468613 – hostap skb->cb corruption

Bug 468613 - hostap skb->cb corruption

Summary: hostap skb->cb corruption

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	rawhide
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	John W. Linville
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-10-26 18:27 UTC by Fabrice Bellet
Modified:	2008-10-28 17:16 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-10-28 17:16:17 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Fabrice Bellet 2008-10-26 18:27:27 UTC

The hostap driver doesn't work since a few months in rawhide. The problem is that the data stored in skb->cb at the end of function hostap_data_start_xmit() are corrupted when entering hostap_master_start_xmit(), causing the xmit function to fail. Here is a log, with a dump of skb->cb before (1) and after (2) the corruption.

As a workaround, padding  hostap_skb_tx_data with 4 bytes at the beginning of the struct seems to be enough to make the hostap driver work again :)

(1)cb=a2368af055555555803494d255555555dd86555500000000000000000000000000000000000000000000000000000000
(2)cb=5800000055555555803494d255555555dd86555500000000000000000000000000000000000000000000000000000000
wifi0: invalid skb->cb magic (0x00000058, expected 0xf08a36a2)
Pid: 0, comm: swapper Not tainted 2.6.27.4-47.rc3.fc10.i686 #1
 [<c06c3d77>] ? printk+0xf/0x18
 [<d494f419>] hostap_master_start_xmit+0x152/0x50d [hostap]
 [<c0631825>] dev_hard_start_xmit+0x1c2/0x231
 [<c064008e>] __qdisc_run+0xc7/0x1c5
 [<c062ff42>] qdisc_run+0x2c/0x2f
 [<c0631cd9>] dev_queue_xmit+0x360/0x466
 [<d494f1b9>] hostap_data_start_xmit+0x604/0x60e [hostap]
 [<c0631825>] dev_hard_start_xmit+0x1c2/0x231
 [<c0631d26>] dev_queue_xmit+0x3ad/0x466
 [<c0636952>] neigh_resolve_output+0x1f2/0x23c
 [<d4a4b688>] ip6_output_finish+0x92/0xdb [ipv6]
 [<d4a4d46f>] ip6_output2+0x1d2/0x1da [ipv6]
 [<d4a4deaa>] ip6_output+0xa33/0xa41 [ipv6]
 [<c062cc5b>] ? __alloc_skb+0x49/0xf8
 [<c062980d>] ? sock_alloc_send_skb+0x89/0x1c1
 [<d4a59a81>] __ndisc_send+0x2d9/0x3b7 [ipv6]
 [<d4a59cca>] ndisc_send_rs+0x7f/0x8a [ipv6]
 [<d4a50e44>] addrconf_rs_timer+0x90/0xba [ipv6]
 [<c04340f1>] run_timer_softirq+0x14b/0x1bb
 [<d4a50db4>] ? addrconf_rs_timer+0x0/0xba [ipv6]
 [<d4a50db4>] ? addrconf_rs_timer+0x0/0xba [ipv6]
 [<c043066b>] __do_softirq+0x84/0x109
 [<c04305e7>] ? __do_softirq+0x0/0x109
 [<c0405eec>] do_softirq+0x77/0xdb
 [<c04640b3>] ? handle_level_irq+0x0/0xbe
 [<c04302d2>] irq_exit+0x44/0x83
 [<c0405e5e>] do_IRQ+0xe7/0xfe
 [<c0404654>] common_interrupt+0x28/0x30
 [<c0566f4e>] ? acpi_idle_enter_bm+0x277/0x2c6
 [<c06155f5>] cpuidle_idle_call+0x67/0x97
 [<c0402c4d>] cpu_idle+0x101/0x134
 [<c06b5c52>] rest_init+0x4e/0x50
 =======================

Comment 1 Fabrice Bellet 2008-10-27 16:43:50 UTC

clearly, it's a duplicate of http://bugzilla.kernel.org/show_bug.cgi?id=11802
(thanks to John W. Linville for the link!)

Comment 2 John W. Linville 2008-10-28 17:16:17 UTC

I added Johannes's patch from the link in comment 1 to rawhide kernels for tomorrow...

Note You need to log in before you can comment on or make changes to this bug.