From: Frederic Weisbecker <fweisbec@gmail.com>
To: Sitsofe Wheeler <sitsofe@yahoo.com>
Cc: Ingo Molnar <mingo@elte.hu>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org,
Rusty Russell <rusty@rustcorp.com.au>
Subject: Re: Poking ieee80211_default_rc_algo causes kernel lockups
Date: Sun, 15 Feb 2009 20:35:23 +0100 [thread overview]
Message-ID: <20090215193522.GA5790@nowhere> (raw)
In-Reply-To: <slrngpgfil.5gc.sitsofe@sitsofe.eeepc.localdomain>
On Sun, Feb 15, 2009 at 04:09:57PM +0000, Sitsofe Wheeler wrote:
> Hi,
>
> As mentioned on
> http://groups.google.com/group/fa.linux.kernel/browse_frm/thread/d4a6ce26360613fa/b362792a2debced6?#b362792a2debced6
> , poking /sys/module/mac80211/parameters/ieee80211_default_rc_algo and
> then trying to read values back is currently causing the kernel to go
> funny. E.g.
> echo blah > /sys/module/mac80211/parameters/ieee80211_default_rc_algo
> cat /sys/module/mac80211/parameters/ieee80211_default_rc_algo
>
> Causes 2.6.29rc5 on my EeePC 900 to lock up.
>
> --
> Sitsofe
>
On Sun, Feb 15, 2009 at 04:09:57PM +0000, Sitsofe Wheeler wrote:
> Hi,
>
> As mentioned on
> http://groups.google.com/group/fa.linux.kernel/browse_frm/thread/d4a6ce26360613fa/b362792a2debced6?#b362792a2debced6
> , poking /sys/module/mac80211/parameters/ieee80211_default_rc_algo and
> then trying to read values back is currently causing the kernel to go
> funny. E.g.
> echo blah > /sys/module/mac80211/parameters/ieee80211_default_rc_algo
> cat /sys/module/mac80211/parameters/ieee80211_default_rc_algo
>
> Causes 2.6.29rc5 on my EeePC 900 to lock up.
>
I think I've found something:
When you set a new value to a module parameter through
sysfs, here is what happens (traced with the function_graph_tracer,
I've zapped a lot of entries to keep it clear)
1) | sys_open() {
1) | sysfs_open_file() {
1) | kmem_cache_alloc() {
1) 0.609 us | __might_sleep();
1) 2.046 us | }
1) + 58.976 us | }
1) ! 471.823 us | }
The file is opened here, and sysfs will allocate a private buffer for this
file...
1) | sys_write() {
1) | vfs_write() {
1) | sysfs_write_file() {
1) + 26.446 us | get_zeroed_page();
1) 0.789 us | sysfs_get_active_two();
1) | module_attr_store() {
1) | param_attr_store() {
1) 5.625 us | param_set_charp();
1) 7.279 us | }
1) 8.919 us | }
1) 4.113 us | }
1) + 62.502 us | }
1) + 64.961 us | }
Then we go to write the file, the buffer we allocated is used to store what
the user gave us as the new value of the module parameter.
This filled buffer is relayed to the module parameter and the address of the buffer
is directly assigned to the pointer of the module parameter:
int param_set_charp(const char *val, struct kernel_param *kp)
{
[...]
*(char **)kp->arg = (char *)val;
return 0;
}
At this stage, all is good.
But just after we close the file:
1) | sysfs_release() {
1) | kfree() {
1) 1.105 us | __phys_addr();
1) 2.842 us | }
1) | free_pages() {
1) 0.609 us | __phys_addr();
1) | __free_pages() {
1) | free_hot_page() {
1) | free_hot_cold_page() {
1) 1.113 us | get_pageblock_flags_group();
1) 3.061 us | }
1) 4.466 us | }
1) 5.744 us | }
1) 8.166 us | }
1) | kfree() {
1) 0.601 us | __phys_addr();
1) 2.052 us | }
1) + 18.686 us | }
The buffer we just assigned to the module parameter is freed. So we can't reuse it later,
but that's what is done later when we read it, since this bad address is dereferenced:
int param_get_charp(char *buffer, struct kernel_param *kp)
{
return sprintf(buffer, "%s", *((char **)kp->arg));
}
So the problem seems not related to mac80211 but actually to module parameter management.
I'm not sure what is the right fix.
I guess we should use the following field in struct kernel_param:
struct kparam_string *str;
But this implies that string module params must not be simply pointers but static arrays.
Although I find it a bit insane to modify a string parameter at runtime.
The string is parsed by a module on load but not after, so a callback given by the module
seems to me more sane...
next prev parent reply other threads:[~2009-02-15 19:35 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-15 16:09 Poking ieee80211_default_rc_algo causes kernel lockups Sitsofe Wheeler
2009-02-15 17:02 ` Frederic Weisbecker
2009-02-15 19:24 ` Sitsofe Wheeler
2009-02-15 19:41 ` Frederic Weisbecker
2009-02-15 21:02 ` Sitsofe Wheeler
2009-02-16 1:40 ` Frederic Weisbecker
2009-02-16 2:37 ` Frederic Weisbecker
2009-02-15 19:35 ` Frederic Weisbecker [this message]
2009-02-16 10:10 ` Rusty Russell
2009-02-16 17:59 ` Frederic Weisbecker
2009-02-16 23:37 ` Rusty Russell
2009-02-20 10:27 ` What made this bug report better? (was Re: Poking ieee80211_default_rc_algo causes kernel lockups) Sitsofe Wheeler
2009-02-20 11:31 ` Ingo Molnar
2009-02-24 3:13 ` Rusty Russell
2009-02-24 8:16 ` What made this bug report better? Sitsofe Wheeler
2009-02-24 17:58 ` Frederic Weisbecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090215193522.GA5790@nowhere \
--to=fweisbec@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=rusty@rustcorp.com.au \
--cc=sitsofe@yahoo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox