Bug 589819

Summary: [abrt] crash in wpa_supplicant-1:0.6.8-8.fc13: Process /usr/sbin/wpa_supplicant was killed by signal 11 (SIGSEGV)
Product: Red Hat Enterprise Linux 6
Component: wpa_supplicant
Version: 6.0
Hardware: i686
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Reporter: Dan Williams <dcbw>
Assignee: Dan Williams <dcbw>
QA Contact: desktop-bugs <desktop-bugs>
CC: cmeadors, dcbw, mads, syeghiay, vbenes
Target Milestone: rc
Whiteboard: abrt_hash:a2204c74184b289bb94103a13762bdd2115b01b2
Fixed In Version: wpa_supplicant-0.6.8-10.el6
Doc Type: Bug Fix
Clone Of: 589507
Bug Depends On: 589507
Last Closed: 2010-11-12 13:44:45 UTC

Description Dan Williams 2010-05-07 01:17:47 UTC
+++ This bug was initially created as a clone of Bug #589507 +++

abrt 1.1.0 detected a crash.

architecture: i686
Attached file: backtrace
cmdline: /usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -B -u -f /var/log/wpa_supplicant.log -P /var/run/wpa_supplicant.pid
component: wpa_supplicant
executable: /usr/sbin/wpa_supplicant
global_uuid: a2204c74184b289bb94103a13762bdd2115b01b2
kernel: 2.6.33.3-72.fc13.i686.PAE
package: wpa_supplicant-1:0.6.8-8.fc13
rating: 3
reason: Process /usr/sbin/wpa_supplicant was killed by signal 11 (SIGSEGV)
release: Fedora release 13 (Goddard)
How to reproduce: I was playing around with NetworkManager and starting and stopping things. But nothing that justifies a sig11.

--- Additional comment from mads on 2010-05-06 06:52:34 EDT ---

abrt failed to attach the stacktrace - probably because of bug 589511

[New Thread 28072]
Core was generated by `/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -B -u -f /v'.
Program terminated with signal 11, Segmentation fault.
#0  0x0b000065 in ?? ()

Thread 1 (Thread 28072):
#0  0x0b000065 in ?? ()
No symbol table info available.
#1  0x0807fef3 in wpa_drv_disassociate (eloop_ctx=<value optimized out>, 
    timeout_ctx=<value optimized out>) at wpa_supplicant_i.h:588
No locals.
#2  wpa_disconnect_spam_handle (eloop_ctx=<value optimized out>, 
    timeout_ctx=<value optimized out>) at wpa_supplicant.c:477
        wpa_s = 0x84fe0b8
        bssid = "\377\377\377\377\377\377"
        __FUNCTION__ = "wpa_disconnect_spam_handle"
#3  0x08051ce1 in eloop_run () at ../src/utils/eloop.c:496
        tmp = <value optimized out>
        efds = <value optimized out>
        res = 0
        _tv = {tv_sec = 0, tv_usec = 0}
        now = {sec = 1273136928, usec = 728426}
#4  0x0807fd66 in wpa_supplicant_run (global=<value optimized out>)
    at wpa_supplicant.c:2179
        wpa_s = <value optimized out>
#5  0x08087ace in main (argc=<value optimized out>, 
    argv=<value optimized out>) at main.c:253
        c = <value optimized out>
        i = <value optimized out>
        ifaces = <value optimized out>
        iface = <value optimized out>
        exitcode = <value optimized out>
        params = {daemonize = 1, wait_for_monitor = 0, 
          pid_file = 0x84fb028 "/var/run/wpa_supplicant.pid", 
          wpa_debug_level = 2, wpa_debug_show_keys = 0, 
          wpa_debug_timestamp = 0, ctrl_interface = 0x0, 
          dbus_ctrl_interface = 1, 
          wpa_debug_file_path = 0xbfde4f26 "/var/log/wpa_supplicant.log"}
$1 = 0x0
No symbol "__glib_assert_msg" in current context.
eax            0xb000065	184549477
ecx            0x0	0
edx            0x850ed68	139521384
ebx            0x84fe0b8	139452600
esp            0xbfde369c	0xbfde369c
ebp            0xbfde36c8	0xbfde36c8
esi            0x84fddd8	139451864
edi            0x0	0
eip            0xb000065	0xb000065
eflags         0x210206	[ PF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
No function contains program counter for selected frame.

--- Additional comment from mads on 2010-05-06 08:11:44 EDT ---

Package: wpa_supplicant-1:0.6.8-8.fc13
Architecture: i686
OS Release: Fedora release 13 (Goddard)


How to reproduce
-----
I was playing around with NetworkManager and starting and stopping things. But nothing that justifies a sig11.

Comment 1 Dan Williams 2010-05-07 01:19:35 UTC
While the impact of this crash is not huge, this fix is pretty obvious and worth getting into RHEL6 I believe.

Comment 2 Dan Williams 2010-05-07 01:23:58 UTC
Fix is to ensure the timeout gets removed when the interface goes away in wpa_supplicant-0.6.8-handle-driver-disconnect-spam.patch so that it doesn't get fired after the wpa_supplicant structure is deallocated and thus try to access invalid memory.

diff -up wpa_supplicant-0.6.8/wpa_supplicant/wpa_supplicant.c.disconnect-spam wpa_supplicant-0.6.8/wpa_supplicant/wpa_supplicant.c
--- wpa_supplicant-0.6.8/wpa_supplicant/wpa_supplicant.c.disconnect-spam        2010-05-06 18:10:51.340288662 -0700
+++ wpa_supplicant-0.6.8/wpa_supplicant/wpa_supplicant.c        2010-05-06 18:12:06.090413976 -0700
@@ -382,6 +382,9 @@ static void wpa_supplicant_cleanup(struc
        wpa_supplicant_cancel_scan(wpa_s);
        wpa_supplicant_cancel_auth_timeout(wpa_s);
 
+       if (eloop_is_timeout_registered(wpa_disconnect_spam_handle, wpa_s, NULL))
+               eloop_cancel_timeout(wpa_disconnect_spam_handle, wpa_s, NULL);
+
        ieee80211_sta_deinit(wpa_s);
 
        wpas_wps_deinit(wpa_s);
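
Review bot: The cancel in the added lines only removes a timeout registered under the exact triple (wpa_disconnect_spam_handle, wpa_s, NULL), and the registration site is not part of this hunk; please confirm the timeout is registered with wpa_s as the eloop context and NULL as the timeout context, because a mismatch would leave it queued and the handler would still run against freed memory as in the backtrace. If eloop_cancel_timeout is harmless when nothing matches, the eloop_is_timeout_registered guard can be dropped so the call reads like the unconditional wpa_supplicant_cancel_scan and wpa_supplicant_cancel_auth_timeout calls just above it. A one-line comment noting that wpa_disconnect_spam_handle dereferences wpa_s would document why the cancel has to happen in cleanup.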

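Added example (not part of the original report and not wpa_supplicant code): a miniature timeout queue showing the failure Comment 2 describes, where a queued callback outlives the object it points at unless cleanup cancels it under the exact triple it was registered with. The tq_* functions, struct iface, spam_handle and teardown are hypothetical names.

```c
#include <stdlib.h>
/* Hypothetical miniature of a timeout queue; not wpa_supplicant's eloop. */
typedef void (*tq_handler)(void *ctx, void *user);
struct tq_entry { tq_handler fn; void *ctx, *user; struct tq_entry *next; };
static struct tq_entry *tq_head;
/* Queue a callback; the queue keeps a raw pointer to ctx. */
static int tq_register(tq_handler fn, void *ctx, void *user)
{
    struct tq_entry *e = malloc(sizeof(*e));
    if (!e) return -1;
    e->fn = fn; e->ctx = ctx; e->user = user;
    e->next = tq_head; tq_head = e;
    return 0;
}

/* Remove entries matching the exact (fn, ctx, user) triple. */
static int tq_cancel(tq_handler fn, void *ctx, void *user)
{
    int n = 0;
    for (struct tq_entry **pp = &tq_head; *pp; ) {
        struct tq_entry *e = *pp;
        if (e->fn != fn || e->ctx != ctx || e->user != user) { pp = &e->next; continue; }
        *pp = e->next; free(e); n++;
    }
    return n;
}

struct iface { int (*disassociate)(struct iface *); };
/* Handler dereferences ctx, so it must never run after ctx is freed. */
static void spam_handle(void *ctx, void *user)
{
    struct iface *i = ctx; (void)user;
    if (i->disassociate) i->disassociate(i);
}

/* mode 0: no cancel; 1: matching cancel; 2: wrong user ptr. Returns leftovers. */
static int teardown(int mode)
{
    int other, dangling = 0;
    struct iface *i = calloc(1, sizeof(*i));
    if (!i || tq_register(spam_handle, i, NULL) < 0) { free(i); return -1; }
    if (mode) tq_cancel(spam_handle, i, mode == 1 ? NULL : (void *)&other);
    free(i);
    while (tq_head) { /* still queued = pointer to freed memory; drop unrun */
        struct tq_entry *e = tq_head; tq_head = e->next; free(e); dangling++;
    }
    return dangling;
}
int main(void) { return !(teardown(0) == 1 && teardown(1) == 0 && teardown(2) == 1); }
```

The leftover entries are discarded rather than run, so the example counts the dangling callbacks without ever calling through freed memory.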
Comment 3 RHEL Program Management 2010-05-07 01:33:42 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 6 Dan Williams 2010-07-12 22:20:43 UTC
Requesting exception; fix is easy and low-risk, and has been present in Fedora for quite a while.

Comment 9 Dan Williams 2010-07-14 15:21:06 UTC
Fixed in May

Comment 11 Vladimir Benes 2010-11-12 09:22:58 UTC
cannot see any related crashes any more
-> VERIFIED

Comment 12 releng-rhel@redhat.com 2010-11-12 13:44:45 UTC
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.