From: Johannes Berg <johannes@sipsolutions.net>
To: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: wwguy <wey-yi.w.guy@intel.com>,
	Intel Linux Wireless <ilw@linux.intel.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: [PATCH] mac80211: fix conn_mon_timer running after disassociate
Date: Wed, 16 Feb 2011 12:10:01 +0100
Message-ID: <1297854601.3736.0.camel@jlt3.sipsolutions.net>
In-Reply-To: <20110216095443.GC2812@redhat.com>

On Wed, 2011-02-16 at 10:54 +0100, Stanislaw Gruszka wrote:
> Low level driver could pass rx frames to us after disassociate, which
> can lead to running conn_mon_timer by ieee80211_sta_rx_notify(). That
> is obviously wrong, but nothing happens until we unload modules and
> resources are used after free. If kernel debugging is enabled the following
> warning could be observed:
> 
> WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70()
> Hardware name: HP xw8600 Workstation
> ODEBUG: free active (active state 0) object type: timer_list
> Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 ...
> Pid: 13827, comm: rmmod Tainted: G        W   2.6.38-rc4-wl+ #22
> Call Trace:
>  [<ffffffff810649cf>] ? warn_slowpath_common+0x7f/0xc0
>  [<ffffffff81064ac6>] ? warn_slowpath_fmt+0x46/0x50
>  [<ffffffff81226fc5>] ? debug_print_object+0x65/0x70
>  [<ffffffff81227625>] ? debug_check_no_obj_freed+0x125/0x210
>  [<ffffffff8109ebd7>] ? debug_check_no_locks_freed+0xf7/0x170
>  [<ffffffff81156092>] ? kfree+0xc2/0x2f0
>  [<ffffffff813ec5c5>] ? netdev_release+0x45/0x60
>  [<ffffffff812f1067>] ? device_release+0x27/0xa0
>  [<ffffffff81216ddd>] ? kobject_release+0x8d/0x1a0
>  [<ffffffff81216d50>] ? kobject_release+0x0/0x1a0
>  [<ffffffff812183b7>] ? kref_put+0x37/0x70
>  [<ffffffff81216c57>] ? kobject_put+0x27/0x60
>  [<ffffffff813d5d1b>] ? netdev_run_todo+0x1ab/0x270
>  [<ffffffff813e771e>] ? rtnl_unlock+0xe/0x10
>  [<ffffffffa0581188>] ? ieee80211_unregister_hw+0x58/0x120 [mac80211]
>  [<ffffffffa0377ed7>] ? iwl_pci_remove+0xdb/0x22a [iwlagn]
>  [<ffffffff8123cde2>] ? pci_device_remove+0x52/0x120
>  [<ffffffff812f5205>] ? __device_release_driver+0x75/0xe0
>  [<ffffffff812f5348>] ? driver_detach+0xd8/0xe0
>  [<ffffffff812f4111>] ? bus_remove_driver+0x91/0x100
>  [<ffffffff812f5b62>] ? driver_unregister+0x62/0xa0
>  [<ffffffff8123d194>] ? pci_unregister_driver+0x44/0xa0
>  [<ffffffffa0377df5>] ? iwl_exit+0x15/0x1c [iwlagn]
>  [<ffffffff810ab492>] ? sys_delete_module+0x1a2/0x270
>  [<ffffffff81498889>] ? trace_hardirqs_on_thunk+0x3a/0x3f
>  [<ffffffff8100bf42>] ? system_call_fastpath+0x16/0x1b
> 
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
>  net/mac80211/mlme.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)
> 
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index d89e878..7b3f9df 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -1071,6 +1071,12 @@ void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
>  	if (is_multicast_ether_addr(hdr->addr1))
>  		return;
>  
> +	/*
> +	 * In case we receive pending frames after disassociation.
> +	 */
> +	if (!sdata->u.mgd.associated)
> +		return;
> +
>  	ieee80211_sta_reset_conn_monitor(sdata);
>  }
>  
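
Review bot: the new `if (!sdata->u.mgd.associated)` test in ieee80211_sta_rx_notify() is a plain read with no lock or barrier visible in this hunk, so a frame handled concurrently with disassociation could still pass it and reach ieee80211_sta_reset_conn_monitor(). It would help to confirm that the disassociate path clears `associated` before it deletes conn_mon_timer, and that the timer is deleted synchronously on interface teardown, so the "free active ... timer_list" condition from the trace cannot come back through that window. The comment could also state the consequence rather than only the trigger, for example that resetting the connection monitor here would re-arm conn_mon_timer after disassociation and leave it active when the netdev is freed.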

good catch, thanks.

johannes

