[PATCH] Fix SLAB corruption during

[PATCH] Fix SLAB corruption during

[Ivo van Doorn]

At rmmod stage, the code path is the following one :

rt2x00lib_remove_dev
=C2=A0 -> =C2=A0rt2x00lib_uninitialize()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 -> rt2x00rfkill_unregister()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-> rfkill_unregister()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 -> rt2x00rfkill_free()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-> rfkill_free()

The problem is that rfkill_free should not be called after rfkill_free
otherwise put_device(&rfkill->dev) will be called 2 times. This patch
fix this by removing the call to rfkill_free

Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Tested-by: Arnaud Patard <apatard@mandriva.com>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>

---
John, this patch is for 2.6.29 and only 2.6.29 since rfkill support its=
elf
was removed from later versions (replaced by input_polldev).
The patch is quite big to be merged in a late state of the release cycl=
e,
but since the SLAB corruption is a serious problem, I hope this can get=
 in regardless.

Thanks.

diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireles=
s/rt2x00/rt2x00.h
index 39ecf3b..820fdb2 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -687,8 +687,7 @@ struct rt2x00_dev {
 	 */
 #ifdef CONFIG_RT2X00_LIB_RFKILL
 	unsigned long rfkill_state;
-#define RFKILL_STATE_ALLOCATED		1
-#define RFKILL_STATE_REGISTERED		2
+#define RFKILL_STATE_REGISTERED		1
 	struct rfkill *rfkill;
 	struct delayed_work rfkill_work;
 #endif /* CONFIG_RT2X00_LIB_RFKILL */
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wire=
less/rt2x00/rt2x00dev.c
index 87c0f2c..e694bb7 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -1105,7 +1105,6 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00=
dev)
 	 * Register extra components.
 	 */
 	rt2x00leds_register(rt2x00dev);
-	rt2x00rfkill_allocate(rt2x00dev);
 	rt2x00debug_register(rt2x00dev);
=20
 	set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
@@ -1137,7 +1136,6 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x=
00dev)
 	 * Free extra components
 	 */
 	rt2x00debug_deregister(rt2x00dev);
-	rt2x00rfkill_free(rt2x00dev);
 	rt2x00leds_unregister(rt2x00dev);
=20
 	/*
diff --git a/drivers/net/wireless/rt2x00/rt2x00lib.h b/drivers/net/wire=
less/rt2x00/rt2x00lib.h
index 86cd26f..49309d4 100644
--- a/drivers/net/wireless/rt2x00/rt2x00lib.h
+++ b/drivers/net/wireless/rt2x00/rt2x00lib.h
@@ -260,8 +260,6 @@ static inline void rt2x00crypto_rx_insert_iv(struct=
 sk_buff *skb,
 #ifdef CONFIG_RT2X00_LIB_RFKILL
 void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev);
 void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev);
-void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev);
-void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev);
 #else
 static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
 {
@@ -270,14 +268,6 @@ static inline void rt2x00rfkill_register(struct rt=
2x00_dev *rt2x00dev)
 static inline void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00de=
v)
 {
 }
-
-static inline void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
-{
-}
-
-static inline void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
-{
-}
 #endif /* CONFIG_RT2X00_LIB_RFKILL */
=20
 /*
diff --git a/drivers/net/wireless/rt2x00/rt2x00rfkill.c b/drivers/net/w=
ireless/rt2x00/rt2x00rfkill.c
index 3298cae..08ffc6d 100644
--- a/drivers/net/wireless/rt2x00/rt2x00rfkill.c
+++ b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
@@ -94,14 +94,50 @@ static void rt2x00rfkill_poll(struct work_struct *w=
ork)
 			   &rt2x00dev->rfkill_work, RFKILL_POLL_INTERVAL);
 }
=20
+static int rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
+{
+	struct device *dev =3D wiphy_dev(rt2x00dev->hw->wiphy);
+
+	rt2x00dev->rfkill =3D rfkill_allocate(dev, RFKILL_TYPE_WLAN);
+	if (!rt2x00dev->rfkill)
+		return -ENOMEM;
+
+	rt2x00dev->rfkill->name =3D rt2x00dev->ops->name;
+	rt2x00dev->rfkill->data =3D rt2x00dev;
+	rt2x00dev->rfkill->toggle_radio =3D rt2x00rfkill_toggle_radio;
+	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
+		rt2x00dev->rfkill->get_state =3D rt2x00rfkill_get_state;
+		rt2x00dev->rfkill->state =3D
+			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
+			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
+	} else {
+		rt2x00dev->rfkill->state =3D RFKILL_STATE_UNBLOCKED;
+	}
+
+	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
+
+	return 0;
+}
+
+static void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
+{
+	rfkill_free(rt2x00dev->rfkill);
+	rt2x00dev->rfkill =3D NULL;
+}
+
 void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
 {
-	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
-	    test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
+	if (test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
+		return;
+
+	if (rt2x00rfkill_allocate(rt2x00dev)) {
+		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
 		return;
+	}
=20
 	if (rfkill_register(rt2x00dev->rfkill)) {
 		ERROR(rt2x00dev, "Failed to register rfkill handler.\n");
+		rt2x00rfkill_free(rt2x00dev);
 		return;
 	}
=20
@@ -117,8 +153,7 @@ void rt2x00rfkill_register(struct rt2x00_dev *rt2x0=
0dev)
=20
 void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
 {
-	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
-	    !test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
+	if (!test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
 		return;
=20
 	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
@@ -127,46 +162,3 @@ void rt2x00rfkill_unregister(struct rt2x00_dev *rt=
2x00dev)
=20
 	__clear_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state);
 }
-
-void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
-{
-	struct device *dev =3D wiphy_dev(rt2x00dev->hw->wiphy);
-
-	if (test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
-		return;
-
-	rt2x00dev->rfkill =3D rfkill_allocate(dev, RFKILL_TYPE_WLAN);
-	if (!rt2x00dev->rfkill) {
-		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
-		return;
-	}
-
-	__set_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state);
-
-	rt2x00dev->rfkill->name =3D rt2x00dev->ops->name;
-	rt2x00dev->rfkill->data =3D rt2x00dev;
-	rt2x00dev->rfkill->toggle_radio =3D rt2x00rfkill_toggle_radio;
-	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
-		rt2x00dev->rfkill->get_state =3D rt2x00rfkill_get_state;
-		rt2x00dev->rfkill->state =3D
-			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
-			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
-	} else {
-		rt2x00dev->rfkill->state =3D RFKILL_STATE_UNBLOCKED;
-	}
-
-	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
-
-	return;
-}
-
-void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
-{
-	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
-		return;
-
-	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
-
-	rfkill_free(rt2x00dev->rfkill);
-	rt2x00dev->rfkill =3D NULL;
-}
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Fix SLAB corruption during

