Bug 183702 - wpa_supplicant triggers slab error
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 5
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: John W. Linville
Brian Brock
NeedsRetesting
Reported: 2006-03-02 17:28 EST by Bernard Johnson
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: kernel-2.6.18-1.2798.fc6
Doc Type: Bug Fix
Last Closed: 2006-11-02 13:01:38 EST
Attachments
jwltest-bcm43xx-wx-overflow.patch (914 bytes, patch)
2006-03-07 13:43 EST, John W. Linville
sysreport output (391.43 KB, application/octet-stream)
2006-08-28 17:39 EDT, Bernard Johnson

Description Bernard Johnson 2006-03-02 17:28:49 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060223 Fedora/1.5.0.1-5 Firefox/1.5.0.1

Description of problem:
I was experimenting with wpa_supplicant.  I changed the interface in /etc/sysconfig/wpa_supplicant from wlan0 to eth1 (my bcm43xx) and then ran 'service start wpa_supplicant'.

My log file showed this:
Mar  2 15:13:31 localhost kernel: slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
Mar  2 15:13:31 localhost kernel:  [<c0150ac3>] cache_free_debugcheck+0xc5/0x198     [<c0295e13>] wireless_process_ioctl+0x543/0x5bd
Mar  2 15:13:31 localhost kernel:  [<c0151161>] kfree+0x49/0x79     [<c0295e13>] wireless_process_ioctl+0x543/0x5bd
Mar  2 15:13:31 localhost kernel:  [<e09e9a8d>] bcm43xx_wx_sprom_write+0x0/0x39b [bcm43xx]     [<c028dc12>] dev_ioctl+0x472/0x4ab
Mar  2 15:13:31 localhost kernel:  [<c0144994>] __handle_mm_fault+0x41d/0x7c3   [<c0283f8c>] sock_map_file+0x8b/0xf9
Mar  2 15:13:31 localhost kernel:  [<c028517c>] sock_ioctl+0x0/0x232     [<c0163522>] do_ioctl+0x16/0x48
Mar  2 15:13:31 localhost kernel:  [<c0163753>] vfs_ioctl+0x1ff/0x216     [<c01637b2>] sys_ioctl+0x48/0x62
Mar  2 15:13:31 localhost kernel:  [<c0102bc1>] syscall_call+0x7/0xb    <3>d47e3a74: redzone 1: 0xfc2a5, redzone 2: 0x170fc2a5.



Version-Release number of selected component (if applicable):
kernel-2.6.15-1.1996_FC5

How reproducible:
Always

Steps to Reproduce:
1. Set up interface in /etc/sysconfig/wpa_supplicant
2. service wpa_supplicant start

Actual Results:  slab error

Expected Results:  no error

Additional info:
Comment 1 John W. Linville 2006-03-06 14:41:15 EST
There was a recent bcm43xx update in rawhide.  Is this still a problem? 
Comment 2 Bernard Johnson 2006-03-06 15:06:26 EST
It gives a slightly different slab error, but is current as of
kernel-2.6.15-1.2009.4.2_FC5:

Mar  6 13:06:15 localhost kernel: bcm43xx: set security called
Mar  6 13:06:15 localhost kernel: bcm43xx:    .level = 0
Mar  6 13:06:15 localhost kernel: bcm43xx:    .enabled = 0
Mar  6 13:06:15 localhost kernel: bcm43xx:    .encrypt = 0
Mar  6 13:06:15 localhost kernel: bcm43xx: SPROM input data: Invalid CRC
Mar  6 13:06:15 localhost kernel: slab error in cache_free_debugcheck(): cache
`size-512': double free, or memory outside object was overwritten
Mar  6 13:06:15 localhost kernel:  [<c0150e43>]
cache_free_debugcheck+0xc5/0x198Mar  6 13:06:15 localhost kernel:  [<c029625f>]
wireless_process_ioctl+0x543/0x5bd     [<c01514e1>] kfree+0x49/0x79
Mar  6 13:06:15 localhost kernel:  [<c029625f>]
wireless_process_ioctl+0x543/0x5bd     [<e09e9a8d>]
bcm43xx_wx_sprom_write+0x0/0x39b [bcm43xx]
Mar  6 13:06:15 localhost kernel:  [<c028e05e>] dev_ioctl+0x472/0x4ab    
[<c0144ccc>] __handle_mm_fault+0x41d/0x7c3
Mar  6 13:06:15 localhost kernel:  [<c02843dc>] sock_map_file+0x8b/0xf9    
[<c02855cc>] sock_ioctl+0x0/0x232
Mar  6 13:06:15 localhost kernel:  [<c01638ae>] do_ioctl+0x16/0x48    
[<c0163adf>] vfs_ioctl+0x1ff/0x216
Mar  6 13:06:15 localhost kernel:  [<c0163b3e>] sys_ioctl+0x48/0x62    
[<c0102bc1>] syscall_call+0x7/0xb
Mar  6 13:06:15 localhost kernel: c9f062c4: redzone 1: 0xfc2a5, redzone 2:
0x170fc2a5.
Comment 3 John W. Linville 2006-03-07 13:43:10 EST
Created attachment 125766
jwltest-bcm43xx-wx-overflow.patch
Comment 4 John W. Linville 2006-03-07 13:45:09 EST
Test kernels w/ above patch available here: 
 
   http://people.redhat.com/linville/kernels/fc5/ 
 
Please give those a try and post the results (probably NM problems, but not 
the above messages) here...thanks! 
Comment 5 Bernard Johnson 2006-03-07 15:05:29 EST
Same results - slab error.

I would not necessarily know if it causes NetworkManager problems, as I'm having
a problem with NetworkManager as well (bug #180369).

slab error - 2.6.15-1.2021.2.1_FC5.jwltest.13

Mar  7 12:33:55 localhost kernel: slab error in cache_free_debugcheck(): cache
`size-512': double free, or memory outside object was overwritten
Mar  7 12:33:55 localhost kernel:  [<c0150e73>] cache_free_debugcheck+0xc5/0x198
    [<c02962af>] wireless_process_ioctl+0x543/0x5bd
Mar  7 12:33:55 localhost kernel:  [<c0151511>] kfree+0x49/0x79     [<c02962af>]
wireless_process_ioctl+0x543/0x5bd
Mar  7 12:33:55 localhost kernel:  [<e09e81f2>] bcm43xx_wx_sprom_write+0x0/0x7a
[bcm43xx]     [<c028e0ae>] dev_ioctl+0x472/0x4ab
Mar  7 12:33:55 localhost kernel:  [<c0144cfc>] __handle_mm_fault+0x41d/0x7c3  
[<c028442c>] sock_map_file+0x8b/0xf9
Mar  7 12:33:55 localhost kernel:  [<c028561c>] sock_ioctl+0x0/0x232    
[<c01638de>] do_ioctl+0x16/0x48
Mar  7 12:33:55 localhost kernel:  [<c0163b0f>] vfs_ioctl+0x1ff/0x216    
[<c0163b6e>] sys_ioctl+0x48/0x62
Mar  7 12:33:55 localhost kernel:  [<c0102bc1>] syscall_call+0x7/0xb   
<3>d9c4aaf4: redzone 1: 0xfc2a5, redzone 2: 0x170fc2a5.
Comment 6 John W. Linville 2006-05-18 15:33:42 EDT
Is this issue still occurring w/ current Fedora kernels?
Comment 7 Bernard Johnson 2006-05-19 01:01:52 EDT
Yes, here is a current set of messages from kernel-2.6.16-1.2206_FC6:

May 18 23:04:01 localhost kernel: bcm43xx: set security called
May 18 23:04:01 localhost kernel: bcm43xx:    .level = 0
May 18 23:04:01 localhost kernel: bcm43xx:    .enabled = 0
May 18 23:04:01 localhost kernel: bcm43xx:    .encrypt = 0
May 18 23:04:01 localhost kernel: bcm43xx: set security called
May 18 23:04:01 localhost kernel: bcm43xx:    .level = 0
May 18 23:04:01 localhost kernel: bcm43xx:    .enabled = 0
May 18 23:04:01 localhost kernel: bcm43xx:    .encrypt = 0
May 18 23:04:01 localhost kernel: bcm43xx: set security called
May 18 23:04:01 localhost kernel: bcm43xx:    .level = 0
May 18 23:04:01 localhost kernel: bcm43xx:    .enabled = 0
May 18 23:04:01 localhost kernel: bcm43xx:    .encrypt = 0
May 18 23:04:01 localhost kernel: bcm43xx: set security called
May 18 23:04:01 localhost avahi-daemon[1715]: Interface eth1.IPv4 no longer
relevant for mDNS.
May 18 23:04:01 localhost dhclient: receive_packet failed on eth1: Network is down
May 18 23:04:01 localhost kernel: bcm43xx:    .level = 0
May 18 23:04:01 localhost avahi-daemon[1715]: Leaving mDNS multicast group on
interface eth1.IPv4 with address 192.168.1.106.
May 18 23:04:01 localhost kernel: bcm43xx:    .enabled = 0
May 18 23:04:01 localhost avahi-daemon[1715]: Withdrawing address record for
192.168.1.106 on eth1.
May 18 23:04:01 localhost kernel: bcm43xx:    .encrypt = 0
May 18 23:04:01 localhost kernel: bcm43xx: SPROM input data: Invalid CRC
May 18 23:04:01 localhost kernel: slab error in cache_free_debugcheck(): cache
`size-512': double free, or memory outside object was overwritten
May 18 23:04:01 localhost kernel:  <c04635c5> cache_free_debugcheck+0x135/0x23a
  <c0463c2d> kfree+0x61/0x93
May 18 23:04:01 localhost kernel:  <c05b9989> wireless_process_ioctl+0x2be/0x33d
  <e09830e0> bcm43xx_wx_sprom_write+0x0/0x10f [bcm43xx]
May 18 23:04:01 localhost kernel:  <c05a5c0d> sock_ioctl+0x0/0x1cd   <c05b0171>
dev_ioctl+0x432/0x46b
May 18 23:04:01 localhost kernel:  <c045676d> __handle_mm_fault+0x43a/0x7e7  
<c05a5c0d> sock_ioctl+0x0/0x1cd
May 18 23:04:01 localhost kernel:  <c047894b> do_ioctl+0x1f/0x62   <c0478bd8>
vfs_ioctl+0x24a/0x25c
May 18 23:04:01 localhost kernel:  <c0478c36> sys_ioctl+0x4c/0x66   <c0403e1f>
syscall_call+0x7/0xb
May 18 23:04:01 localhost kernel: ce6d175c: redzone 1:0xfc2a5, redzone 2:0x170fc2a5.
May 18 23:04:01 localhost kernel: bcm43xx: SPROM input data: Invalid CRC
May 18 23:04:01 localhost kernel: slab error in cache_free_debugcheck(): cache
`size-512': double free, or memory outside object was overwritten
May 18 23:04:01 localhost kernel:  <c04635c5> cache_free_debugcheck+0x135/0x23a
  <c0463c2d> kfree+0x61/0x93
May 18 23:04:01 localhost kernel:  <c05b9989> wireless_process_ioctl+0x2be/0x33d
  <e09830e0> bcm43xx_wx_sprom_write+0x0/0x10f [bcm43xx]
May 18 23:04:01 localhost kernel:  <c05a5c0d> sock_ioctl+0x0/0x1cd   <c05b0171>
dev_ioctl+0x432/0x46b
May 18 23:04:01 localhost kernel:  <c041f930> __wake_up+0x2a/0x3d   <c05a5c0d>
sock_ioctl+0x0/0x1cd
May 18 23:04:01 localhost kernel:  <c047894b> do_ioctl+0x1f/0x62   <c0478bd8>
vfs_ioctl+0x24a/0x25c
May 18 23:04:01 localhost kernel:  <c0478c36> sys_ioctl+0x4c/0x66   <c0403e1f>
syscall_call+0x7/0xb
May 18 23:04:01 localhost kernel: ce6d175c: redzone 1:0xfc2a5, redzone 2:0x170fc2a5.
May 18 23:04:01 localhost kernel: bcm43xx: Radio turned off
May 18 23:04:01 localhost kernel: bcm43xx: DMA 0x0260 (RX) max used slots: 1/64
May 18 23:04:01 localhost kernel: bcm43xx: DMA 0x0200 (RX) max used slots: 1/64
May 18 23:04:01 localhost kernel: bcm43xx: DMA 0x0260 (TX) max used slots: 0/512
May 18 23:04:01 localhost kernel: bcm43xx: DMA 0x0240 (TX) max used slots: 0/512
May 18 23:04:01 localhost kernel: bcm43xx: DMA 0x0220 (TX) max used slots: 13/512
May 18 23:04:01 localhost kernel: bcm43xx: DMA 0x0200 (TX) max used slots: 0/512
Comment 8 John W. Linville 2006-08-28 15:44:45 EDT
Could you attach the output of running 'sysreport' on the box in question?  
Thanks!
Comment 9 Bernard Johnson 2006-08-28 17:39:43 EDT
Created attachment 135089
sysreport output

I removed some (encrypted) passwords and hardware addresses before posting.  If
you think any of these are necessary, contact me privately and I'll provide you
whatever you need.
Comment 10 Bernard Johnson 2006-08-28 17:40:56 EDT
Attached sysreport logs.
Comment 11 Dave Jones 2006-10-16 16:09:32 EDT
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.
Comment 12 Bernard Johnson 2006-11-02 12:12:36 EST
No longer happening as of Fedora Core 6 kernel-2.6.18-1.2798.fc6.
Comment 13 Bernard Johnson 2006-11-02 13:00:08 EST
Removing NEEDINFO.
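
Added example (not part of the original report, nor Fedora or kernel tooling): a small triage script that decodes the `redzone` values in the slab errors quoted in this thread and reports which bytes next to the object were clobbered. The `RED_ACTIVE` and `RED_INACTIVE` constants are the markers used by the 2.6-era slab debug code on 32-bit builds, little-endian byte order is assumed because the report is for i386, and the names `triage`, `classify` and `damaged_offsets` are hypothetical.

```python
import re

# Red-zone markers of the 2.6-era 32-bit slab debug code (from kernel source, not this report).
RED_ACTIVE = 0x170FC2A5    # object currently allocated
RED_INACTIVE = 0x5A2CF071  # object currently free

# Constructed sample: lines taken from the report, with the trace trimmed.
SAMPLE_LOG = """\
Mar  2 15:13:31 localhost kernel: slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
Mar  2 15:13:31 localhost kernel:  [<e09e9a8d>] bcm43xx_wx_sprom_write+0x0/0x39b [bcm43xx]     [<c028dc12>] dev_ioctl+0x472/0x4ab
Mar  2 15:13:31 localhost kernel:  [<c0102bc1>] syscall_call+0x7/0xb    <3>d47e3a74: redzone 1: 0xfc2a5, redzone 2: 0x170fc2a5.
"""

ERR_RE = re.compile(r"slab error in (\w+)\(\): cache `([^']+)'")
ZONE_RE = re.compile(r"([0-9a-f]{8}): redzone 1:\s*0x([0-9a-f]+), redzone 2:\s*0x([0-9a-f]+)")
MOD_RE = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]")

def damaged_offsets(value):
    """Little-endian (i386) byte offsets where value differs from RED_ACTIVE."""
    diff = value ^ RED_ACTIVE
    return [i for i in range(4) if (diff >> (8 * i)) & 0xFF]

def classify(rz1, rz2):
    if rz1 == rz2 == RED_INACTIVE:
        return "double free"
    notes = []
    if rz1 != RED_ACTIVE:
        # Red zone 1 ends at obj-1, so its byte i lies (4 - i) bytes before the object.
        notes.append("underwrite at obj-" + ",".join(str(4 - i) for i in damaged_offsets(rz1)))
    if rz2 != RED_ACTIVE:
        notes.append("overrun at end+" + ",".join(str(i) for i in damaged_offsets(rz2)))
    return "; ".join(notes) or "red zones intact"

def triage(log):
    text = " ".join(log.split())  # undo syslog and Bugzilla line wrapping
    errors = list(ERR_RE.finditer(text))
    reports = []
    for k, err in enumerate(errors):
        stop = errors[k + 1].start() if k + 1 < len(errors) else len(text)
        chunk = text[err.end():stop]
        zone = ZONE_RE.search(chunk)
        if zone:
            rz1, rz2 = int(zone.group(2), 16), int(zone.group(3), 16)
            reports.append({"cache": err.group(2), "slot": zone.group(1),
                            "module_frames": MOD_RE.findall(chunk),
                            "verdict": classify(rz1, rz2)})
    return reports

print(triage(SAMPLE_LOG))
```

On the report's values (redzone 1 `0xfc2a5`, redzone 2 intact) the verdict is `underwrite at obj-1`: only the byte directly before the object changed, which is consistent with a one-byte write in front of the buffer rather than a double free.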
