven't tried until
> yesterday, possibly), and most of the recent changes are per-driver,
> but there is a big code drop from Johannes dated 27th on 'wext:
> refactor'. Changes from that or dependent changes?
Probably -- but I don't see this problem on stock kernel and I'm not
sure what could be causing it for compat-wireless.
This will be the old copy of wext_ioctl_dispatch. It'd certainly help to
get disassembly/the source line of the oops.
johannes
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
From: Hin-Tak Leung @ 2009-10-08 6:28 UTC (permalink / raw)
To: Johannes Berg; +Cc: Luis R. Rodriguez, John W. Linville, linux-wireless
On Wed, Oct 7, 2009 at 11:01 PM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Wed, 2009-10-07 at 20:28 +0100, Hin-Tak Leung wrote:
>> On Wed, Oct 7, 2009 at 8:16 PM, Hin-Tak Leung <hintak.leung@gmail.com> wrote:
>>
>> > It is probably just a transient problem with recent activities - I had
>> > a NULL pointer deref from loading rtl8187 of compat-wireless
>> > v2.6.32-rc3-39563-g98c2609 -
>> >
>> > BUG: unable to handle kernel NULL pointer dereference at 000000000000003d
>> > IP: [<ffffffff8147822c>] wext_ioctl_dispatch+0xd9/0x180
>> > PGD 61c2b067 PUD 6246f067 PMD 0
>> > Oops: 0000 [#1] SMP
>> > ...
>> > Call Trace:
>> > [<ffffffff814783f5>] wext_handle_ioctl+0x4d/0x98
>> > [<ffffffff813e53a5>] dev_ioctl+0x625/0x662
>> > [<ffffffff813cfa45>] sock_ioctl+0x225/0x248
>> > [<ffffffff811237a3>] vfs_ioctl+0x31/0xaa
>> > [<ffffffff811e1801>] ? security_d_instantiate+0x37/0x4d
>> > [<ffffffff81123c88>] do_vfs_ioctl+0x46c/0x4c3
>> > [<ffffffff81123d44>] sys_ioctl+0x65/0x9c
>> > [<ffffffff81012082>] system_call_fastpath+0x16/0x1b
>> >
>> > I'm sure whatever changes made this happen will go away soon, so I'll
>> > just re-try in a few days... but if anybody knows what commit causes
>> > this (and what fixes it!), I'd like to know.
>> >
>>
>> Hiya, it looks like the last time I used compat-wireless successfully was on
>> the 25th (I am not saying it breaks after - I just haven't tried until
>> yesterday, possibly), and most of the recent changes are per-driver,
>> but there is a big code drop from Johannes dated 27th on 'wext:
>> refactor'. Changes from that or dependent changes?
>
> Probably -- but I don't see this problem on stock kernel and I'm not
> sure what could be causing it for compat-wireless.
>
> This will be the old copy of wext_ioctl_dispatch. It'd certainly help to
> get disassembly/the source line of the oops.
>
> johannes
>
The crash came from the Fedora koji kernel 2.6.30.8-67.fc11.x86_64 (+
bleeding-edge compat-wireless), so John can probably correct me if I am
doing it wrong, or he can probably provide a better answer based on the
info.
I installed the debug packages kernel-debuginfo-2.6.30.8-67.fc11 and
kernel-debuginfo-common-x86_64-2.6.30.8-67.fc11, then dumped the whole
thing to work out the address, before selecting the address range as:
objdump -l -d --start-address=0xffffffff81478153 --stop-address=0xffffffff81478440 -S /usr/lib/debug/lib/modules/2.6.30.8-67.fc11.x86_64/vmlinux
It looks like it is the 2nd of these two lines around
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:448
which resulted in the null pointer dereference:
    if (index < dev->wireless_handlers->num_private)
        return dev->wireless_handlers->private[index];
Is there a more clever way of working out the addresses? I guess I
should have just subtracted and added a few k off the crash message,
rather than dumping the whole kernel to work out the addresses...
[-- Attachment #2: kernel-objdump-withlines --]
/usr/lib/debug/lib/modules/2.6.30.8-67.fc11.x86_64/vmlinux: file format elf64-x86-64
Disassembly of section .text:
ffffffff81478153 <wext_ioctl_dispatch>:
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1087
/* entry point from dev ioctl */
static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr,
unsigned int cmd, struct iw_request_info *info,
wext_ioctl_func standard,
wext_ioctl_func private)
{
ffffffff81478153: 55 push %rbp
ffffffff81478154: 48 89 e5 mov %rsp,%rbp
ffffffff81478157: 41 56 push %r14
ffffffff81478159: 41 55 push %r13
ffffffff8147815b: 41 54 push %r12
ffffffff8147815d: 53 push %rbx
ffffffff8147815e: 48 83 ec 20 sub $0x20,%rsp
ffffffff81478162: e8 99 9c b9 ff callq ffffffff81011e00 <mcount>
ffffffff81478167: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff8147816e: 00 00
ffffffff81478170: 48 89 45 d8 mov %rax,-0x28(%rbp)
ffffffff81478174: 31 c0 xor %eax,%eax
wext_permission_check():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1075
/* If command is `set a parameter', or `get the encoding parameters',
* check if the user has the right to do it.
*/
static int wext_permission_check(unsigned int cmd)
{
if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || cmd == SIOCGIWENCODEEXT)
ffffffff81478176: f6 c2 01 test $0x1,%dl
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1087
/* entry point from dev ioctl */
static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr,
unsigned int cmd, struct iw_request_info *info,
wext_ioctl_func standard,
wext_ioctl_func private)
{
ffffffff81478179: 49 89 fd mov %rdi,%r13
ffffffff8147817c: 48 89 f3 mov %rsi,%rbx
ffffffff8147817f: 4d 89 c4 mov %r8,%r12
ffffffff81478182: 4d 89 ce mov %r9,%r14
wext_permission_check():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1075
/* If command is `set a parameter', or `get the encoding parameters',
* check if the user has the right to do it.
*/
static int wext_permission_check(unsigned int cmd)
{
if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || cmd == SIOCGIWENCODEEXT)
ffffffff81478185: 74 14 je ffffffff8147819b <wext_ioctl_dispatch+0x48>
ffffffff81478187: 81 fa 2b 8b 00 00 cmp $0x8b2b,%edx
ffffffff8147818d: 74 0c je ffffffff8147819b <wext_ioctl_dispatch+0x48>
ffffffff8147818f: 81 fa 35 8b 00 00 cmp $0x8b35,%edx
ffffffff81478195: 0f 85 ef 00 00 00 jne ffffffff8147828a <wext_ioctl_dispatch+0x137>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1076
&& !capable(CAP_NET_ADMIN))
ffffffff8147819b: bf 0c 00 00 00 mov $0xc,%edi
ffffffff814781a0: 89 55 c8 mov %edx,-0x38(%rbp)
ffffffff814781a3: 48 89 4d c0 mov %rcx,-0x40(%rbp)
ffffffff814781a7: e8 78 8c be ff callq ffffffff81060e24 <capable>
ffffffff814781ac: 89 c6 mov %eax,%esi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1075
/* If command is `set a parameter', or `get the encoding parameters',
* check if the user has the right to do it.
*/
static int wext_permission_check(unsigned int cmd)
{
if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || cmd == SIOCGIWENCODEEXT)
ffffffff814781ae: 83 c8 ff or $0xffffffffffffffff,%eax
ffffffff814781b1: 8b 55 c8 mov -0x38(%rbp),%edx
ffffffff814781b4: 85 f6 test %esi,%esi
ffffffff814781b6: 48 8b 4d c0 mov -0x40(%rbp),%rcx
ffffffff814781ba: 0f 84 b9 00 00 00 je ffffffff81478279 <wext_ioctl_dispatch+0x126>
ffffffff814781c0: e9 c5 00 00 00 jmpq ffffffff8147828a <wext_ioctl_dispatch+0x137>
wireless_process_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1043
return -ENODEV;
/* A bunch of special cases, then the generic case...
* Note that 'cmd' is already filtered in dev_ioctl() with
* (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
if (cmd == SIOCGIWSTATS)
ffffffff814781c5: 81 fa 0f 8b 00 00 cmp $0x8b0f,%edx
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1044
return standard(dev, iwr, cmd, info,
ffffffff814781cb: 49 c7 c0 06 7c 47 81 mov $0xffffffff81477c06,%r8
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1043
return -ENODEV;
/* A bunch of special cases, then the generic case...
* Note that 'cmd' is already filtered in dev_ioctl() with
* (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
if (cmd == SIOCGIWSTATS)
ffffffff814781d2: 74 69 je ffffffff8147823d <wext_ioctl_dispatch+0xea>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1047
return standard(dev, iwr, cmd, info,
&iw_handler_get_iwstats);
if (cmd == SIOCGIWPRIV && dev->wireless_handlers)
ffffffff814781d4: 81 fa 0d 8b 00 00 cmp $0x8b0d,%edx
ffffffff814781da: 75 11 jne ffffffff814781ed <wext_ioctl_dispatch+0x9a>
ffffffff814781dc: 48 83 bf 38 01 00 00 cmpq $0x0,0x138(%rdi)
ffffffff814781e3: 00
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1048
return standard(dev, iwr, cmd, info,
ffffffff814781e4: 49 c7 c0 86 7b 47 81 mov $0xffffffff81477b86,%r8
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1047
* (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
if (cmd == SIOCGIWSTATS)
return standard(dev, iwr, cmd, info,
&iw_handler_get_iwstats);
if (cmd == SIOCGIWPRIV && dev->wireless_handlers)
ffffffff814781eb: 75 50 jne ffffffff8147823d <wext_ioctl_dispatch+0xea>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1052
return standard(dev, iwr, cmd, info,
&iw_handler_get_private);
/* Basic check */
if (!netif_device_present(dev))
ffffffff814781ed: f6 47 48 02 testb $0x2,0x48(%rdi)
ffffffff814781f1: 74 76 je ffffffff81478269 <wext_ioctl_dispatch+0x116>
get_handler():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:437
{
/* Don't "optimise" the following variable, it will crash */
unsigned int index; /* *MUST* be unsigned */
/* Check if we have some wireless handlers defined */
if (dev->wireless_handlers == NULL)
ffffffff814781f3: 48 8b 87 38 01 00 00 mov 0x138(%rdi),%rax
ffffffff814781fa: 48 85 c0 test %rax,%rax
ffffffff814781fd: 74 4e je ffffffff8147824d <wext_ioctl_dispatch+0xfa>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:442
return NULL;
/* Try as a standard command */
index = cmd - SIOCIWFIRST;
if (index < dev->wireless_handlers->num_standard)
ffffffff814781ff: 44 0f b7 00 movzwl (%rax),%r8d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:441
/* Check if we have some wireless handlers defined */
if (dev->wireless_handlers == NULL)
return NULL;
/* Try as a standard command */
index = cmd - SIOCIWFIRST;
ffffffff81478203: 8d b2 00 75 ff ff lea -0x8b00(%rdx),%esi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:442
if (index < dev->wireless_handlers->num_standard)
ffffffff81478209: 44 39 c6 cmp %r8d,%esi
ffffffff8147820c: 73 08 jae ffffffff81478216 <wext_ioctl_dispatch+0xc3>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:443
return dev->wireless_handlers->standard[index];
ffffffff8147820e: 89 f6 mov %esi,%esi
ffffffff81478210: 48 8b 40 08 mov 0x8(%rax),%rax
ffffffff81478214: eb 16 jmp ffffffff8147822c <wext_ioctl_dispatch+0xd9>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:447
/* Try as a private command */
index = cmd - SIOCIWFIRSTPRIV;
if (index < dev->wireless_handlers->num_private)
ffffffff81478216: 44 0f b7 40 02 movzwl 0x2(%rax),%r8d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:446
index = cmd - SIOCIWFIRST;
if (index < dev->wireless_handlers->num_standard)
return dev->wireless_handlers->standard[index];
/* Try as a private command */
index = cmd - SIOCIWFIRSTPRIV;
ffffffff8147821b: 8d b2 20 74 ff ff lea -0x8be0(%rdx),%esi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:447
if (index < dev->wireless_handlers->num_private)
ffffffff81478221: 44 39 c6 cmp %r8d,%esi
ffffffff81478224: 73 27 jae ffffffff8147824d <wext_ioctl_dispatch+0xfa>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:448
return dev->wireless_handlers->private[index];
ffffffff81478226: 48 8b 40 10 mov 0x10(%rax),%rax
ffffffff8147822a: 89 f6 mov %esi,%esi
ffffffff8147822c: 4c 8b 04 f0 mov (%rax,%rsi,8),%r8
wireless_process_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1057
if (!netif_device_present(dev))
return -ENODEV;
/* New driver API : try to find the handler */
handler = get_handler(dev, cmd);
if (handler) {
ffffffff81478230: 4d 85 c0 test %r8,%r8
ffffffff81478233: 74 18 je ffffffff8147824d <wext_ioctl_dispatch+0xfa>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1059
/* Standard and private are not the same */
if (cmd < SIOCIWFIRSTPRIV)
ffffffff81478235: 81 fa df 8b 00 00 cmp $0x8bdf,%edx
ffffffff8147823b: 77 08 ja ffffffff81478245 <wext_ioctl_dispatch+0xf2>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1060
return standard(dev, iwr, cmd, info, handler);
ffffffff8147823d: 48 89 de mov %rbx,%rsi
ffffffff81478240: 41 ff d4 callq *%r12
ffffffff81478243: eb 29 jmp ffffffff8147826e <wext_ioctl_dispatch+0x11b>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1062
else
return private(dev, iwr, cmd, info, handler);
ffffffff81478245: 48 89 de mov %rbx,%rsi
ffffffff81478248: 41 ff d6 callq *%r14
ffffffff8147824b: eb 21 jmp ffffffff8147826e <wext_ioctl_dispatch+0x11b>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1065
}
/* Old driver API : call driver ioctl handler */
if (dev->netdev_ops->ndo_do_ioctl)
ffffffff8147824d: 48 8b 87 48 01 00 00 mov 0x148(%rdi),%rax
ffffffff81478254: 48 8b 48 58 mov 0x58(%rax),%rcx
ffffffff81478258: b8 a1 ff ff ff mov $0xffffffa1,%eax
ffffffff8147825d: 48 85 c9 test %rcx,%rcx
ffffffff81478260: 74 0c je ffffffff8147826e <wext_ioctl_dispatch+0x11b>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1066
return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
ffffffff81478262: 48 89 de mov %rbx,%rsi
ffffffff81478265: ff d1 callq *%rcx
ffffffff81478267: eb 05 jmp ffffffff8147826e <wext_ioctl_dispatch+0x11b>
ffffffff81478269: b8 ed ff ff ff mov $0xffffffed,%eax
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1096
return ret;
dev_load(net, ifr->ifr_name);
rtnl_lock();
ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private);
rtnl_unlock();
ffffffff8147826e: 89 45 c8 mov %eax,-0x38(%rbp)
ffffffff81478271: e8 91 58 f7 ff callq ffffffff813edb07 <rtnl_unlock>
ffffffff81478276: 8b 45 c8 mov -0x38(%rbp),%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1099
return ret;
}
ffffffff81478279: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff8147827d: 65 48 33 14 25 28 00 xor %gs:0x28,%rdx
ffffffff81478284: 00 00
ffffffff81478286: 74 3e je ffffffff814782c6 <wext_ioctl_dispatch+0x173>
ffffffff81478288: eb 37 jmp ffffffff814782c1 <wext_ioctl_dispatch+0x16e>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1093
int ret = wext_permission_check(cmd);
if (ret)
return ret;
dev_load(net, ifr->ifr_name);
ffffffff8147828a: 48 89 de mov %rbx,%rsi
ffffffff8147828d: 4c 89 ef mov %r13,%rdi
ffffffff81478290: 89 55 c8 mov %edx,-0x38(%rbp)
ffffffff81478293: 48 89 4d c0 mov %rcx,-0x40(%rbp)
ffffffff81478297: e8 df c0 f6 ff callq ffffffff813e437b <dev_load>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1094
rtnl_lock();
ffffffff8147829c: e8 db 58 f7 ff callq ffffffff813edb7c <rtnl_lock>
wireless_process_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1037
/* Permissions are already checked in dev_ioctl() before calling us.
* The copy_to/from_user() of ifr is also dealt with in there */
/* Make sure the device exist */
if ((dev = __dev_get_by_name(net, ifr->ifr_name)) == NULL)
ffffffff814782a1: 4c 89 ef mov %r13,%rdi
ffffffff814782a4: 48 89 de mov %rbx,%rsi
ffffffff814782a7: e8 44 83 f6 ff callq ffffffff813e05f0 <__dev_get_by_name>
ffffffff814782ac: 48 85 c0 test %rax,%rax
ffffffff814782af: 48 89 c7 mov %rax,%rdi
ffffffff814782b2: 8b 55 c8 mov -0x38(%rbp),%edx
ffffffff814782b5: 48 8b 4d c0 mov -0x40(%rbp),%rcx
ffffffff814782b9: 0f 85 06 ff ff ff jne ffffffff814781c5 <wext_ioctl_dispatch+0x72>
ffffffff814782bf: eb a8 jmp ffffffff81478269 <wext_ioctl_dispatch+0x116>
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1099
rtnl_lock();
ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private);
rtnl_unlock();
return ret;
}
ffffffff814782c1: e8 c3 ef bd ff callq ffffffff81057289 <__stack_chk_fail>
ffffffff814782c6: 48 83 c4 20 add $0x20,%rsp
ffffffff814782ca: 5b pop %rbx
ffffffff814782cb: 41 5c pop %r12
ffffffff814782cd: 41 5d pop %r13
ffffffff814782cf: 41 5e pop %r14
ffffffff814782d1: c9 leaveq
ffffffff814782d2: c3 retq
ffffffff814782d3 <compat_wext_handle_ioctl>:
compat_wext_handle_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1188
return ret;
}
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
unsigned long arg)
{
ffffffff814782d3: 55 push %rbp
ffffffff814782d4: 48 89 e5 mov %rsp,%rbp
ffffffff814782d7: 41 56 push %r14
ffffffff814782d9: 41 55 push %r13
ffffffff814782db: 41 54 push %r12
ffffffff814782dd: 53 push %rbx
ffffffff814782de: 48 83 ec 40 sub $0x40,%rsp
ffffffff814782e2: e8 19 9b b9 ff callq ffffffff81011e00 <mcount>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1195
struct iw_request_info info;
struct iwreq iwr;
char *colon;
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
ffffffff814782e7: 4c 8d 65 b0 lea -0x50(%rbp),%r12
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1188
return ret;
}
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
unsigned long arg)
{
ffffffff814782eb: 49 89 d5 mov %rdx,%r13
ffffffff814782ee: 49 89 fe mov %rdi,%r14
ffffffff814782f1: 89 f3 mov %esi,%ebx
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1195
struct iw_request_info info;
struct iwreq iwr;
char *colon;
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
ffffffff814782f3: ba 20 00 00 00 mov $0x20,%edx
ffffffff814782f8: 4c 89 ee mov %r13,%rsi
ffffffff814782fb: 4c 89 e7 mov %r12,%rdi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1188
return ret;
}
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
unsigned long arg)
{
ffffffff814782fe: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff81478305: 00 00
ffffffff81478307: 48 89 45 d8 mov %rax,-0x28(%rbp)
ffffffff8147830b: 31 c0 xor %eax,%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1195
struct iw_request_info info;
struct iwreq iwr;
char *colon;
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
ffffffff8147830d: e8 3e 51 db ff callq ffffffff8122d450 <copy_from_user>
ffffffff81478312: 48 85 c0 test %rax,%rax
ffffffff81478315: 75 67 jne ffffffff8147837e <compat_wext_handle_ioctl+0xab>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1199
return -EFAULT;
iwr.ifr_name[IFNAMSIZ-1] = 0;
colon = strchr(iwr.ifr_name, ':');
ffffffff81478317: be 3a 00 00 00 mov $0x3a,%esi
ffffffff8147831c: 4c 89 e7 mov %r12,%rdi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1198
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
return -EFAULT;
iwr.ifr_name[IFNAMSIZ-1] = 0;
ffffffff8147831f: c6 45 bf 00 movb $0x0,-0x41(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1199
colon = strchr(iwr.ifr_name, ':');
ffffffff81478323: e8 d1 25 db ff callq ffffffff8122a8f9 <strchr>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1200
if (colon)
ffffffff81478328: 48 85 c0 test %rax,%rax
ffffffff8147832b: 74 03 je ffffffff81478330 <compat_wext_handle_ioctl+0x5d>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1201
*colon = 0;
ffffffff8147832d: c6 00 00 movb $0x0,(%rax)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1206
info.cmd = cmd;
info.flags = IW_REQUEST_FLAG_COMPAT;
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
ffffffff81478330: 4c 8d 65 b0 lea -0x50(%rbp),%r12
ffffffff81478334: 48 8d 4d a0 lea -0x60(%rbp),%rcx
ffffffff81478338: 4c 89 f7 mov %r14,%rdi
ffffffff8147833b: 49 c7 c1 dc 7f 47 81 mov $0xffffffff81477fdc,%r9
ffffffff81478342: 49 c7 c0 df 8d 47 81 mov $0xffffffff81478ddf,%r8
ffffffff81478349: 89 da mov %ebx,%edx
ffffffff8147834b: 4c 89 e6 mov %r12,%rsi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1203
iwr.ifr_name[IFNAMSIZ-1] = 0;
colon = strchr(iwr.ifr_name, ':');
if (colon)
*colon = 0;
info.cmd = cmd;
ffffffff8147834e: 66 89 5d a0 mov %bx,-0x60(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1204
info.flags = IW_REQUEST_FLAG_COMPAT;
ffffffff81478352: 66 c7 45 a2 01 00 movw $0x1,-0x5e(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1206
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
ffffffff81478358: e8 f6 fd ff ff callq ffffffff81478153 <wext_ioctl_dispatch>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1210
compat_standard_call,
compat_private_call);
if (ret >= 0 &&
ffffffff8147835d: 85 c0 test %eax,%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1206
*colon = 0;
info.cmd = cmd;
info.flags = IW_REQUEST_FLAG_COMPAT;
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
ffffffff8147835f: 41 89 c6 mov %eax,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1210
compat_standard_call,
compat_private_call);
if (ret >= 0 &&
ffffffff81478362: 78 20 js ffffffff81478384 <compat_wext_handle_ioctl+0xb1>
ffffffff81478364: 80 e3 01 and $0x1,%bl
ffffffff81478367: 74 1b je ffffffff81478384 <compat_wext_handle_ioctl+0xb1>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1212
IW_IS_GET(cmd) &&
copy_to_user(argp, &iwr, sizeof(struct iwreq)))
ffffffff81478369: ba 20 00 00 00 mov $0x20,%edx
ffffffff8147836e: 4c 89 e6 mov %r12,%rsi
ffffffff81478371: 4c 89 ef mov %r13,%rdi
ffffffff81478374: e8 a7 50 db ff callq ffffffff8122d420 <copy_to_user>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1210
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
compat_standard_call,
compat_private_call);
if (ret >= 0 &&
ffffffff81478379: 48 85 c0 test %rax,%rax
ffffffff8147837c: 74 06 je ffffffff81478384 <compat_wext_handle_ioctl+0xb1>
ffffffff8147837e: 41 be f2 ff ff ff mov $0xfffffff2,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1216
IW_IS_GET(cmd) &&
copy_to_user(argp, &iwr, sizeof(struct iwreq)))
return -EFAULT;
return ret;
}
ffffffff81478384: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff81478388: 65 48 33 14 25 28 00 xor %gs:0x28,%rdx
ffffffff8147838f: 00 00
ffffffff81478391: 44 89 f0 mov %r14d,%eax
ffffffff81478394: 74 05 je ffffffff8147839b <compat_wext_handle_ioctl+0xc8>
ffffffff81478396: e8 ee ee bd ff callq ffffffff81057289 <__stack_chk_fail>
ffffffff8147839b: 48 83 c4 40 add $0x40,%rsp
ffffffff8147839f: 5b pop %rbx
ffffffff814783a0: 41 5c pop %r12
ffffffff814783a2: 41 5d pop %r13
ffffffff814783a4: 41 5e pop %r14
ffffffff814783a6: c9 leaveq
ffffffff814783a7: c3 retq
ffffffff814783a8 <wext_handle_ioctl>:
wext_handle_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1103
return ret;
}
int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
void __user *arg)
{
ffffffff814783a8: 55 push %rbp
ffffffff814783a9: 48 89 e5 mov %rsp,%rbp
ffffffff814783ac: 41 56 push %r14
ffffffff814783ae: 41 55 push %r13
ffffffff814783b0: 41 54 push %r12
ffffffff814783b2: 53 push %rbx
ffffffff814783b3: 48 83 ec 10 sub $0x10,%rsp
ffffffff814783b7: e8 44 9a b9 ff callq ffffffff81011e00 <mcount>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783bc: 49 c7 c1 b4 80 47 81 mov $0xffffffff814780b4,%r9
ffffffff814783c3: 49 c7 c0 10 8d 47 81 mov $0xffffffff81478d10,%r8
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1103
return ret;
}
int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
void __user *arg)
{
ffffffff814783ca: 49 89 cd mov %rcx,%r13
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783cd: 48 8d 4d d0 lea -0x30(%rbp),%rcx
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1103
return ret;
}
int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
void __user *arg)
{
ffffffff814783d1: 48 89 f3 mov %rsi,%rbx
ffffffff814783d4: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff814783db: 00 00
ffffffff814783dd: 48 89 45 d8 mov %rax,-0x28(%rbp)
ffffffff814783e1: 31 c0 xor %eax,%eax
ffffffff814783e3: 41 89 d4 mov %edx,%r12d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1104
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
ffffffff814783e6: 66 89 55 d0 mov %dx,-0x30(%rbp)
ffffffff814783ea: 66 c7 45 d2 00 00 movw $0x0,-0x2e(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783f0: e8 5e fd ff ff callq ffffffff81478153 <wext_ioctl_dispatch>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1110
ioctl_standard_call,
ioctl_private_call);
if (ret >= 0 &&
ffffffff814783f5: 85 c0 test %eax,%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
void __user *arg)
{
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783f7: 41 89 c6 mov %eax,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1110
ioctl_standard_call,
ioctl_private_call);
if (ret >= 0 &&
ffffffff814783fa: 78 22 js ffffffff8147841e <wext_handle_ioctl+0x76>
ffffffff814783fc: 41 80 e4 01 and $0x1,%r12b
ffffffff81478400: 74 1c je ffffffff8147841e <wext_handle_ioctl+0x76>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1112
IW_IS_GET(cmd) &&
copy_to_user(arg, ifr, sizeof(struct iwreq)))
ffffffff81478402: ba 20 00 00 00 mov $0x20,%edx
ffffffff81478407: 48 89 de mov %rbx,%rsi
ffffffff8147840a: 4c 89 ef mov %r13,%rdi
ffffffff8147840d: e8 0e 50 db ff callq ffffffff8122d420 <copy_to_user>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1110
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ioctl_standard_call,
ioctl_private_call);
if (ret >= 0 &&
ffffffff81478412: 48 85 c0 test %rax,%rax
ffffffff81478415: b8 f2 ff ff ff mov $0xfffffff2,%eax
ffffffff8147841a: 44 0f 45 f0 cmovne %eax,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1116
IW_IS_GET(cmd) &&
copy_to_user(arg, ifr, sizeof(struct iwreq)))
return -EFAULT;
return ret;
}
ffffffff8147841e: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff81478422: 65 48 33 14 25 28 00 xor %gs:0x28,%rdx
ffffffff81478429: 00 00
ffffffff8147842b: 44 89 f0 mov %r14d,%eax
ffffffff8147842e: 74 05 je ffffffff81478435 <wext_handle_ioctl+0x8d>
ffffffff81478430: e8 54 ee bd ff callq ffffffff81057289 <__stack_chk_fail>
ffffffff81478435: 5b pop %rbx
ffffffff81478436: 5e pop %rsi
ffffffff81478437: 5b pop %rbx
ffffffff81478438: 41 5c pop %r12
ffffffff8147843a: 41 5d pop %r13
ffffffff8147843c: 41 5e pop %r14
ffffffff8147843e: c9 leaveq
ffffffff8147843f: c3 retq
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 6:28 ` Hin-Tak Leung
@ 2009-10-08 9:51 ` Johannes Berg
2009-10-08 11:50 ` Johannes Berg
0 siblings, 1 reply; 14+ messages in thread
From: Johannes Berg @ 2009-10-08 9:51 UTC (permalink / raw)
To: Hin-Tak Leung; +Cc: Luis R. Rodriguez, John W. Linville, linux-wireless
On Thu, 2009-10-08 at 07:28 +0100, Hin-Tak Leung wrote:
> It looks like it is the 2nd of these two lines around
> /usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:448
> which resulted in the null pointer dereference:
>
> if (index < dev->wireless_handlers->num_private)
> return dev->wireless_handlers->private[index];
Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
#ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
defining is simply too small? You can figure that out with debug info,
presumably, but I'm not entirely sure how. Actually maybe nm would tell
you too, if you look for cfg80211_wext_handler.
What I mean is this -- cfg80211 defines cfg80211_wext_handler:
const struct iw_handler_def cfg80211_wext_handler
.num_standard
.standard
.get_wireless_stats
but the core expects
.num_standard
.standard
.num_private
.num_private_args
.private
.private_args
.get_wireless_stats
as such .num_private ends up non-zero because it's shadowed
by .get_wireless_stats.
johannes
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 9:51 ` Johannes Berg
@ 2009-10-08 11:50 ` Johannes Berg
2009-10-08 13:43 ` Luis R. Rodriguez
0 siblings, 1 reply; 14+ messages in thread
From: Johannes Berg @ 2009-10-08 11:50 UTC (permalink / raw)
To: Hin-Tak Leung; +Cc: Luis R. Rodriguez, John W. Linville, linux-wireless
On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
> defining is simply too small?
That is apparently what is happening since compat-wireless ships
iw_handler.h. This is wrong, as wext functionality is built into the
kernel image so you can't use a newer header file with it.
johannes
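Johannes's two messages above describe a struct layout mismatch: cfg80211 in compat-wireless was compiled against a newer iw_handler.h, while the wext core built into the 2.6.30 kernel image still uses the older definition, so the core reads members from offsets the module never filled in. The C program below is an added example, not code from the thread or from compat-wireless. The two struct types, their member types, the handler stand-ins and the helper names are hypothetical simplifications laid out in the member order Johannes lists; they are not the real struct iw_handler_def. It shows the core's view of .num_private picking up the first bytes of the module's .get_wireless_stats pointer and .private reading as NULL, and it adds the NULL check that a hardened version of the wext.c:448 lookup would make before indexing.

```c
/* Constructed demo of header skew between a module and the in-kernel core:
 * both sides believe they share one struct type, but their layouts differ. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int   (*iw_handler_fn)(void);   /* stand-in for a wext handler (hypothetical) */
typedef void *(*get_stats_fn)(void);    /* stand-in for get_wireless_stats (hypothetical) */

/* Layout the out-of-tree module was compiled against: only the members
 * Johannes lists for cfg80211_wext_handler (hypothetical, simplified). */
struct iw_handler_def_module {
    uint16_t             num_standard;
    const iw_handler_fn *standard;
    get_stats_fn         get_wireless_stats;
};

/* Layout the built-in wext core expects, members in the order given in the
 * thread (hypothetical, simplified). */
struct iw_handler_def_core {
    uint16_t             num_standard;
    const iw_handler_fn *standard;
    uint16_t             num_private;
    uint16_t             num_private_args;
    const iw_handler_fn *private;
    const void          *private_args;
    get_stats_fn         get_wireless_stats;
};

static int   dummy_handler(void) { return 0; }
static void *dummy_stats(void)   { return NULL; }
static const iw_handler_fn module_standard[] = { dummy_handler };

struct skew_report {
    uint16_t num_private_seen;     /* what the core reads as .num_private */
    uint16_t stats_ptr_low_bytes;  /* first two bytes of the module's .get_wireless_stats */
    int      private_is_null;      /* the core's view of .private */
    int      lookup_refused;       /* the hardened lookup bailed out instead of faulting */
};

/* The wext.c:448 pattern from the thread, plus the NULL check it lacked:
 * with a skewed layout .num_private is garbage and .private is whatever
 * happened to follow the smaller object in memory. */
static iw_handler_fn core_get_private_handler(const struct iw_handler_def_core *def,
                                              unsigned int index, int *refused)
{
    *refused = 0;
    if (index < def->num_private) {
        if (!def->private) {       /* hardening: report the skew, do not dereference it */
            *refused = 1;
            return NULL;
        }
        return def->private[index];
    }
    return NULL;
}

struct skew_report demonstrate_layout_skew(void)
{
    /* The module fills in its (smaller) idea of the struct. */
    struct iw_handler_def_module mod;
    memset(&mod, 0, sizeof mod);
    mod.num_standard       = 1;
    mod.standard           = module_standard;
    mod.get_wireless_stats = dummy_stats;

    /* The core reads the same bytes through its (larger) layout. Bytes past
     * the module object are whatever is adjacent in memory; here they are
     * zero so the read stays inside a valid buffer. */
    unsigned char mem[sizeof(struct iw_handler_def_core)];
    memset(mem, 0, sizeof mem);
    memcpy(mem, &mod, sizeof mod);
    struct iw_handler_def_core core_view;
    memcpy(&core_view, mem, sizeof core_view);

    struct skew_report r;
    r.num_private_seen = core_view.num_private;
    memcpy(&r.stats_ptr_low_bytes, &mod.get_wireless_stats, sizeof r.stats_ptr_low_bytes);
    r.private_is_null = (core_view.private == NULL);
    core_get_private_handler(&core_view, 0, &r.lookup_refused);
    return r;
}

/* 1 when the core's .num_private aliases the module's function pointer,
 * .private reads as NULL, and the hardened lookup refused exactly when the
 * aliased count was non-zero. */
int layout_skew_observed(void)
{
    struct skew_report r = demonstrate_layout_skew();
    return r.num_private_seen == r.stats_ptr_low_bytes
        && r.private_is_null
        && r.lookup_refused == (r.num_private_seen != 0);
}

int main(void)
{
    struct skew_report r = demonstrate_layout_skew();
    printf("module struct: %zu bytes, core struct: %zu bytes\n",
           sizeof(struct iw_handler_def_module), sizeof(struct iw_handler_def_core));
    printf("core reads num_private = %u (first bytes of get_wireless_stats = %u)\n",
           (unsigned)r.num_private_seen, (unsigned)r.stats_ptr_low_bytes);
    printf("core reads private = %s; hardened lookup refused = %d\n",
           r.private_is_null ? "NULL" : "non-NULL", r.lookup_refused);
    return layout_skew_observed() ? 0 : 1;
}
```

Build with `cc -Wall skew.c && ./a.out`. The NULL check only turns the crash into a refused lookup; the actual fix is the one the thread lands on, which is not shipping a newer copy of a header for a subsystem that is compiled into the kernel image, so that module and core agree on the layout in the first place.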
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 11:50 ` Johannes Berg
@ 2009-10-08 13:43 ` Luis R. Rodriguez
2009-10-08 14:28 ` Luis R. Rodriguez
2009-10-08 23:22 ` Hin-Tak Leung
0 siblings, 2 replies; 14+ messages in thread
From: Luis R. Rodriguez @ 2009-10-08 13:43 UTC (permalink / raw)
To: Johannes Berg; +Cc: Hin-Tak Leung, John W. Linville, linux-wireless
On Thu, Oct 8, 2009 at 7:50 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
> On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
>
>> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
>> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
>> defining is simply too small?
>
> That is apparently what is happening since compat-wireless ships
> iw_handler.h. This is wrong, as wext functionality is built into the
> kernel image so you can't use a newer header file with it.
Dah, thanks for looking into this! This must've been there this way
for ages and we hadn't noticed until now. This is now fixed, and a new
tarball pushed out. I'll fix on the stable stuff as well, although I
doubt the header has changed much except now.
Luis
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 13:43 ` Luis R. Rodriguez
@ 2009-10-08 14:28 ` Luis R. Rodriguez
2009-10-08 14:43 ` John W. Linville
2009-10-08 23:22 ` Hin-Tak Leung
1 sibling, 1 reply; 14+ messages in thread
From: Luis R. Rodriguez @ 2009-10-08 14:28 UTC (permalink / raw)
To: Johannes Berg, reinette chatre
Cc: Hin-Tak Leung, John W. Linville, linux-wireless
On Thu, Oct 8, 2009 at 9:43 AM, Luis R. Rodriguez
<lrodriguez@atheros.com> wrote:
> On Thu, Oct 8, 2009 at 7:50 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
>> On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
>>
>>> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
>>> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
>>> defining is simply too small?
>>
>> That is apparently what is happening since compat-wireless ships
>> iw_handler.h. This is wrong, as wext functionality is built into the
>> kernel image so you can't use a newer header file with it.
>
> Dah, thanks for looking into this! This must've been there this way
> for ages and we hadn't noticed until now. This is now fixed, and a new
> tarball pushed out. I'll fix on the stable stuff as well, although I
> doubt the header has changed much except now.
OK so iw_handler added the libipw pointer, so libipw and friends are
now messed up on compat-wireless. Do we care? I'll disable them for
now. Can't think of a way to backport this easily.
CC [M] /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.o
/home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.c:
In function ‘ipw2100_alloc_device’:
/home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.c:6060:
error: ‘struct iw_public_data’ has no member named ‘libipw’
make[4]: *** [/home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.o]
Error 1
Luis
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 14:28 ` Luis R. Rodriguez
@ 2009-10-08 14:43 ` John W. Linville
2009-10-08 14:59 ` Luis R. Rodriguez
0 siblings, 1 reply; 14+ messages in thread
From: John W. Linville @ 2009-10-08 14:43 UTC (permalink / raw)
To: Luis R. Rodriguez
Cc: Johannes Berg, reinette chatre, Hin-Tak Leung, linux-wireless
On Thu, Oct 08, 2009 at 10:28:33AM -0400, Luis R. Rodriguez wrote:
> On Thu, Oct 8, 2009 at 9:43 AM, Luis R. Rodriguez
> <lrodriguez@atheros.com> wrote:
> > On Thu, Oct 8, 2009 at 7:50 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
> >> On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
> >>
> >>> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
> >>> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
> >>> defining is simply too small?
> >>
> >> That is apparently what is happening since compat-wireless ships
> >> iw_handler.h. This is wrong, as wext functionality is built into the
> >> kernel image so you can't use a newer header file with it.
> >
> > Dah, thanks for looking into this! This must've been there this way
> > for ages and we hadn't noticed until now. This is now fixed, and a new
> > tarball pushed out. I'll fix on the stable stuff as well, although I
> > doubt the header has changed much except now.
>
> OK so iw_handler added the libipw pointer, so libipw and friends are
> now messed up on compat-wireless. Do we care? I'll disable them for
> now. Can't think of a way to backport this easily.
>
> CC [M] /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.o
> /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.c:
> In function ‘ipw2100_alloc_device’:
> /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.c:6060:
> error: ‘struct iw_public_data’ has no member named ‘libipw’
> make[4]: *** [/home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.o]
> Error 1
- /* Structure managed by the in-kernel IEEE 802.11 layer */
- struct ieee80211_device * ieee80211;
+ /* Legacy structure managed by the ipw2x00-specific IEEE 802.11 layer */
+ struct libipw_device * libipw;
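Review bot: this hunk changes the member's type as well as its name (struct ieee80211_device becomes struct libipw_device), so a compat shim that only maps the `libipw` name back onto `ieee80211` will still not compile unless `struct libipw_device` resolves in the older tree; the new comment calls it ipw2x00-specific, so confirm the type is declared in the driver's own headers rather than in the kernel's iw_handler.h before treating this as a pure rename.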
Really just a name change, FWIW...
John
--
John W. Linville Someday the world will need a hero, and you
linville@tuxdriver.com might be all we have. Be ready.
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 14:43 ` John W. Linville
@ 2009-10-08 14:59 ` Luis R. Rodriguez
0 siblings, 0 replies; 14+ messages in thread
From: Luis R. Rodriguez @ 2009-10-08 14:59 UTC (permalink / raw)
To: John W. Linville
Cc: Johannes Berg, reinette chatre, Hin-Tak Leung, linux-wireless
On Thu, Oct 8, 2009 at 10:43 AM, John W. Linville
<linville@tuxdriver.com> wrote:
> On Thu, Oct 08, 2009 at 10:28:33AM -0400, Luis R. Rodriguez wrote:
>> On Thu, Oct 8, 2009 at 9:43 AM, Luis R. Rodriguez
>> <lrodriguez@atheros.com> wrote:
>> > On Thu, Oct 8, 2009 at 7:50 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
>> >> On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
>> >>
>> >>> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
>> >>> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
>> >>> defining is simply too small?
>> >>
>> >> That is apparently what is happening since compat-wireless ships
>> >> iw_handler.h. This is wrong, as wext functionality is built into the
>> >> kernel image so you can't use a newer header file with it.
>> >
>> > Dah, thanks for looking into this! This must've been there this way
>> > for ages and we hadn't noticed until now. This is now fixed, and a new
>> > tarball pushed out. I'll fix on the stable stuff as well, although I
>> > doubt the header has changed much except now.
>>
>> OK so iw_handler added the libipw pointer, so libipw and friends are
>> now messed up on compat-wireless. Do we care? I'll disable them for
>> now. Can't think of a way to backport this easily.
>>
>> CC [M] /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.o
>> /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.c:
>> In function ‘ipw2100_alloc_device’:
>> /home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.c:6060:
>> error: ‘struct iw_public_data’ has no member named ‘libipw’
>> make[4]: *** [/home/mcgrof/devel/compat-wireless-2.6/drivers/net/wireless/ipw2x00/ipw2100.o]
>> Error 1
>
> - /* Structure managed by the in-kernel IEEE 802.11 layer */
> - struct ieee80211_device * ieee80211;
> + /* Legacy structure managed by the ipw2x00-specific IEEE 802.11 layer */
> + struct libipw_device * libipw;
>
> Really just a name change, FWIW...
Oh ok thanks, thought the struct changed too -- then it'd be easy to backport.
Luis
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 13:43 ` Luis R. Rodriguez
2009-10-08 14:28 ` Luis R. Rodriguez
@ 2009-10-08 23:22 ` Hin-Tak Leung
2009-10-09 0:14 ` Luis R. Rodriguez
1 sibling, 1 reply; 14+ messages in thread
From: Hin-Tak Leung @ 2009-10-08 23:22 UTC (permalink / raw)
To: Luis R. Rodriguez; +Cc: Johannes Berg, John W. Linville, linux-wireless
On Thu, Oct 8, 2009 at 2:43 PM, Luis R. Rodriguez
<lrodriguez@atheros.com> wrote:
> On Thu, Oct 8, 2009 at 7:50 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
>> On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
>>
>>> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
>>> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
>>> defining is simply too small?
>>
>> That is apparently what is happening since compat-wireless ships
>> iw_handler.h. This is wrong, as wext functionality is built into the
>> kernel image so you can't use a newer header file with it.
>
> Dah, thanks for looking into this! This must've been there this way
> for ages and we hadn't noticed until now. This is now fixed, and a new
> tarball pushed out. I'll fix on the stable stuff as well, although I
> doubt the header has changed much except now.
>
> Luis
>
Thanks everybody! Works alright now, after 'compat-2.6: stop shipping
bleeding edge iw_handler.h'.
There are some harmless warnings from using the old header, but
otherwise it is working as it should:
CC [M] /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.o
/home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c: In
function ‘__cfg80211_connect_result’:
/home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:370:
warning: passing argument 4 of ‘wireless_send_event’ discards
qualifiers from pointer target type
include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
of type ‘const u8 *’
/home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:376:
warning: passing argument 4 of ‘wireless_send_event’ discards
qualifiers from pointer target type
include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
of type ‘const u8 *’
/home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c: In
function ‘__cfg80211_roamed’:
/home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:520:
warning: passing argument 4 of ‘wireless_send_event’ discards
qualifiers from pointer target type
include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
of type ‘const u8 *’
/home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:527:
warning: passing argument 4 of ‘wireless_send_event’ discards
qualifiers from pointer target type
include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
of type ‘const u8 *’
Hin-Tak
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-08 23:22 ` Hin-Tak Leung
@ 2009-10-09 0:14 ` Luis R. Rodriguez
2009-10-09 8:05 ` Johannes Berg
0 siblings, 1 reply; 14+ messages in thread
From: Luis R. Rodriguez @ 2009-10-09 0:14 UTC (permalink / raw)
To: Hin-Tak Leung; +Cc: Johannes Berg, John W. Linville, linux-wireless
On Thu, Oct 8, 2009 at 7:22 PM, Hin-Tak Leung <hintak.leung@gmail.com> wrote:
> On Thu, Oct 8, 2009 at 2:43 PM, Luis R. Rodriguez
> <lrodriguez@atheros.com> wrote:
>> On Thu, Oct 8, 2009 at 7:50 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
>>> On Thu, 2009-10-08 at 11:51 +0200, Johannes Berg wrote:
>>>
>>>> Ok, that's odd. Is it possible that somehow cfg80211 is picking up an
>>>> #ifdef'ed copy of "struct iw_handler_def", and thus the struct it is
>>>> defining is simply too small?
>>>
>>> That is apparently what is happening since compat-wireless ships
>>> iw_handler.h. This is wrong, as wext functionality is built into the
>>> kernel image so you can't use a newer header file with it.
>>
>> Dah, thanks for looking into this! This must've been there this way
>> for ages and we hadn't noticed until now. This is now fixed, and a new
>> tarball pushed out. I'll fix on the stable stuff as well, although I
>> doubt the header has changed much except now.
>>
>> Luis
>>
>
> Thanks everybody! Works alright now, after 'compat-2.6: stop shipping
> bleeding edge iw_handler.h' .
>
> There are some harmless warnings from using the old header, but
> otherwise it is working as it should:
> CC [M] /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.o
> /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c: In
> function ‘__cfg80211_connect_result’:
> /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:370:
> warning: passing argument 4 of ‘wireless_send_event’ discards
> qualifiers from pointer target type
> include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
> of type ‘const u8 *’
> /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:376:
> warning: passing argument 4 of ‘wireless_send_event’ discards
> qualifiers from pointer target type
> include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
> of type ‘const u8 *’
> /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c: In
> function ‘__cfg80211_roamed’:
> /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:520:
> warning: passing argument 4 of ‘wireless_send_event’ discards
> qualifiers from pointer target type
> include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
> of type ‘const u8 *’
> /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:527:
> warning: passing argument 4 of ‘wireless_send_event’ discards
> qualifiers from pointer target type
> include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
> of type ‘const u8 *’
The last argument to wireless_send_event() was changed to be const on
2.6.32, can't think of a way to avoid this warning.
Luis
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-09 0:14 ` Luis R. Rodriguez
@ 2009-10-09 8:05 ` Johannes Berg
2009-10-13 21:04 ` Luis R. Rodriguez
0 siblings, 1 reply; 14+ messages in thread
From: Johannes Berg @ 2009-10-09 8:05 UTC (permalink / raw)
To: Luis R. Rodriguez; +Cc: Hin-Tak Leung, John W. Linville, linux-wireless
On Thu, 2009-10-08 at 20:14 -0400, Luis R. Rodriguez wrote:
> > There are some harmless warnings from using the old header, but
> > otherwise it is working as it should:
> > CC [M] /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.o
> > /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c: In
> > function ‘__cfg80211_connect_result’:
> > /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:370:
> > warning: passing argument 4 of ‘wireless_send_event’ discards
> > qualifiers from pointer target type
> > include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
> > of type ‘const u8 *’
> The last argument to wireless_send_event() was changed to be const on
> 2.6.32, can't think of a way to avoid this warning.
Yeah, it was never modified though so the warning is harmless.
johannes
* Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
2009-10-09 8:05 ` Johannes Berg
@ 2009-10-13 21:04 ` Luis R. Rodriguez
0 siblings, 0 replies; 14+ messages in thread
From: Luis R. Rodriguez @ 2009-10-13 21:04 UTC (permalink / raw)
To: Johannes Berg; +Cc: Hin-Tak Leung, John W. Linville, linux-wireless
On Fri, Oct 9, 2009 at 1:05 AM, Johannes Berg <johannes@sipsolutions.net> wrote:
> On Thu, 2009-10-08 at 20:14 -0400, Luis R. Rodriguez wrote:
>
>> > There are some harmless warnings from using the old header, but
>> > otherwise it is working as it should:
>> > CC [M] /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.o
>> > /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c: In
>> > function ‘__cfg80211_connect_result’:
>> > /home/Hin-Tak/tmp-git/compat-wireless-2.6/net/wireless/sme.c:370:
>> > warning: passing argument 4 of ‘wireless_send_event’ discards
>> > qualifiers from pointer target type
>> > include/net/iw_handler.h:443: note: expected ‘char *’ but argument is
>> > of type ‘const u8 *’
>
>> The last argument to wireless_send_event() was changed to be const on
>> 2.6.32, can't think of a way to avoid this warning.
>
> Yeah, it was never modified though so the warning is harmless.
OK so casting was enough to avoid these warnings, will use that for
older kernels.
#define wireless_send_event(a, b, c, d) wireless_send_event(a, b, c, (char *) d)
Luis