[Dan Williams]

On Mon, 2009-03-16 at 19:25 +0100, Ivo van Doorn wrote:
> At rmmod stage, the code path is the following one :
> 
> rt2x00lib_remove_dev
>   ->  rt2x00lib_uninitialize()
>         -> rt2x00rfkill_unregister()
>              -> rfkill_unregister()
>         -> rt2x00rfkill_free()
>              -> rfkill_free()
> 
> The problem is that rfkill_free should not be called after rfkill_free
> otherwise put_device(&rfkill->dev) will be called 2 times. This patch
> fix this by removing the call to rfkill_free

Needs a better patch title :)  During what?  And I assume you mean
"rfkill_free() should not be called after rfkill_unregister(), right?

Dan

> Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
> Tested-by: Arnaud Patard <apatard@mandriva.com>
> Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
> 
> ---
> John, this patch is for 2.6.29 and only 2.6.29 since rfkill support itself
> was removed from later versions (replaced by input_polldev).
> The patch is quite big to be merged in a late state of the release cycle,
> but since the SLAB corruption is a serious problem, I hope this can get in regardless.
> 
> Thanks.
> 
> diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
> index 39ecf3b..820fdb2 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00.h
> +++ b/drivers/net/wireless/rt2x00/rt2x00.h
> @@ -687,8 +687,7 @@ struct rt2x00_dev {
>  	 */
>  #ifdef CONFIG_RT2X00_LIB_RFKILL
>  	unsigned long rfkill_state;
> -#define RFKILL_STATE_ALLOCATED		1
> -#define RFKILL_STATE_REGISTERED		2
> +#define RFKILL_STATE_REGISTERED		1
>  	struct rfkill *rfkill;
>  	struct delayed_work rfkill_work;
>  #endif /* CONFIG_RT2X00_LIB_RFKILL */
> diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
> index 87c0f2c..e694bb7 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00dev.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
> @@ -1105,7 +1105,6 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev)
>  	 * Register extra components.
>  	 */
>  	rt2x00leds_register(rt2x00dev);
> -	rt2x00rfkill_allocate(rt2x00dev);
>  	rt2x00debug_register(rt2x00dev);
>  
>  	set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
> @@ -1137,7 +1136,6 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
>  	 * Free extra components
>  	 */
>  	rt2x00debug_deregister(rt2x00dev);
> -	rt2x00rfkill_free(rt2x00dev);
>  	rt2x00leds_unregister(rt2x00dev);
>  
>  	/*
> diff --git a/drivers/net/wireless/rt2x00/rt2x00lib.h b/drivers/net/wireless/rt2x00/rt2x00lib.h
> index 86cd26f..49309d4 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00lib.h
> +++ b/drivers/net/wireless/rt2x00/rt2x00lib.h
> @@ -260,8 +260,6 @@ static inline void rt2x00crypto_rx_insert_iv(struct sk_buff *skb,
>  #ifdef CONFIG_RT2X00_LIB_RFKILL
>  void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev);
>  void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev);
> -void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev);
> -void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev);
>  #else
>  static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
>  {
> @@ -270,14 +268,6 @@ static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
>  static inline void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
>  {
>  }
> -
> -static inline void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
> -{
> -}
> -
> -static inline void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
> -{
> -}
>  #endif /* CONFIG_RT2X00_LIB_RFKILL */
>  
>  /*
> diff --git a/drivers/net/wireless/rt2x00/rt2x00rfkill.c b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
> index 3298cae..08ffc6d 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00rfkill.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
> @@ -94,14 +94,50 @@ static void rt2x00rfkill_poll(struct work_struct *work)
>  			   &rt2x00dev->rfkill_work, RFKILL_POLL_INTERVAL);
>  }
>  
> +static int rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
> +{
> +	struct device *dev = wiphy_dev(rt2x00dev->hw->wiphy);
> +
> +	rt2x00dev->rfkill = rfkill_allocate(dev, RFKILL_TYPE_WLAN);
