From: Hin-Tak Leung <hintak.leung@gmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: "Luis R. Rodriguez" <lrodriguez@atheros.com>,
"John W. Linville" <linville@tuxdriver.com>,
linux-wireless@vger.kernel.org
Subject: Re: NULL pointer deref at wext ioctl (Re: [PATCH] compat-2.6: adding ethtool.h to compat-2.6.31.h)
Date: Thu, 8 Oct 2009 07:28:23 +0100
Message-ID: <3ace41890910072328n1460ee34v1fe7ca9b78eb646f@mail.gmail.com>
In-Reply-To: <1254952886.3713.4.camel@johannes.local>
On Wed, Oct 7, 2009 at 11:01 PM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Wed, 2009-10-07 at 20:28 +0100, Hin-Tak Leung wrote:
>> On Wed, Oct 7, 2009 at 8:16 PM, Hin-Tak Leung <hintak.leung@gmail.com> wrote:
>>
>> > It is probably just a transient problem with recent activities - I had
>> > a NULL pointer deref from loading rtl8187 of compat-wireless
>> > v2.6.32-rc3-39563-g98c2609 -
>> >
>> > BUG: unable to handle kernel NULL pointer dereference at 000000000000003d
>> > IP: [<ffffffff8147822c>] wext_ioctl_dispatch+0xd9/0x180
>> > PGD 61c2b067 PUD 6246f067 PMD 0
>> > Oops: 0000 [#1] SMP
>> > ...
>> > Call Trace:
>> > [<ffffffff814783f5>] wext_handle_ioctl+0x4d/0x98
>> > [<ffffffff813e53a5>] dev_ioctl+0x625/0x662
>> > [<ffffffff813cfa45>] sock_ioctl+0x225/0x248
>> > [<ffffffff811237a3>] vfs_ioctl+0x31/0xaa
>> > [<ffffffff811e1801>] ? security_d_instantiate+0x37/0x4d
>> > [<ffffffff81123c88>] do_vfs_ioctl+0x46c/0x4c3
>> > [<ffffffff81123d44>] sys_ioctl+0x65/0x9c
>> > [<ffffffff81012082>] system_call_fastpath+0x16/0x1b
>> >
>> > I'm sure whatever changes made this happen will go away soon, so I'll
>> > just re-try in a few days... but if anybody knows what commit causes
>> > this (and what fixes it!), I'd like to know.
>> >
>>
>> Hiya, it looks like the last time I used compat-wireless successfully was
>> on the 25th (I am not saying it breaks after - I just haven't tried until
>> yesterday, possibly), and most of the recent changes are per-driver,
>> but there is a big code drop from Johannes dated 27th on 'wext:
>> refactor'. Changes from that or dependent changes?
>
> Probably -- but I don't see this problem on stock kernel and I'm not
> sure what could be causing it for compat-wireless.
>
> This will be the old copy of wext_ioctl_dispatch. It'd certainly help to
> get disassembly/the source line of the oops.
>
> johannes
>
The crash came from the Fedora koji kernel 2.6.30.8-67.fc11.x86_64 (+
bleeding-edge compat-wireless), so John can probably correct me if I am
doing it wrong, or he can probably provide a better answer based on the
info.

I installed the debug packages kernel-debuginfo-2.6.30.8-67.fc11 and
kernel-debuginfo-common-x86_64-2.6.30.8-67.fc11, then dumped the whole
thing to work out the address, before selecting the address as:

objdump -l -d --start-address=0xffffffff81478153 \
    --stop-address=0xffffffff81478440 -S \
    /usr/lib/debug/lib/modules/2.6.30.8-67.fc11.x86_64/vmlinux

It looks like it is the 2nd of these two lines around
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:448
which resulted in the NULL pointer dereference:

    if (index < dev->wireless_handlers->num_private)
        return dev->wireless_handlers->private[index];
Is there a more clever way of working out the addresses? I guess I
should have just subtracted and added a few k off the crash message,
rather than dumping the whole kernel to work out the addresses...
[-- Attachment #2: kernel-objdump-withlines --]
[-- Type: application/octet-stream, Size: 27217 bytes --]
/usr/lib/debug/lib/modules/2.6.30.8-67.fc11.x86_64/vmlinux: file format elf64-x86-64
Disassembly of section .text:
ffffffff81478153 <wext_ioctl_dispatch>:
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1087
/* entry point from dev ioctl */
static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr,
unsigned int cmd, struct iw_request_info *info,
wext_ioctl_func standard,
wext_ioctl_func private)
{
ffffffff81478153: 55 push %rbp
ffffffff81478154: 48 89 e5 mov %rsp,%rbp
ffffffff81478157: 41 56 push %r14
ffffffff81478159: 41 55 push %r13
ffffffff8147815b: 41 54 push %r12
ffffffff8147815d: 53 push %rbx
ffffffff8147815e: 48 83 ec 20 sub $0x20,%rsp
ffffffff81478162: e8 99 9c b9 ff callq ffffffff81011e00 <mcount>
ffffffff81478167: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff8147816e: 00 00
ffffffff81478170: 48 89 45 d8 mov %rax,-0x28(%rbp)
ffffffff81478174: 31 c0 xor %eax,%eax
wext_permission_check():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1075
/* If command is `set a parameter', or `get the encoding parameters',
* check if the user has the right to do it.
*/
static int wext_permission_check(unsigned int cmd)
{
if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || cmd == SIOCGIWENCODEEXT)
ffffffff81478176: f6 c2 01 test $0x1,%dl
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1087
/* entry point from dev ioctl */
static int wext_ioctl_dispatch(struct net *net, struct ifreq *ifr,
unsigned int cmd, struct iw_request_info *info,
wext_ioctl_func standard,
wext_ioctl_func private)
{
ffffffff81478179: 49 89 fd mov %rdi,%r13
ffffffff8147817c: 48 89 f3 mov %rsi,%rbx
ffffffff8147817f: 4d 89 c4 mov %r8,%r12
ffffffff81478182: 4d 89 ce mov %r9,%r14
wext_permission_check():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1075
/* If command is `set a parameter', or `get the encoding parameters',
* check if the user has the right to do it.
*/
static int wext_permission_check(unsigned int cmd)
{
if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || cmd == SIOCGIWENCODEEXT)
ffffffff81478185: 74 14 je ffffffff8147819b <wext_ioctl_dispatch+0x48>
ffffffff81478187: 81 fa 2b 8b 00 00 cmp $0x8b2b,%edx
ffffffff8147818d: 74 0c je ffffffff8147819b <wext_ioctl_dispatch+0x48>
ffffffff8147818f: 81 fa 35 8b 00 00 cmp $0x8b35,%edx
ffffffff81478195: 0f 85 ef 00 00 00 jne ffffffff8147828a <wext_ioctl_dispatch+0x137>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1076
&& !capable(CAP_NET_ADMIN))
ffffffff8147819b: bf 0c 00 00 00 mov $0xc,%edi
ffffffff814781a0: 89 55 c8 mov %edx,-0x38(%rbp)
ffffffff814781a3: 48 89 4d c0 mov %rcx,-0x40(%rbp)
ffffffff814781a7: e8 78 8c be ff callq ffffffff81060e24 <capable>
ffffffff814781ac: 89 c6 mov %eax,%esi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1075
/* If command is `set a parameter', or `get the encoding parameters',
* check if the user has the right to do it.
*/
static int wext_permission_check(unsigned int cmd)
{
if ((IW_IS_SET(cmd) || cmd == SIOCGIWENCODE || cmd == SIOCGIWENCODEEXT)
ffffffff814781ae: 83 c8 ff or $0xffffffffffffffff,%eax
ffffffff814781b1: 8b 55 c8 mov -0x38(%rbp),%edx
ffffffff814781b4: 85 f6 test %esi,%esi
ffffffff814781b6: 48 8b 4d c0 mov -0x40(%rbp),%rcx
ffffffff814781ba: 0f 84 b9 00 00 00 je ffffffff81478279 <wext_ioctl_dispatch+0x126>
ffffffff814781c0: e9 c5 00 00 00 jmpq ffffffff8147828a <wext_ioctl_dispatch+0x137>
wireless_process_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1043
return -ENODEV;
/* A bunch of special cases, then the generic case...
* Note that 'cmd' is already filtered in dev_ioctl() with
* (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
if (cmd == SIOCGIWSTATS)
ffffffff814781c5: 81 fa 0f 8b 00 00 cmp $0x8b0f,%edx
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1044
return standard(dev, iwr, cmd, info,
ffffffff814781cb: 49 c7 c0 06 7c 47 81 mov $0xffffffff81477c06,%r8
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1043
return -ENODEV;
/* A bunch of special cases, then the generic case...
* Note that 'cmd' is already filtered in dev_ioctl() with
* (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
if (cmd == SIOCGIWSTATS)
ffffffff814781d2: 74 69 je ffffffff8147823d <wext_ioctl_dispatch+0xea>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1047
return standard(dev, iwr, cmd, info,
&iw_handler_get_iwstats);
if (cmd == SIOCGIWPRIV && dev->wireless_handlers)
ffffffff814781d4: 81 fa 0d 8b 00 00 cmp $0x8b0d,%edx
ffffffff814781da: 75 11 jne ffffffff814781ed <wext_ioctl_dispatch+0x9a>
ffffffff814781dc: 48 83 bf 38 01 00 00 cmpq $0x0,0x138(%rdi)
ffffffff814781e3: 00
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1048
return standard(dev, iwr, cmd, info,
ffffffff814781e4: 49 c7 c0 86 7b 47 81 mov $0xffffffff81477b86,%r8
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1047
* (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST) */
if (cmd == SIOCGIWSTATS)
return standard(dev, iwr, cmd, info,
&iw_handler_get_iwstats);
if (cmd == SIOCGIWPRIV && dev->wireless_handlers)
ffffffff814781eb: 75 50 jne ffffffff8147823d <wext_ioctl_dispatch+0xea>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1052
return standard(dev, iwr, cmd, info,
&iw_handler_get_private);
/* Basic check */
if (!netif_device_present(dev))
ffffffff814781ed: f6 47 48 02 testb $0x2,0x48(%rdi)
ffffffff814781f1: 74 76 je ffffffff81478269 <wext_ioctl_dispatch+0x116>
get_handler():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:437
{
/* Don't "optimise" the following variable, it will crash */
unsigned int index; /* *MUST* be unsigned */
/* Check if we have some wireless handlers defined */
if (dev->wireless_handlers == NULL)
ffffffff814781f3: 48 8b 87 38 01 00 00 mov 0x138(%rdi),%rax
ffffffff814781fa: 48 85 c0 test %rax,%rax
ffffffff814781fd: 74 4e je ffffffff8147824d <wext_ioctl_dispatch+0xfa>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:442
return NULL;
/* Try as a standard command */
index = cmd - SIOCIWFIRST;
if (index < dev->wireless_handlers->num_standard)
ffffffff814781ff: 44 0f b7 00 movzwl (%rax),%r8d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:441
/* Check if we have some wireless handlers defined */
if (dev->wireless_handlers == NULL)
return NULL;
/* Try as a standard command */
index = cmd - SIOCIWFIRST;
ffffffff81478203: 8d b2 00 75 ff ff lea -0x8b00(%rdx),%esi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:442
if (index < dev->wireless_handlers->num_standard)
ffffffff81478209: 44 39 c6 cmp %r8d,%esi
ffffffff8147820c: 73 08 jae ffffffff81478216 <wext_ioctl_dispatch+0xc3>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:443
return dev->wireless_handlers->standard[index];
ffffffff8147820e: 89 f6 mov %esi,%esi
ffffffff81478210: 48 8b 40 08 mov 0x8(%rax),%rax
ffffffff81478214: eb 16 jmp ffffffff8147822c <wext_ioctl_dispatch+0xd9>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:447
/* Try as a private command */
index = cmd - SIOCIWFIRSTPRIV;
if (index < dev->wireless_handlers->num_private)
ffffffff81478216: 44 0f b7 40 02 movzwl 0x2(%rax),%r8d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:446
index = cmd - SIOCIWFIRST;
if (index < dev->wireless_handlers->num_standard)
return dev->wireless_handlers->standard[index];
/* Try as a private command */
index = cmd - SIOCIWFIRSTPRIV;
ffffffff8147821b: 8d b2 20 74 ff ff lea -0x8be0(%rdx),%esi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:447
if (index < dev->wireless_handlers->num_private)
ffffffff81478221: 44 39 c6 cmp %r8d,%esi
ffffffff81478224: 73 27 jae ffffffff8147824d <wext_ioctl_dispatch+0xfa>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:448
return dev->wireless_handlers->private[index];
ffffffff81478226: 48 8b 40 10 mov 0x10(%rax),%rax
ffffffff8147822a: 89 f6 mov %esi,%esi
ffffffff8147822c: 4c 8b 04 f0 mov (%rax,%rsi,8),%r8
wireless_process_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1057
if (!netif_device_present(dev))
return -ENODEV;
/* New driver API : try to find the handler */
handler = get_handler(dev, cmd);
if (handler) {
ffffffff81478230: 4d 85 c0 test %r8,%r8
ffffffff81478233: 74 18 je ffffffff8147824d <wext_ioctl_dispatch+0xfa>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1059
/* Standard and private are not the same */
if (cmd < SIOCIWFIRSTPRIV)
ffffffff81478235: 81 fa df 8b 00 00 cmp $0x8bdf,%edx
ffffffff8147823b: 77 08 ja ffffffff81478245 <wext_ioctl_dispatch+0xf2>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1060
return standard(dev, iwr, cmd, info, handler);
ffffffff8147823d: 48 89 de mov %rbx,%rsi
ffffffff81478240: 41 ff d4 callq *%r12
ffffffff81478243: eb 29 jmp ffffffff8147826e <wext_ioctl_dispatch+0x11b>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1062
else
return private(dev, iwr, cmd, info, handler);
ffffffff81478245: 48 89 de mov %rbx,%rsi
ffffffff81478248: 41 ff d6 callq *%r14
ffffffff8147824b: eb 21 jmp ffffffff8147826e <wext_ioctl_dispatch+0x11b>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1065
}
/* Old driver API : call driver ioctl handler */
if (dev->netdev_ops->ndo_do_ioctl)
ffffffff8147824d: 48 8b 87 48 01 00 00 mov 0x148(%rdi),%rax
ffffffff81478254: 48 8b 48 58 mov 0x58(%rax),%rcx
ffffffff81478258: b8 a1 ff ff ff mov $0xffffffa1,%eax
ffffffff8147825d: 48 85 c9 test %rcx,%rcx
ffffffff81478260: 74 0c je ffffffff8147826e <wext_ioctl_dispatch+0x11b>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1066
return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
ffffffff81478262: 48 89 de mov %rbx,%rsi
ffffffff81478265: ff d1 callq *%rcx
ffffffff81478267: eb 05 jmp ffffffff8147826e <wext_ioctl_dispatch+0x11b>
ffffffff81478269: b8 ed ff ff ff mov $0xffffffed,%eax
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1096
return ret;
dev_load(net, ifr->ifr_name);
rtnl_lock();
ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private);
rtnl_unlock();
ffffffff8147826e: 89 45 c8 mov %eax,-0x38(%rbp)
ffffffff81478271: e8 91 58 f7 ff callq ffffffff813edb07 <rtnl_unlock>
ffffffff81478276: 8b 45 c8 mov -0x38(%rbp),%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1099
return ret;
}
ffffffff81478279: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff8147827d: 65 48 33 14 25 28 00 xor %gs:0x28,%rdx
ffffffff81478284: 00 00
ffffffff81478286: 74 3e je ffffffff814782c6 <wext_ioctl_dispatch+0x173>
ffffffff81478288: eb 37 jmp ffffffff814782c1 <wext_ioctl_dispatch+0x16e>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1093
int ret = wext_permission_check(cmd);
if (ret)
return ret;
dev_load(net, ifr->ifr_name);
ffffffff8147828a: 48 89 de mov %rbx,%rsi
ffffffff8147828d: 4c 89 ef mov %r13,%rdi
ffffffff81478290: 89 55 c8 mov %edx,-0x38(%rbp)
ffffffff81478293: 48 89 4d c0 mov %rcx,-0x40(%rbp)
ffffffff81478297: e8 df c0 f6 ff callq ffffffff813e437b <dev_load>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1094
rtnl_lock();
ffffffff8147829c: e8 db 58 f7 ff callq ffffffff813edb7c <rtnl_lock>
wireless_process_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1037
/* Permissions are already checked in dev_ioctl() before calling us.
* The copy_to/from_user() of ifr is also dealt with in there */
/* Make sure the device exist */
if ((dev = __dev_get_by_name(net, ifr->ifr_name)) == NULL)
ffffffff814782a1: 4c 89 ef mov %r13,%rdi
ffffffff814782a4: 48 89 de mov %rbx,%rsi
ffffffff814782a7: e8 44 83 f6 ff callq ffffffff813e05f0 <__dev_get_by_name>
ffffffff814782ac: 48 85 c0 test %rax,%rax
ffffffff814782af: 48 89 c7 mov %rax,%rdi
ffffffff814782b2: 8b 55 c8 mov -0x38(%rbp),%edx
ffffffff814782b5: 48 8b 4d c0 mov -0x40(%rbp),%rcx
ffffffff814782b9: 0f 85 06 ff ff ff jne ffffffff814781c5 <wext_ioctl_dispatch+0x72>
ffffffff814782bf: eb a8 jmp ffffffff81478269 <wext_ioctl_dispatch+0x116>
wext_ioctl_dispatch():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1099
rtnl_lock();
ret = wireless_process_ioctl(net, ifr, cmd, info, standard, private);
rtnl_unlock();
return ret;
}
ffffffff814782c1: e8 c3 ef bd ff callq ffffffff81057289 <__stack_chk_fail>
ffffffff814782c6: 48 83 c4 20 add $0x20,%rsp
ffffffff814782ca: 5b pop %rbx
ffffffff814782cb: 41 5c pop %r12
ffffffff814782cd: 41 5d pop %r13
ffffffff814782cf: 41 5e pop %r14
ffffffff814782d1: c9 leaveq
ffffffff814782d2: c3 retq
ffffffff814782d3 <compat_wext_handle_ioctl>:
compat_wext_handle_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1188
return ret;
}
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
unsigned long arg)
{
ffffffff814782d3: 55 push %rbp
ffffffff814782d4: 48 89 e5 mov %rsp,%rbp
ffffffff814782d7: 41 56 push %r14
ffffffff814782d9: 41 55 push %r13
ffffffff814782db: 41 54 push %r12
ffffffff814782dd: 53 push %rbx
ffffffff814782de: 48 83 ec 40 sub $0x40,%rsp
ffffffff814782e2: e8 19 9b b9 ff callq ffffffff81011e00 <mcount>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1195
struct iw_request_info info;
struct iwreq iwr;
char *colon;
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
ffffffff814782e7: 4c 8d 65 b0 lea -0x50(%rbp),%r12
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1188
return ret;
}
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
unsigned long arg)
{
ffffffff814782eb: 49 89 d5 mov %rdx,%r13
ffffffff814782ee: 49 89 fe mov %rdi,%r14
ffffffff814782f1: 89 f3 mov %esi,%ebx
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1195
struct iw_request_info info;
struct iwreq iwr;
char *colon;
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
ffffffff814782f3: ba 20 00 00 00 mov $0x20,%edx
ffffffff814782f8: 4c 89 ee mov %r13,%rsi
ffffffff814782fb: 4c 89 e7 mov %r12,%rdi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1188
return ret;
}
int compat_wext_handle_ioctl(struct net *net, unsigned int cmd,
unsigned long arg)
{
ffffffff814782fe: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff81478305: 00 00
ffffffff81478307: 48 89 45 d8 mov %rax,-0x28(%rbp)
ffffffff8147830b: 31 c0 xor %eax,%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1195
struct iw_request_info info;
struct iwreq iwr;
char *colon;
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
ffffffff8147830d: e8 3e 51 db ff callq ffffffff8122d450 <copy_from_user>
ffffffff81478312: 48 85 c0 test %rax,%rax
ffffffff81478315: 75 67 jne ffffffff8147837e <compat_wext_handle_ioctl+0xab>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1199
return -EFAULT;
iwr.ifr_name[IFNAMSIZ-1] = 0;
colon = strchr(iwr.ifr_name, ':');
ffffffff81478317: be 3a 00 00 00 mov $0x3a,%esi
ffffffff8147831c: 4c 89 e7 mov %r12,%rdi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1198
int ret;
if (copy_from_user(&iwr, argp, sizeof(struct iwreq)))
return -EFAULT;
iwr.ifr_name[IFNAMSIZ-1] = 0;
ffffffff8147831f: c6 45 bf 00 movb $0x0,-0x41(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1199
colon = strchr(iwr.ifr_name, ':');
ffffffff81478323: e8 d1 25 db ff callq ffffffff8122a8f9 <strchr>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1200
if (colon)
ffffffff81478328: 48 85 c0 test %rax,%rax
ffffffff8147832b: 74 03 je ffffffff81478330 <compat_wext_handle_ioctl+0x5d>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1201
*colon = 0;
ffffffff8147832d: c6 00 00 movb $0x0,(%rax)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1206
info.cmd = cmd;
info.flags = IW_REQUEST_FLAG_COMPAT;
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
ffffffff81478330: 4c 8d 65 b0 lea -0x50(%rbp),%r12
ffffffff81478334: 48 8d 4d a0 lea -0x60(%rbp),%rcx
ffffffff81478338: 4c 89 f7 mov %r14,%rdi
ffffffff8147833b: 49 c7 c1 dc 7f 47 81 mov $0xffffffff81477fdc,%r9
ffffffff81478342: 49 c7 c0 df 8d 47 81 mov $0xffffffff81478ddf,%r8
ffffffff81478349: 89 da mov %ebx,%edx
ffffffff8147834b: 4c 89 e6 mov %r12,%rsi
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1203
iwr.ifr_name[IFNAMSIZ-1] = 0;
colon = strchr(iwr.ifr_name, ':');
if (colon)
*colon = 0;
info.cmd = cmd;
ffffffff8147834e: 66 89 5d a0 mov %bx,-0x60(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1204
info.flags = IW_REQUEST_FLAG_COMPAT;
ffffffff81478352: 66 c7 45 a2 01 00 movw $0x1,-0x5e(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1206
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
ffffffff81478358: e8 f6 fd ff ff callq ffffffff81478153 <wext_ioctl_dispatch>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1210
compat_standard_call,
compat_private_call);
if (ret >= 0 &&
ffffffff8147835d: 85 c0 test %eax,%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1206
*colon = 0;
info.cmd = cmd;
info.flags = IW_REQUEST_FLAG_COMPAT;
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
ffffffff8147835f: 41 89 c6 mov %eax,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1210
compat_standard_call,
compat_private_call);
if (ret >= 0 &&
ffffffff81478362: 78 20 js ffffffff81478384 <compat_wext_handle_ioctl+0xb1>
ffffffff81478364: 80 e3 01 and $0x1,%bl
ffffffff81478367: 74 1b je ffffffff81478384 <compat_wext_handle_ioctl+0xb1>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1212
IW_IS_GET(cmd) &&
copy_to_user(argp, &iwr, sizeof(struct iwreq)))
ffffffff81478369: ba 20 00 00 00 mov $0x20,%edx
ffffffff8147836e: 4c 89 e6 mov %r12,%rsi
ffffffff81478371: 4c 89 ef mov %r13,%rdi
ffffffff81478374: e8 a7 50 db ff callq ffffffff8122d420 <copy_to_user>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1210
ret = wext_ioctl_dispatch(net, (struct ifreq *) &iwr, cmd, &info,
compat_standard_call,
compat_private_call);
if (ret >= 0 &&
ffffffff81478379: 48 85 c0 test %rax,%rax
ffffffff8147837c: 74 06 je ffffffff81478384 <compat_wext_handle_ioctl+0xb1>
ffffffff8147837e: 41 be f2 ff ff ff mov $0xfffffff2,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1216
IW_IS_GET(cmd) &&
copy_to_user(argp, &iwr, sizeof(struct iwreq)))
return -EFAULT;
return ret;
}
ffffffff81478384: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff81478388: 65 48 33 14 25 28 00 xor %gs:0x28,%rdx
ffffffff8147838f: 00 00
ffffffff81478391: 44 89 f0 mov %r14d,%eax
ffffffff81478394: 74 05 je ffffffff8147839b <compat_wext_handle_ioctl+0xc8>
ffffffff81478396: e8 ee ee bd ff callq ffffffff81057289 <__stack_chk_fail>
ffffffff8147839b: 48 83 c4 40 add $0x40,%rsp
ffffffff8147839f: 5b pop %rbx
ffffffff814783a0: 41 5c pop %r12
ffffffff814783a2: 41 5d pop %r13
ffffffff814783a4: 41 5e pop %r14
ffffffff814783a6: c9 leaveq
ffffffff814783a7: c3 retq
ffffffff814783a8 <wext_handle_ioctl>:
wext_handle_ioctl():
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1103
return ret;
}
int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
void __user *arg)
{
ffffffff814783a8: 55 push %rbp
ffffffff814783a9: 48 89 e5 mov %rsp,%rbp
ffffffff814783ac: 41 56 push %r14
ffffffff814783ae: 41 55 push %r13
ffffffff814783b0: 41 54 push %r12
ffffffff814783b2: 53 push %rbx
ffffffff814783b3: 48 83 ec 10 sub $0x10,%rsp
ffffffff814783b7: e8 44 9a b9 ff callq ffffffff81011e00 <mcount>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783bc: 49 c7 c1 b4 80 47 81 mov $0xffffffff814780b4,%r9
ffffffff814783c3: 49 c7 c0 10 8d 47 81 mov $0xffffffff81478d10,%r8
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1103
return ret;
}
int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
void __user *arg)
{
ffffffff814783ca: 49 89 cd mov %rcx,%r13
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783cd: 48 8d 4d d0 lea -0x30(%rbp),%rcx
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1103
return ret;
}
int wext_handle_ioctl(struct net *net, struct ifreq *ifr, unsigned int cmd,
void __user *arg)
{
ffffffff814783d1: 48 89 f3 mov %rsi,%rbx
ffffffff814783d4: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
ffffffff814783db: 00 00
ffffffff814783dd: 48 89 45 d8 mov %rax,-0x28(%rbp)
ffffffff814783e1: 31 c0 xor %eax,%eax
ffffffff814783e3: 41 89 d4 mov %edx,%r12d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1104
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
ffffffff814783e6: 66 89 55 d0 mov %dx,-0x30(%rbp)
ffffffff814783ea: 66 c7 45 d2 00 00 movw $0x0,-0x2e(%rbp)
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783f0: e8 5e fd ff ff callq ffffffff81478153 <wext_ioctl_dispatch>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1110
ioctl_standard_call,
ioctl_private_call);
if (ret >= 0 &&
ffffffff814783f5: 85 c0 test %eax,%eax
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1107
void __user *arg)
{
struct iw_request_info info = { .cmd = cmd, .flags = 0 };
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ffffffff814783f7: 41 89 c6 mov %eax,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1110
ioctl_standard_call,
ioctl_private_call);
if (ret >= 0 &&
ffffffff814783fa: 78 22 js ffffffff8147841e <wext_handle_ioctl+0x76>
ffffffff814783fc: 41 80 e4 01 and $0x1,%r12b
ffffffff81478400: 74 1c je ffffffff8147841e <wext_handle_ioctl+0x76>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1112
IW_IS_GET(cmd) &&
copy_to_user(arg, ifr, sizeof(struct iwreq)))
ffffffff81478402: ba 20 00 00 00 mov $0x20,%edx
ffffffff81478407: 48 89 de mov %rbx,%rsi
ffffffff8147840a: 4c 89 ef mov %r13,%rdi
ffffffff8147840d: e8 0e 50 db ff callq ffffffff8122d420 <copy_to_user>
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1110
int ret;
ret = wext_ioctl_dispatch(net, ifr, cmd, &info,
ioctl_standard_call,
ioctl_private_call);
if (ret >= 0 &&
ffffffff81478412: 48 85 c0 test %rax,%rax
ffffffff81478415: b8 f2 ff ff ff mov $0xfffffff2,%eax
ffffffff8147841a: 44 0f 45 f0 cmovne %eax,%r14d
/usr/src/debug/kernel-2.6.30/linux-2.6.30.x86_64/net/wireless/wext.c:1116
IW_IS_GET(cmd) &&
copy_to_user(arg, ifr, sizeof(struct iwreq)))
return -EFAULT;
return ret;
}
ffffffff8147841e: 48 8b 55 d8 mov -0x28(%rbp),%rdx
ffffffff81478422: 65 48 33 14 25 28 00 xor %gs:0x28,%rdx
ffffffff81478429: 00 00
ffffffff8147842b: 44 89 f0 mov %r14d,%eax
ffffffff8147842e: 74 05 je ffffffff81478435 <wext_handle_ioctl+0x8d>
ffffffff81478430: e8 54 ee bd ff callq ffffffff81057289 <__stack_chk_fail>
ffffffff81478435: 5b pop %rbx
ffffffff81478436: 5e pop %rsi
ffffffff81478437: 5b pop %rbx
ffffffff81478438: 41 5c pop %r12
ffffffff8147843a: 41 5d pop %r13
ffffffff8147843c: 41 5e pop %r14
ffffffff8147843e: c9 leaveq
ffffffff8147843f: c3 retq
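As an added example (not from this thread or any of its participants), the following Python script does the subtraction the oops already makes possible: the kernel prints each frame as symbol+offset/size, so the containing function starts at address minus offset and ends at start plus size, which is exactly the objdump window to ask for instead of dumping the whole vmlinux. It uses the oops quoted earlier in the thread as its sample input; the vmlinux path and objdump flags are the ones from the message, and addr2line with -e/-f/-i is the standard binutils alternative for getting straight to the file:line.

```python
"""Narrow a kernel oops down to objdump/addr2line windows without dumping
the whole vmlinux.  The kernel prints each frame as sym+0xoff/0xsize, so
the containing function starts at addr - off and ends at start + size."""
import re
from dataclasses import dataclass

# "[<addr>] sym+0xoff/0xsize", optionally preceded by "IP:" and optionally
# flagged with "?" (the kernel's marker for an unreliable frame).
FRAME_RE = re.compile(
    r"\[<(?P<addr>[0-9a-f]{8,16})>\]\s*(?P<unreliable>\?)?\s*"
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
)
FAULT_RE = re.compile(r"unable to handle kernel .*? at (?P<addr>[0-9a-f]{8,16})")

# Sample input: the oops quoted earlier in this thread (call trace included).
OOPS_SAMPLE = """\
BUG: unable to handle kernel NULL pointer dereference at 000000000000003d
IP: [<ffffffff8147822c>] wext_ioctl_dispatch+0xd9/0x180
PGD 61c2b067 PUD 6246f067 PMD 0
Oops: 0000 [#1] SMP
Call Trace:
[<ffffffff814783f5>] wext_handle_ioctl+0x4d/0x98
[<ffffffff813e53a5>] dev_ioctl+0x625/0x662
[<ffffffff813cfa45>] sock_ioctl+0x225/0x248
[<ffffffff811237a3>] vfs_ioctl+0x31/0xaa
[<ffffffff811e1801>] ? security_d_instantiate+0x37/0x4d
[<ffffffff81123c88>] do_vfs_ioctl+0x46c/0x4c3
[<ffffffff81123d44>] sys_ioctl+0x65/0x9c
[<ffffffff81012082>] system_call_fastpath+0x16/0x1b
"""


@dataclass(frozen=True)
class Frame:
    addr: int       # address the kernel printed (IP or return address)
    sym: str        # symbol containing addr
    off: int        # offset of addr within sym
    size: int       # size of sym as the kernel's symbol table knows it
    reliable: bool  # False when the frame was printed with a leading "?"

    @property
    def start(self) -> int:
        """Start of the containing function: addr - off."""
        return self.addr - self.off

    @property
    def stop(self) -> int:
        """One past the end of the containing function: start + size."""
        return self.start + self.size


def parse_frames(oops_text: str) -> list:
    """Every symbolised frame (IP line first, then Call Trace) in order."""
    frames = []
    for line in oops_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append(Frame(int(m["addr"], 16), m["sym"], int(m["off"], 16),
                                int(m["size"], 16), m["unreliable"] is None))
    return frames


def parse_fault_address(oops_text: str):
    """Address the kernel could not access, or None if not a page-fault oops."""
    m = FAULT_RE.search(oops_text)
    return int(m["addr"], 16) if m else None


def objdump_cmd(frame: Frame, vmlinux: str) -> list:
    """objdump argv (same flags as the message used) covering only frame's function."""
    return ["objdump", "-l", "-d", "-S",
            f"--start-address=0x{frame.start:x}",
            f"--stop-address=0x{frame.stop:x}", vmlinux]


def addr2line_cmd(frame: Frame, vmlinux: str) -> list:
    """addr2line argv giving function name and file:line, following inlines."""
    return ["addr2line", "-e", vmlinux, "-f", "-i", f"0x{frame.addr:x}"]


if __name__ == "__main__":
    # The debuginfo vmlinux path from the message; substitute your own.
    VMLINUX = "/usr/lib/debug/lib/modules/2.6.30.8-67.fc11.x86_64/vmlinux"
    print(f"fault address: {parse_fault_address(OOPS_SAMPLE):#x}")
    for f in parse_frames(OOPS_SAMPLE):
        tag = "" if f.reliable else " (unreliable)"
        print(f"{f.sym}{tag}: {f.start:#x}-{f.stop:#x}")
        print("  " + " ".join(objdump_cmd(f, VMLINUX)))
        print("  " + " ".join(addr2line_cmd(f, VMLINUX)))
```

On this thread's oops the first frame yields exactly the 0xffffffff81478153 start that the attached disassembly shows for wext_ioctl_dispatch, and the wext_handle_ioctl frame ends at 0xffffffff81478440, the stop address the message used.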