linux-wireless.vger.kernel.org archive mirror
* Weird oops in mac80211's skb_orphan call
@ 2008-06-23 23:32 Michael Buesch
From: Michael Buesch @ 2008-06-23 23:32 UTC (permalink / raw)
  To: Johannes Berg; +Cc: linux-wireless

I have a 100% reproducible oops inside of the skb_orphan
call of mac80211's ieee80211_tx_status function.
I could only reproduce it with the CompactFlash bcm4318 card, yet.
So maybe it's somehow related to b43's PIO code.

Here's the oops:
http://bu3sch.de/misc/sk_oops.JPG

As you can see, I added some debugging printks.
So let me explain what is going on.
After firing up wpa_supplicant, ieee80211_tx_status is invoked several times
without crashing. But then suddenly it crashes on the skb_orphan call.
The skb_orphan call will call the skb destructor. You can see the
skb->destructor and skb->sk pointers right above the oops message.
The destructor pointer is assigned to sock_wfree() and the sk pointer is NULL.
So skb_orphan calls skb->destructor with skb->sk as parameter and sock_wfree (which
is the destructor) will dereference skb->sk. That will obviously crash.

Any ideas why skb->sk is NULL while the destructor is not NULL?
They should either be both NULL or not NULL.

-- 
Greetings Michael.
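
An added illustration, not part of the message above and not kernel code: a simplified userspace C model of the sk/destructor pairing the report describes, with a checked orphan helper that reports the "destructor set, sk NULL" state instead of dereferencing it. All `model_*` names are hypothetical; in this model the destructor receives the skb and reads skb->sk from it.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace stand-ins for struct sock / struct sk_buff (assumed model). */
struct model_sock { int wmem_alloc; };
struct model_skb {
    struct model_sock *sk;
    void (*destructor)(struct model_skb *skb);
    int truesize;
};

/* Like sock_wfree(): releases the skb's charge against its owning socket,
 * so it dereferences skb->sk without a NULL check. */
static void model_sock_wfree(struct model_skb *skb)
{
    skb->sk->wmem_alloc -= skb->truesize;
}

/* The invariant from the report: sk and destructor are both set or both NULL. */
static int model_skb_owner_consistent(const struct model_skb *skb)
{
    return (skb->sk == NULL) == (skb->destructor == NULL);
}

/* Checked orphan: returns 0 on success, -1 if the pair is inconsistent.
 * An inconsistent skb is left untouched so its state can be dumped. */
static int model_skb_orphan_checked(struct model_skb *skb)
{
    if (!model_skb_owner_consistent(skb)) {
        fprintf(stderr, "inconsistent skb: sk=%p destructor=%s\n",
                (void *)skb->sk, skb->destructor ? "set" : "NULL");
        return -1;
    }
    if (skb->destructor)
        skb->destructor(skb);
    skb->destructor = NULL;
    skb->sk = NULL;
    return 0;
}

int main(void)
{
    struct model_sock sock = { .wmem_alloc = 256 };
    struct model_skb good = { &sock, model_sock_wfree, 256 };
    struct model_skb bad  = { NULL,  model_sock_wfree, 256 }; /* state seen in the oops */

    printf("good: %d, wmem_alloc now %d\n", model_skb_orphan_checked(&good), sock.wmem_alloc);
    printf("bad:  %d\n", model_skb_orphan_checked(&bad));
    return 0;
}
```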