> +	if (!rt2x00dev->rfkill)
> +		return -ENOMEM;
> +
> +	rt2x00dev->rfkill->name = rt2x00dev->ops->name;
> +	rt2x00dev->rfkill->data = rt2x00dev;
> +	rt2x00dev->rfkill->toggle_radio = rt2x00rfkill_toggle_radio;
> +	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
> +		rt2x00dev->rfkill->get_state = rt2x00rfkill_get_state;
> +		rt2x00dev->rfkill->state =
> +			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
> +			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
> +	} else {
> +		rt2x00dev->rfkill->state = RFKILL_STATE_UNBLOCKED;
> +	}
> +
> +	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
> +
> +	return 0;
> +}
> +
> +static void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
> +{
> +	rfkill_free(rt2x00dev->rfkill);
> +	rt2x00dev->rfkill = NULL;
> +}
> +
>  void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
>  {
> -	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
> -	    test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> +	if (test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> +		return;
> +
> +	if (rt2x00rfkill_allocate(rt2x00dev)) {
> +		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
>  		return;
> +	}
>  
>  	if (rfkill_register(rt2x00dev->rfkill)) {
>  		ERROR(rt2x00dev, "Failed to register rfkill handler.\n");
> +		rt2x00rfkill_free(rt2x00dev);
>  		return;
>  	}
>  
> @@ -117,8 +153,7 @@ void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
>  
>  void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
>  {
> -	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
> -	    !test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> +	if (!test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
>  		return;
>  
>  	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
> @@ -127,46 +162,3 @@ void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
>  
>  	__clear_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state);
>  }
> -
> -void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
> -{
> -	struct device *dev = wiphy_dev(rt2x00dev->hw->wiphy);
> -
> -	if (test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
> -		return;
> -
> -	rt2x00dev->rfkill = rfkill_allocate(dev, RFKILL_TYPE_WLAN);
> -	if (!rt2x00dev->rfkill) {
> -		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
> -		return;
> -	}
> -
> -	__set_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state);
> -
> -	rt2x00dev->rfkill->name = rt2x00dev->ops->name;
> -	rt2x00dev->rfkill->data = rt2x00dev;
> -	rt2x00dev->rfkill->toggle_radio = rt2x00rfkill_toggle_radio;
> -	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
> -		rt2x00dev->rfkill->get_state = rt2x00rfkill_get_state;
> -		rt2x00dev->rfkill->state =
> -			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
> -			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
> -	} else {
> -		rt2x00dev->rfkill->state = RFKILL_STATE_UNBLOCKED;
> -	}
> -
> -	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
> -
> -	return;
> -}
> -
> -void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
> -{
> -	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
> -		return;
> -
> -	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
> -
> -	rfkill_free(rt2x00dev->rfkill);
> -	rt2x00dev->rfkill = NULL;
> -}
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Fix SLAB corruption during

[Ivo van Doorn]

On Monday 16 March 2009, Dan Williams wrote:
> On Mon, 2009-03-16 at 19:25 +0100, Ivo van Doorn wrote:
> > At rmmod stage, the code path is the following one :
> > 
> > rt2x00lib_remove_dev
> >   ->  rt2x00lib_uninitialize()
> >         -> rt2x00rfkill_unregister()
> >              -> rfkill_unregister()
> >         -> rt2x00rfkill_free()
> >              -> rfkill_free()
> > 
> > The problem is that rfkill_free should not be called after rfkill_free
> > otherwise put_device(&rfkill->dev) will be called 2 times. This patch
> > fix this by removing the call to rfkill_free
> 
> Needs a better patch title :)  During what?  And I assume you mean
> "rfkill_free() should not be called after rfkill_unregister(), right?

