Bug 147105

Summary: double free and then oops in madwifi
Product: [openSUSE] SUSE Linux 10.1
Reporter: Robert Love <rml>
Component: Kernel
Assignee: Joachim Gleissner <joachim.gleissner>
Status: VERIFIED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Beta 2
Target Milestone: ---
Hardware: i686
OS: SuSE Linux 10.1
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Love 2006-01-31 21:02:43 UTC
Hit a double free and then a subsequent oops.  Looks like it originates in the madwifi driver.  I was changing wireless networks via wpa_supplicant, but nothing out of the ordinary.

Running current STABLE tree.  Specific versions:

kernel-default-2.6.16_rc1_git3-20060130162402
wireless-tools-28pre13-7
wpa_supplicant-0.4.7-4
Comment 1 Robert Love 2006-01-31 21:03:13 UTC
slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
 [<c014bdbf>] cache_free_debugcheck+0xbf/0x192
 [<c0230f3d>] pskb_expand_head+0xd8/0x121
 [<c014c40d>] kfree+0x3c/0x6c
 [<c0230f3d>] pskb_expand_head+0xd8/0x121
 [<f92cf1cf>] ath_tx_capture+0xc7/0x134 [ath_pci]
 [<f92cf602>] ath_tx_processq+0x3c6/0x4e8 [ath_pci]
 [<f92d00a8>] ath_tx_tasklet+0x55/0xf4 [ath_pci]
 [<c011c283>] tasklet_action+0x37/0x57
 [<c011c19e>] __do_softirq+0x35/0x7f
 [<c011c20a>] do_softirq+0x22/0x26
 [<c0104f1d>] do_IRQ+0x4b/0x56
 [<c0103afa>] common_interrupt+0x1a/0x20
 [<f92df3e9>] acpi_processor_idle+0x156/0x321 [processor]
 [<c0101d31>] cpu_idle+0x38/0x4d
 [<c03245d0>] start_kernel+0x24d/0x24f
d0370284: redzone 1: 0x5a5a5a5a, redzone 2: 0x170fc2a5.
Unable to handle kernel paging request at virtual address 5a5a0100
 printing eip:
c0246a38
*pde = 00000000
Oops: 0002 [#1]
last sysfs file: /devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
Modules linked in: wlan_tkip wlan_wep aes wlan_ccmp dm_mod joydev sg st af_packet ipv6 cpufreq_ondemand cpufreq_userspace cpufreq_powersave speedstep_centrino freq_table snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device edd ibm_acpi thermal processor fan button battery ac loop pcmcia firmware_class wlan_scan_sta e1000 ath_pci ath_rate_sample wlan ath_hal yenta_socket rsrc_nonstatic pcmcia_core usbhid i2c_i801 i2c_core ehci_hcd generic shpchp pci_hotplug snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm snd_timer snd soundcore snd_page_alloc intel_agp agpgart i8xx_tco uhci_hcd usbcore parport_pc lp parport ext3 jbd piix ide_cd sr_mod cdrom sd_mod scsi_mod ide_disk ide_core
CPU:    0
EIP:    0060:[<c0246a38>]    Tainted: P     U VLI
EFLAGS: 00210206   (2.6.16-rc1-git3-20060130162402-default)
EIP is at netlink_release+0x174/0x20a
eax: 5a5a0000   ebx: d0370178   ecx: 00000001   edx: 00006288
esi: d037007c   edi: f67309dc   ebp: f6730a10   esp: e62aff60
ds: 007b   es: 007b   ss: 0068
Process wpa_supplicant (pid: 25224, threadinfo=e62ae000 task=d37d0570)
Stack: <0>00000000 db75807c 00000000 f67309dc e3896084 c022b9f9 f6730a10 db75807c
       c022c13d 00000008 c0150046 e3896084 dfff45c8 f6730a10 db75807c 00000000
       d7e4e9fc e62ae000 c014db67 00000005 08089008 00000000 c0102a99 00000005
Call Trace:
 [<c022b9f9>] sock_release+0x11/0x63
 [<c022c13d>] sock_close+0x26/0x2a
 [<c0150046>] __fput+0xb3/0x152
 [<c014db67>] filp_close+0x4e/0x54
 [<c0102a99>] syscall_call+0x7/0xb
Code: 00 75 1e 8a 46 25 89 e1 89 14 24 ba 01 00 00 00 0f b6 c0 89 44 24 04 b8 28 4d 3a c0 e8 63 d0 03 00 8b 86 dc 01 00 00 85 c0 74 16 <ff> 88 00 01 00 00 83 38 02 75 0b 8b 80 88 01 00 00 e8 bb ee ec
 <6>ADDRCONF(NETDEV_UP): ath0: link is not ready
Comment 2 Robert Love 2006-02-02 18:43:24 UTC
Got it again, this time during a `ping -b` (not sure if it was related).

