From: "Jory A. Pratt" <geekypenguin@gmail.com>
To: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Johannes Berg <johannes@sipsolutions.net>,
John Linville <linville@tuxdriver.com>,
wireless <linux-wireless@vger.kernel.org>
Subject: Re: mac80211 crash in ieee80211_sta_scan_work
Date: Mon, 28 Jan 2008 11:25:55 -0600
Message-ID: <479E1023.3040604@gmail.com>
In-Reply-To: <479D9B5F.5000304@lwfinger.net>
Larry Finger wrote:
> Johannes,
>
> With the latest wireless-2.6 git tree on my x86_64 system, I am getting a GPF in
> ieee80211_sta_scan_work. I tracked it down to the following statement:
>
> if (!sband ||
>     (local->scan_channel_idx >= sband->n_channels &&
>      local->scan_band >= IEEE80211_NUM_BANDS)) {
>
> Specifically, it is the "local->scan_channel_idx >= sband->n_channels" part of the if test. When I
> added test prints of local->scan_channel_idx, local->scan_band, and sband, I got the following:
>
> mac80211: scan_channel_idx = 0, scan_band = 0, sband = ffffffff882c2f10
> mac80211: scan_channel_idx = 1, scan_band = 0, sband = ffffffff882c2f10
> ...
> ...
> mac80211: scan_channel_idx = 13, scan_band = 0, sband = ffffffff882c2f10
> mac80211: scan_channel_idx = 0, scan_band = 2, sband = dead4ead00000001
> general protection fault: 0000 [1] SMP
>
> As can be seen, "sband" is some kind of magic number and is an invalid pointer when scan_band is
> larger than IEEE80211_NUM_BANDS, which causes the GPF.
>
> With the following patch, it works:
>
> Index: wireless-2.6/net/mac80211/ieee80211_sta.c
> ===================================================================
> --- wireless-2.6.orig/net/mac80211/ieee80211_sta.c
> +++ wireless-2.6/net/mac80211/ieee80211_sta.c
> @@ -3237,8 +3237,7 @@ void ieee80211_sta_scan_work(struct work
> }
>
> if (!sband ||
> - (local->scan_channel_idx >= sband->n_channels &&
> - local->scan_band >= IEEE80211_NUM_BANDS)) {
> + local->scan_band >= IEEE80211_NUM_BANDS) {
> ieee80211_scan_completed(local_to_hw(local));
> return;
> }
>
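Review bot: the trace above shows sband already holding a garbage value once scan_band reaches 2, so sband is looked up from scan_band before this test runs and the `!sband ||` check cannot catch an out-of-range band index; rather than only dropping a term from the condition, move the `local->scan_band >= IEEE80211_NUM_BANDS` check ahead of the sband lookup so the index is validated before it is used to read the band array. The removal of the `scan_channel_idx >= sband->n_channels` term also deserves a sentence in the change description explaining why band advancement makes it redundant, as the cover text argues.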
> It seems to me that it should be OK to skip the scan_chan_idx >= sband->n_channels part of the test
> as scan_band won't get to be >= to IEEE80211_NUM_BANDS until all the channels have been tested in
> the legal bands.
>
> Larry
>
Larry, the patch works great; it puts the development tree back into a usable
state for Broadcom devices. This should be pushed to wireless-2.6 if
Johannes will ack it.
-Jory
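As an added example (not code from mac80211 or from this thread), a C model of the scan-work state seen in Larry's trace, using simplified stand-in names: the band index is bounds-checked before it is used to index the band array, so walking past the last band ends the scan instead of yielding an invalid sband pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#define NUM_BANDS 2   /* stand-in for IEEE80211_NUM_BANDS */

struct supported_band { int n_channels; };            /* stand-in for sband */
struct scan_state {
    const struct supported_band *bands[NUM_BANDS];    /* NULL: band unsupported */
    int scan_band;
    int scan_channel_idx;
};

/* Look up the current band, validating scan_band BEFORE it indexes bands[].
 * The garbage "sband" in the trace above is what an unchecked index yields. */
static const struct supported_band *current_band(const struct scan_state *s)
{
    if (s->scan_band < 0 || s->scan_band >= NUM_BANDS)
        return NULL;
    return s->bands[s->scan_band];
}
/* One iteration of the scan work: true once every channel of every supported
 * band has been visited, without ever reading bands[NUM_BANDS]. */
bool scan_step(struct scan_state *s)
{
    for (;;) {
        const struct supported_band *sband = current_band(s);
        if (!sband) {
            if (s->scan_band >= NUM_BANDS)
                return true;            /* past the last band: scan complete */
            s->scan_band++;             /* unsupported band: skip it */
            s->scan_channel_idx = 0;
            continue;
        }
        if (s->scan_channel_idx >= sband->n_channels) {
            s->scan_band++;             /* band exhausted: move to the next */
            s->scan_channel_idx = 0;
            continue;
        }
        s->scan_channel_idx++;          /* "scan" this channel */
        return false;
    }
}
/* Whole scan over constructed bands (n < 0 = unsupported); returns channels visited. */
int scan_count_for(int n0, int n1)
{
    struct supported_band b0 = { n0 }, b1 = { n1 };
    struct scan_state s = { { n0 < 0 ? NULL : &b0, n1 < 0 ? NULL : &b1 }, 0, 0 };
    int visited = 0;
    while (!scan_step(&s))
        visited++;
    return visited;
}
```

With a 14-channel first band and no second band, the walk reproduces the trace's idx 0..13 followed by scan_band = 2, but ends cleanly there.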