Oops, me and copy & pasting. :)
Will resend with correct information.

Ivo

> Dan
> 
> > Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
> > Tested-by: Arnaud Patard <apatard@mandriva.com>
> > Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
> > 
> > ---
> > John, this patch is for 2.6.29 and only 2.6.29 since rfkill support itself
> > was removed from later versions (replaced by input_polldev).
> > The patch is quite big to be merged in a late state of the release cycle,
> > but since the SLAB corruption is a serious problem, I hope this can get in regardless.
> > 
> > Thanks.
> > 
> > diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
> > index 39ecf3b..820fdb2 100644
> > --- a/drivers/net/wireless/rt2x00/rt2x00.h
> > +++ b/drivers/net/wireless/rt2x00/rt2x00.h
> > @@ -687,8 +687,7 @@ struct rt2x00_dev {
> >  	 */
> >  #ifdef CONFIG_RT2X00_LIB_RFKILL
> >  	unsigned long rfkill_state;
> > -#define RFKILL_STATE_ALLOCATED		1
> > -#define RFKILL_STATE_REGISTERED		2
> > +#define RFKILL_STATE_REGISTERED		1
> >  	struct rfkill *rfkill;
> >  	struct delayed_work rfkill_work;
> >  #endif /* CONFIG_RT2X00_LIB_RFKILL */
> > diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
> > index 87c0f2c..e694bb7 100644
> > --- a/drivers/net/wireless/rt2x00/rt2x00dev.c
> > +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
> > @@ -1105,7 +1105,6 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00dev)
> >  	 * Register extra components.
> >  	 */
> >  	rt2x00leds_register(rt2x00dev);
> > -	rt2x00rfkill_allocate(rt2x00dev);
> >  	rt2x00debug_register(rt2x00dev);
> >  
> >  	set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
> > @@ -1137,7 +1136,6 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
> >  	 * Free extra components
> >  	 */
> >  	rt2x00debug_deregister(rt2x00dev);
> > -	rt2x00rfkill_free(rt2x00dev);
> >  	rt2x00leds_unregister(rt2x00dev);
> >  
> >  	/*
> > diff --git a/drivers/net/wireless/rt2x00/rt2x00lib.h b/drivers/net/wireless/rt2x00/rt2x00lib.h
> > index 86cd26f..49309d4 100644
> > --- a/drivers/net/wireless/rt2x00/rt2x00lib.h
> > +++ b/drivers/net/wireless/rt2x00/rt2x00lib.h
> > @@ -260,8 +260,6 @@ static inline void rt2x00crypto_rx_insert_iv(struct sk_buff *skb,
> >  #ifdef CONFIG_RT2X00_LIB_RFKILL
> >  void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev);
> >  void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev);
> > -void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev);
> > -void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev);
> >  #else
> >  static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
> >  {
> > @@ -270,14 +268,6 @@ static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
> >  static inline void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
> >  {
> >  }
> > -
> > -static inline void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
> > -{
> > -}
> > -
> > -static inline void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
> > -{
> > -}
> >  #endif /* CONFIG_RT2X00_LIB_RFKILL */
> >  
> >  /*
> > diff --git a/drivers/net/wireless/rt2x00/rt2x00rfkill.c b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
> > index 3298cae..08ffc6d 100644
> > --- a/drivers/net/wireless/rt2x00/rt2x00rfkill.c
> > +++ b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
> > @@ -94,14 +94,50 @@ static void rt2x00rfkill_poll(struct work_struct *work)
> >  			   &rt2x00dev->rfkill_work, RFKILL_POLL_INTERVAL);
> >  }
> >  
> > +static int rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
> > +{
> > +	struct device *dev = wiphy_dev(rt2x00dev->hw->wiphy);
> > +
> > +	rt2x00dev->rfkill = rfkill_allocate(dev, RFKILL_TYPE_WLAN);
> > +	if (!rt2x00dev->rfkill)
> > +		return -ENOMEM;
> > +
> > +	rt2x00dev->rfkill->name = rt2x00dev->ops->name;
> > +	rt2x00dev->rfkill->data = rt2x00dev;
> > +	rt2x00dev->rfkill->toggle_radio = rt2x00rfkill_toggle_radio;
> > +	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
> > +		rt2x00dev->rfkill->get_state = rt2x00rfkill_get_state;
> > +		rt2x00dev->rfkill->state =
> > +			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
> > +			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
> > +	} else {
> > +		rt2x00dev->rfkill->state = RFKILL_STATE_UNBLOCKED;
> > +	}
> > +
> > +	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
> > +
> > +	return 0;
> > +}
> > +
> > +static void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
> > +{
> > +	rfkill_free(rt2x00dev->rfkill);
> > +	rt2x00dev->rfkill = NULL;
> > +}
> > +
> >  void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
> >  {
> > -	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
> > -	    test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> > +	if (test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> > +		return;
> > +
> > +	if (rt2x00rfkill_allocate(rt2x00dev)) {
> > +		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
> >  		return;
> > +	}
> >  
> >  	if (rfkill_register(rt2x00dev->rfkill)) {
> >  		ERROR(rt2x00dev, "Failed to register rfkill handler.\n");
> > +		rt2x00rfkill_free(rt2x00dev);
> >  		return;
> >  	}
> >  
> > @@ -117,8 +153,7 @@ void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
> >  
> >  void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
> >  {
> > -	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
> > -	    !test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> > +	if (!test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
> >  		return;
> >  
> >  	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
> > @@ -127,46 +162,3 @@ void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
> >  
> >  	__clear_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state);
> >  }
> > -
> > -void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
> > -{
> > -	struct device *dev = wiphy_dev(rt2x00dev->hw->wiphy);
> > -
> > -	if (test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
> > -		return;
> > -
> > -	rt2x00dev->rfkill = rfkill_allocate(dev, RFKILL_TYPE_WLAN);
> > -	if (!rt2x00dev->rfkill) {
> > -		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
> > -		return;
> > -	}
> > -
> > -	__set_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state);
> > -
> > -	rt2x00dev->rfkill->name = rt2x00dev->ops->name;
> > -	rt2x00dev->rfkill->data = rt2x00dev;
> > -	rt2x00dev->rfkill->toggle_radio = rt2x00rfkill_toggle_radio;
> > -	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
> > -		rt2x00dev->rfkill->get_state = rt2x00rfkill_get_state;
> > -		rt2x00dev->rfkill->state =
> > -			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
> > -			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
> > -	} else {
> > -		rt2x00dev->rfkill->state = RFKILL_STATE_UNBLOCKED;
> > -	}
> > -
> > -	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
> > -
> > -	return;
> > -}
> > -
> > -void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
> > -{
> > -	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
> > -		return;
> > -
> > -	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
> > -
> > -	rfkill_free(rt2x00dev->rfkill);
> > -	rt2x00dev->rfkill = NULL;
> > -}
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

