Bug 468613

Summary: hostap skb->cb corruption
Product: Fedora
Component: kernel
Version: rawhide
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Fabrice Bellet <fabrice>
Assignee: John W. Linville <linville>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: fabrice, kernel-maint, quintela
Doc Type: Bug Fix
Last Closed: 2008-10-28 17:16:17 UTC

Description Fabrice Bellet 2008-10-26 18:27:27 UTC
The hostap driver hasn't worked for a few months in rawhide. The problem is that the data stored in skb->cb at the end of function hostap_data_start_xmit() is corrupted when entering hostap_master_start_xmit(), causing the xmit function to fail. Here is a log, with a dump of skb->cb before (1) and after (2) the corruption.

As a workaround, padding hostap_skb_tx_data with 4 bytes at the beginning of the struct seems to be enough to make the hostap driver work again :)

(1)cb=a2368af055555555803494d255555555dd86555500000000000000000000000000000000000000000000000000000000
(2)cb=5800000055555555803494d255555555dd86555500000000000000000000000000000000000000000000000000000000
wifi0: invalid skb->cb magic (0x00000058, expected 0xf08a36a2)
Pid: 0, comm: swapper Not tainted 2.6.27.4-47.rc3.fc10.i686 #1
 [<c06c3d77>] ? printk+0xf/0x18
 [<d494f419>] hostap_master_start_xmit+0x152/0x50d [hostap]
 [<c0631825>] dev_hard_start_xmit+0x1c2/0x231
 [<c064008e>] __qdisc_run+0xc7/0x1c5
 [<c062ff42>] qdisc_run+0x2c/0x2f
 [<c0631cd9>] dev_queue_xmit+0x360/0x466
 [<d494f1b9>] hostap_data_start_xmit+0x604/0x60e [hostap]
 [<c0631825>] dev_hard_start_xmit+0x1c2/0x231
 [<c0631d26>] dev_queue_xmit+0x3ad/0x466
 [<c0636952>] neigh_resolve_output+0x1f2/0x23c
 [<d4a4b688>] ip6_output_finish+0x92/0xdb [ipv6]
 [<d4a4d46f>] ip6_output2+0x1d2/0x1da [ipv6]
 [<d4a4deaa>] ip6_output+0xa33/0xa41 [ipv6]
 [<c062cc5b>] ? __alloc_skb+0x49/0xf8
 [<c062980d>] ? sock_alloc_send_skb+0x89/0x1c1
 [<d4a59a81>] __ndisc_send+0x2d9/0x3b7 [ipv6]
 [<d4a59cca>] ndisc_send_rs+0x7f/0x8a [ipv6]
 [<d4a50e44>] addrconf_rs_timer+0x90/0xba [ipv6]
 [<c04340f1>] run_timer_softirq+0x14b/0x1bb
 [<d4a50db4>] ? addrconf_rs_timer+0x0/0xba [ipv6]
 [<d4a50db4>] ? addrconf_rs_timer+0x0/0xba [ipv6]
 [<c043066b>] __do_softirq+0x84/0x109
 [<c04305e7>] ? __do_softirq+0x0/0x109
 [<c0405eec>] do_softirq+0x77/0xdb
 [<c04640b3>] ? handle_level_irq+0x0/0xbe
 [<c04302d2>] irq_exit+0x44/0x83
 [<c0405e5e>] do_IRQ+0xe7/0xfe
 [<c0404654>] common_interrupt+0x28/0x30
 [<c0566f4e>] ? acpi_idle_enter_bm+0x277/0x2c6
 [<c06155f5>] cpuidle_idle_call+0x67/0x97
 [<c0402c4d>] cpu_idle+0x101/0x134
 [<c06b5c52>] rest_init+0x4e/0x50
 =======================
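
The following is an added illustration, not code from the report or from the hostap driver: it decodes the two cb dumps above, applies the driver-style magic check that produced the "invalid skb->cb magic" line, and models the clobbering as some intermediate layer (an assumption; the report only shows that the first 4 bytes of cb change between (1) and (2)) writing its own u32 at offset 0, which is why 4 bytes of front padding makes the magic survive. The 48-byte cb size and little-endian reads follow the i386 target in the report.

```c
#include <stdint.h>
#include <stdio.h>

#define CB_SIZE 48                           /* skb->cb is 48 bytes here; both dumps are 48 bytes */
#define HOSTAP_SKB_TX_DATA_MAGIC 0xf08a36a2u /* the "expected" value in the log line */

/* cb dumps copied from the report: (1) before and (2) after the corruption */
static const char DUMP_BEFORE[] = "a2368af055555555803494d255555555dd86555500000000000000000000000000000000000000000000000000000000";
static const char DUMP_AFTER[]  = "5800000055555555803494d255555555dd86555500000000000000000000000000000000000000000000000000000000";

/* Decode a hex string into bytes; returns the number of bytes decoded. */
static size_t parse_cb_dump(const char *hex, uint8_t *out, size_t max)
{
    size_t n = 0;
    for (; hex[0] && hex[1] && n < max; hex += 2, n++) {
        unsigned v;
        if (sscanf(hex, "%2x", &v) != 1) break;
        out[n] = (uint8_t)v;
    }
    return n;
}

/* Read a u32 from cb the way the i386 target stores it (little-endian). */
static uint32_t read_le32(const uint8_t *cb, size_t off)
{
    return (uint32_t)cb[off] | (uint32_t)cb[off + 1] << 8 |
           (uint32_t)cb[off + 2] << 16 | (uint32_t)cb[off + 3] << 24;
}

static void write_le32(uint8_t *cb, size_t off, uint32_t v)
{
    for (size_t i = 0; i < 4; i++) cb[off + i] = (uint8_t)(v >> (8 * i));
}

/* Driver-side check: does the magic at magic_off in this dump still match? */
static int dump_magic_ok(const char *dump, size_t magic_off)
{
    uint8_t cb[CB_SIZE] = {0};
    parse_cb_dump(dump, cb, sizeof cb);
    return read_le32(cb, magic_off) == HOSTAP_SKB_TX_DATA_MAGIC;
}

/* Hypothetical model of the intermediate layer: it stamps its own u32 at offset 0
 * of cb (the only bytes that differ between (1) and (2)). Returns whether a magic
 * placed at magic_off survives that write; 0 = unpadded layout, 4 = workaround. */
static int magic_survives(size_t magic_off)
{
    uint8_t cb[CB_SIZE] = {0};
    write_le32(cb, magic_off, HOSTAP_SKB_TX_DATA_MAGIC);
    write_le32(cb, 0, 0x58);                 /* value observed at offset 0 in dump (2) */
    return read_le32(cb, magic_off) == HOSTAP_SKB_TX_DATA_MAGIC;
}
```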

Comment 1 Fabrice Bellet 2008-10-27 16:43:50 UTC
Clearly, it's a duplicate of http://bugzilla.kernel.org/show_bug.cgi?id=11802
(thanks to John W. Linville for the link!)

Comment 2 John W. Linville 2008-10-28 17:16:17 UTC
I added Johannes's patch from the link in comment 1 to rawhide kernels for tomorrow...