[PATCH v2] Fix SLAB corruption during rmmod

[Ivo van Doorn]

At rmmod stage, the code path is the following one :

rt2x00lib_remove_dev
=C2=A0 -> =C2=A0rt2x00lib_uninitialize()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 -> rt2x00rfkill_unregister()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-> rfkill_unregister()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 -> rt2x00rfkill_free()
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0-> rfkill_free()

The problem is that rfkill_free should not be called after rfkill_regis=
ter
otherwise put_device(&rfkill->dev) will be called 2 times. This patch
fixes this by only calling rt2x00rfkill_free() when rt2x00rfkill_regist=
er()
hasn't been called or has failed.

Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Tested-by: Arnaud Patard <apatard@mandriva.com>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>

---
John, this patch is for 2.6.29 and only 2.6.29 since rfkill support its=
elf
was removed from later versions (replaced by input_polldev).
The patch is quite big to be merged in a late state of the release cycl=
e,
but since the SLAB corruption is a serious problem, I hope this can get=
 in regardless.

Thanks.

diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireles=
s/rt2x00/rt2x00.h
index 39ecf3b..820fdb2 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -687,8 +687,7 @@ struct rt2x00_dev {
 	 */
 #ifdef CONFIG_RT2X00_LIB_RFKILL
 	unsigned long rfkill_state;
-#define RFKILL_STATE_ALLOCATED		1
-#define RFKILL_STATE_REGISTERED		2
+#define RFKILL_STATE_REGISTERED		1
 	struct rfkill *rfkill;
 	struct delayed_work rfkill_work;
 #endif /* CONFIG_RT2X00_LIB_RFKILL */
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wire=
less/rt2x00/rt2x00dev.c
index 87c0f2c..e694bb7 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -1105,7 +1105,6 @@ int rt2x00lib_probe_dev(struct rt2x00_dev *rt2x00=
dev)
 	 * Register extra components.
 	 */
 	rt2x00leds_register(rt2x00dev);
-	rt2x00rfkill_allocate(rt2x00dev);
 	rt2x00debug_register(rt2x00dev);
=20
 	set_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags);
@@ -1137,7 +1136,6 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x=
00dev)
 	 * Free extra components
 	 */
 	rt2x00debug_deregister(rt2x00dev);
-	rt2x00rfkill_free(rt2x00dev);
 	rt2x00leds_unregister(rt2x00dev);
=20
 	/*
diff --git a/drivers/net/wireless/rt2x00/rt2x00lib.h b/drivers/net/wire=
less/rt2x00/rt2x00lib.h
index 86cd26f..49309d4 100644
--- a/drivers/net/wireless/rt2x00/rt2x00lib.h
+++ b/drivers/net/wireless/rt2x00/rt2x00lib.h
@@ -260,8 +260,6 @@ static inline void rt2x00crypto_rx_insert_iv(struct=
 sk_buff *skb,
 #ifdef CONFIG_RT2X00_LIB_RFKILL
 void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev);
 void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev);
-void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev);
-void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev);
 #else
 static inline void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
 {
@@ -270,14 +268,6 @@ static inline void rt2x00rfkill_register(struct rt=
2x00_dev *rt2x00dev)
 static inline void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00de=
v)
 {
 }
-
-static inline void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
-{
-}
-
-static inline void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
-{
-}
 #endif /* CONFIG_RT2X00_LIB_RFKILL */
=20
 /*
diff --git a/drivers/net/wireless/rt2x00/rt2x00rfkill.c b/drivers/net/w=
ireless/rt2x00/rt2x00rfkill.c
index 3298cae..08ffc6d 100644
--- a/drivers/net/wireless/rt2x00/rt2x00rfkill.c
+++ b/drivers/net/wireless/rt2x00/rt2x00rfkill.c
@@ -94,14 +94,50 @@ static void rt2x00rfkill_poll(struct work_struct *w=
ork)
 			   &rt2x00dev->rfkill_work, RFKILL_POLL_INTERVAL);
 }
=20
+static int rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
+{
+	struct device *dev =3D wiphy_dev(rt2x00dev->hw->wiphy);
+
+	rt2x00dev->rfkill =3D rfkill_allocate(dev, RFKILL_TYPE_WLAN);
+	if (!rt2x00dev->rfkill)
+		return -ENOMEM;
+
+	rt2x00dev->rfkill->name =3D rt2x00dev->ops->name;
+	rt2x00dev->rfkill->data =3D rt2x00dev;
+	rt2x00dev->rfkill->toggle_radio =3D rt2x00rfkill_toggle_radio;
+	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
+		rt2x00dev->rfkill->get_state =3D rt2x00rfkill_get_state;
+		rt2x00dev->rfkill->state =3D
+			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
+			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
+	} else {
+		rt2x00dev->rfkill->state =3D RFKILL_STATE_UNBLOCKED;
+	}
+
+	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
+
+	return 0;
+}
+
+static void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
+{
+	rfkill_free(rt2x00dev->rfkill);
+	rt2x00dev->rfkill =3D NULL;
+}
+
 void rt2x00rfkill_register(struct rt2x00_dev *rt2x00dev)
 {
-	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
-	    test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
+	if (test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
+		return;
+
+	if (rt2x00rfkill_allocate(rt2x00dev)) {
+		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
 		return;
+	}
=20
 	if (rfkill_register(rt2x00dev->rfkill)) {
 		ERROR(rt2x00dev, "Failed to register rfkill handler.\n");
+		rt2x00rfkill_free(rt2x00dev);
 		return;
 	}
=20
@@ -117,8 +153,7 @@ void rt2x00rfkill_register(struct rt2x00_dev *rt2x0=
0dev)
=20
 void rt2x00rfkill_unregister(struct rt2x00_dev *rt2x00dev)
 {
-	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state) ||
-	    !test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
+	if (!test_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state))
 		return;
=20
 	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
@@ -127,46 +162,3 @@ void rt2x00rfkill_unregister(struct rt2x00_dev *rt=
2x00dev)
=20
 	__clear_bit(RFKILL_STATE_REGISTERED, &rt2x00dev->rfkill_state);
 }
-
-void rt2x00rfkill_allocate(struct rt2x00_dev *rt2x00dev)
-{
-	struct device *dev =3D wiphy_dev(rt2x00dev->hw->wiphy);
-
-	if (test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
-		return;
-
-	rt2x00dev->rfkill =3D rfkill_allocate(dev, RFKILL_TYPE_WLAN);
-	if (!rt2x00dev->rfkill) {
-		ERROR(rt2x00dev, "Failed to allocate rfkill handler.\n");
-		return;
-	}
-
-	__set_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state);
-
-	rt2x00dev->rfkill->name =3D rt2x00dev->ops->name;
-	rt2x00dev->rfkill->data =3D rt2x00dev;
-	rt2x00dev->rfkill->toggle_radio =3D rt2x00rfkill_toggle_radio;
-	if (test_bit(CONFIG_SUPPORT_HW_BUTTON, &rt2x00dev->flags)) {
-		rt2x00dev->rfkill->get_state =3D rt2x00rfkill_get_state;
-		rt2x00dev->rfkill->state =3D
-			rt2x00dev->ops->lib->rfkill_poll(rt2x00dev) ?
-			    RFKILL_STATE_SOFT_BLOCKED : RFKILL_STATE_UNBLOCKED;
-	} else {
-		rt2x00dev->rfkill->state =3D RFKILL_STATE_UNBLOCKED;
-	}
-
-	INIT_DELAYED_WORK(&rt2x00dev->rfkill_work, rt2x00rfkill_poll);
-
-	return;
-}
-
-void rt2x00rfkill_free(struct rt2x00_dev *rt2x00dev)
-{
-	if (!test_bit(RFKILL_STATE_ALLOCATED, &rt2x00dev->rfkill_state))
-		return;
-
-	cancel_delayed_work_sync(&rt2x00dev->rfkill_work);
-
-	rfkill_free(rt2x00dev->rfkill);
-	rt2x00dev->rfkill =3D NULL;
-}
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] Fix SLAB corruption during rmmod

[John W. Linville]

On Mon, Mar 16, 2009 at 08:24:27PM +0100, Ivo van Doorn wrote:
> At rmmod stage, the code path is the following one :
>=20
> rt2x00lib_remove_dev
> =A0 -> =A0rt2x00lib_uninitialize()
> =A0 =A0 =A0 =A0 -> rt2x00rfkill_unregister()
> =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_unregister()
> =A0 =A0 =A0 =A0 -> rt2x00rfkill_free()
> =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_free()
>=20
> The problem is that rfkill_free should not be called after rfkill_reg=
ister
> otherwise put_device(&rfkill->dev) will be called 2 times. This patch
> fixes this by only calling rt2x00rfkill_free() when rt2x00rfkill_regi=
ster()
> hasn't been called or has failed.
>=20
> Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
> Tested-by: Arnaud Patard <apatard@mandriva.com>
> Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
>=20
> ---
> John, this patch is for 2.6.29 and only 2.6.29 since rfkill support i=
tself
> was removed from later versions (replaced by input_polldev).
> The patch is quite big to be merged in a late state of the release cy=
cle,
> but since the SLAB corruption is a serious problem, I hope this can g=
et in regardless.

Could you send me a version of this that applies on top of
wireless-testing?

Also, is there a bug report somewhere that describes this issue
this addresses?

Thanks,

John
--=20
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] Fix SLAB corruption during rmmod

[Ivo van Doorn]

On Tuesday 17 March 2009, John W. Linville wrote:
> On Mon, Mar 16, 2009 at 08:24:27PM +0100, Ivo van Doorn wrote:
> > At rmmod stage, the code path is the following one :
> >=20
> > rt2x00lib_remove_dev
> > =A0 -> =A0rt2x00lib_uninitialize()
> > =A0 =A0 =A0 =A0 -> rt2x00rfkill_unregister()
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_unregister()
> > =A0 =A0 =A0 =A0 -> rt2x00rfkill_free()
> > =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_free()
> >=20
> > The problem is that rfkill_free should not be called after rfkill_r=
egister
> > otherwise put_device(&rfkill->dev) will be called 2 times. This pat=
ch
> > fixes this by only calling rt2x00rfkill_free() when rt2x00rfkill_re=
gister()
> > hasn't been called or has failed.
> >=20
> > Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
> > Tested-by: Arnaud Patard <apatard@mandriva.com>
> > Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
> >=20
> > ---
> > John, this patch is for 2.6.29 and only 2.6.29 since rfkill support=
 itself
> > was removed from later versions (replaced by input_polldev).
> > The patch is quite big to be merged in a late state of the release =
cycle,
> > but since the SLAB corruption is a serious problem, I hope this can=
 get in regardless.
>=20
> Could you send me a version of this that applies on top of
> wireless-testing?

Actually no, the code isn't present at all in wireless-testing.
As I said, after 2.6.29 the entire rfkill structure is removed from rt2=
x00
and replaced by input_polldev.

> Also, is there a bug report somewhere that describes this issue
> this addresses?

I got the report on the rt2400-devel mailinglist, GertJan provided the =
patch
through that mailinglist as well, here is the reference to the mails fr=
om the archive:

https://sourceforge.net/mailarchive/forum.php?thread_name=3Dm3iqmwjaor.=
fsf%40anduin.mandriva.com&forum_name=3Drt2400-devel

Ivo
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] Fix SLAB corruption during rmmod

[John W. Linville]

On Tue, Mar 17, 2009 at 10:56:35PM +0100, Ivo van Doorn wrote:
> On Tuesday 17 March 2009, John W. Linville wrote:
> > On Mon, Mar 16, 2009 at 08:24:27PM +0100, Ivo van Doorn wrote:
> > > At rmmod stage, the code path is the following one :
> > >=20
> > > rt2x00lib_remove_dev
> > > =A0 -> =A0rt2x00lib_uninitialize()
> > > =A0 =A0 =A0 =A0 -> rt2x00rfkill_unregister()
> > > =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_unregister()
> > > =A0 =A0 =A0 =A0 -> rt2x00rfkill_free()
> > > =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_free()
> > >=20
> > > The problem is that rfkill_free should not be called after rfkill=
_register
> > > otherwise put_device(&rfkill->dev) will be called 2 times. This p=
atch
> > > fixes this by only calling rt2x00rfkill_free() when rt2x00rfkill_=
register()
> > > hasn't been called or has failed.
> > >=20
> > > Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
> > > Tested-by: Arnaud Patard <apatard@mandriva.com>
> > > Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
> > >=20
> > > ---
> > > John, this patch is for 2.6.29 and only 2.6.29 since rfkill suppo=
rt itself
> > > was removed from later versions (replaced by input_polldev).
> > > The patch is quite big to be merged in a late state of the releas=
e cycle,
> > > but since the SLAB corruption is a serious problem, I hope this c=
an get in regardless.
> >=20
> > Could you send me a version of this that applies on top of
> > wireless-testing?
>=20
> Actually no, the code isn't present at all in wireless-testing.
> As I said, after 2.6.29 the entire rfkill structure is removed from r=
t2x00
> and replaced by input_polldev.

I guess I misunderstood.  So just to be clear, no remnant or shadow
of this patch should live-on to 2.6.30?

It's just that the merge conflicts created by this patch were awful.
With 2.6.29's release presumably close, maybe this is a candidate
for the stable tree?

John
--=20
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] Fix SLAB corruption during rmmod

[Ivo van Doorn]

On Wednesday 18 March 2009, John W. Linville wrote:
> On Tue, Mar 17, 2009 at 10:56:35PM +0100, Ivo van Doorn wrote:
> > On Tuesday 17 March 2009, John W. Linville wrote:
> > > On Mon, Mar 16, 2009 at 08:24:27PM +0100, Ivo van Doorn wrote:
> > > > At rmmod stage, the code path is the following one :
> > > >=20
> > > > rt2x00lib_remove_dev
> > > > =A0 -> =A0rt2x00lib_uninitialize()
> > > > =A0 =A0 =A0 =A0 -> rt2x00rfkill_unregister()
> > > > =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_unregister()
> > > > =A0 =A0 =A0 =A0 -> rt2x00rfkill_free()
> > > > =A0 =A0 =A0 =A0 =A0 =A0 =A0-> rfkill_free()
> > > >=20
> > > > The problem is that rfkill_free should not be called after rfki=
ll_register
> > > > otherwise put_device(&rfkill->dev) will be called 2 times. This=
 patch
> > > > fixes this by only calling rt2x00rfkill_free() when rt2x00rfkil=
l_register()
> > > > hasn't been called or has failed.
> > > >=20
> > > > Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
> > > > Tested-by: Arnaud Patard <apatard@mandriva.com>
> > > > Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
> > > >=20
> > > > ---
> > > > John, this patch is for 2.6.29 and only 2.6.29 since rfkill sup=
port itself
> > > > was removed from later versions (replaced by input_polldev).
> > > > The patch is quite big to be merged in a late state of the rele=
ase cycle,
> > > > but since the SLAB corruption is a serious problem, I hope this=
 can get in regardless.
> > >=20
> > > Could you send me a version of this that applies on top of
> > > wireless-testing?
> >=20
> > Actually no, the code isn't present at all in wireless-testing.
> > As I said, after 2.6.29 the entire rfkill structure is removed from=
 rt2x00
> > and replaced by input_polldev.
>=20
> I guess I misunderstood.  So just to be clear, no remnant or shadow
> of this patch should live-on to 2.6.30?

Exactly. :)

> It's just that the merge conflicts created by this patch were awful.
> With 2.6.29's release presumably close, maybe this is a candidate
> for the stable tree?

That would be fine as well. :)
Should I resend it to -stable when 2.6.29 final is out?

Ivo
--
To unsubscribe from this list: send the line "unsubscribe linux-wireles=
s" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2] Fix SLAB corruption during rmmod

[John W. Linville]

On Wed, Mar 18, 2009 at 02:32:24PM +0100, Ivo van Doorn wrote:
> On Wednesday 18 March 2009, John W. Linville wrote:

> > It's just that the merge conflicts created by this patch were awful.
> > With 2.6.29's release presumably close, maybe this is a candidate
> > for the stable tree?
> 
> That would be fine as well. :)
> Should I resend it to -stable when 2.6.29 final is out?

Honestly, I think that is the best bet.  Please do so!

Thanks,

John
-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.