I am including the updated oops, because it appears a bit different.  This is from today's kotd (2.6.16-rc1-git6-20060202155503-default):

Feb  2 13:37:58 molly klogd: slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
Feb  2 13:37:58 molly klogd:  [<c014bf7f>] cache_free_debugcheck+0xbf/0x192
Feb  2 13:37:58 molly klogd:  [<c022f134>] pskb_expand_head+0xdc/0x125
Feb  2 13:37:58 molly klogd:  [<c014c3fc>] kfree+0x3c/0x6c
Feb  2 13:37:58 molly klogd:  [<c022f134>] pskb_expand_head+0xdc/0x125
Feb  2 13:37:58 molly klogd:  [<f92c41d3>] ath_tx_capture+0xc7/0x134 [ath_pci]
Feb  2 13:37:58 molly klogd:  [<f92c4606>] ath_tx_processq+0x3c6/0x4e8 [ath_pci]
Feb  2 13:37:58 molly klogd:  [<f92c50ac>] ath_tx_tasklet+0x55/0xf4 [ath_pci]
Feb  2 13:37:58 molly klogd:  [<c011c32f>] tasklet_action+0x37/0x57
Feb  2 13:37:58 molly klogd:  [<c011c24a>] __do_softirq+0x35/0x7f
Feb  2 13:37:58 molly klogd:  [<c011c2b6>] do_softirq+0x22/0x26
Feb  2 13:37:58 molly klogd:  [<c0104f1d>] do_IRQ+0x4b/0x56
Feb  2 13:37:58 molly klogd:  [<c0103afa>] common_interrupt+0x1a/0x20
Feb  2 13:37:58 molly klogd:  [<f93aa130>] acpi_processor_idle+0x156/0x322 [processor]
Feb  2 13:37:58 molly klogd:  [<c0101d31>] cpu_idle+0x38/0x4d
Feb  2 13:37:58 molly klogd:  [<c03225d0>] start_kernel+0x24d/0x24f
Feb  2 13:37:58 molly klogd: e37f4d80: redzone 1: 0x5a5a5a5a, redzone 2: 0x170fc2a5.
Feb  2 13:37:58 molly klogd: Slab corruption: start=e37f4b78, len=512
Feb  2 13:37:58 molly klogd: Redzone: 0x5a2cf071/0x5a5a5a5a.
Feb  2 13:37:58 molly klogd: Last user: [<5a5a5a5a>](0x5a5a5a5a)
Feb  2 13:37:58 molly klogd: 1d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 5a 5a
Feb  2 13:37:58 molly klogd: 1e0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
Feb  2 13:37:58 molly klogd: 1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
Feb  2 13:37:58 molly klogd: Prev obj: start=e37f496c, len=512
Feb  2 13:37:58 molly klogd: Redzone: 0x170fc2a5/0x170fc2a5.
Feb  2 13:37:58 molly klogd: Last user: [<c022bb5d>](sock_alloc_send_skb+0x58/0x196)
Feb  2 13:37:58 molly klogd: 000: 3c 31 32 3e 46 65 62 20 20 32 20 31 33 3a 33 37
Feb  2 13:37:58 molly klogd: 010: 3a 35 38 20 6b 6c 6f 67 64 3a 20 20 5b 3c 63 30
Feb  2 13:37:58 molly klogd: Next obj: start=e37f4d84, len=512
Feb  2 13:37:58 molly klogd: Redzone: 0x170fc2a5/0x170fc2a5.
Feb  2 13:37:58 molly klogd: Last user: [<c022bb5d>](sock_alloc_send_skb+0x58/0x196)
Feb  2 13:37:58 molly klogd: 000: 3c 31 31 3e 46 65 62 20 20 32 20 31 33 3a 33 37
Feb  2 13:37:58 molly klogd: 010: 3a 35 38 20 6b 6c 6f 67 64 3a 20 73 6c 61 62 20
Feb  2 13:37:58 molly klogd: slab error in cache_alloc_debugcheck_after(): cache `size-512': double free, or memory outside object was overwritten
Feb  2 13:37:58 molly klogd:  [<c014be51>] cache_alloc_debugcheck_after+0x7b/0xea
Feb  2 13:37:58 molly klogd:  [<c022bb5d>] sock_alloc_send_skb+0x58/0x196
Feb  2 13:37:58 molly klogd:  [<c014ca53>] __kmalloc_track_caller+0xa8/0xb2
Feb  2 13:37:58 molly klogd:  [<c022bb5d>] sock_alloc_send_skb+0x58/0x196
Feb  2 13:37:58 molly klogd:  [<c022ea5f>] __alloc_skb+0x4f/0xf9
Feb  2 13:37:58 molly klogd:  [<c022bb5d>] sock_alloc_send_skb+0x58/0x196
Feb  2 13:37:58 molly klogd:  [<c0114e63>] __wake_up+0x2a/0x3d
Feb  2 13:37:58 molly klogd:  [<c027c57a>] unix_dgram_sendmsg+0x14e/0x464
Feb  2 13:37:58 molly klogd:  [<f92c5dc4>] ath_intr+0x516/0xa09 [ath_pci]
Feb  2 13:37:58 molly klogd:  [<c0229b9e>] sock_sendmsg+0xd2/0xec
Feb  2 13:37:58 molly klogd:  [<c0127ad3>] autoremove_wake_function+0x0/0x2d
Feb  2 13:37:58 molly klogd:  [<c015c558>] __link_path_walk+0xb15/0xc52
Feb  2 13:37:58 molly klogd:  [<c0115908>] try_to_wake_up+0xf0/0xfa
Feb  2 13:37:58 molly klogd:  [<c016668a>] mntput_no_expire+0x11/0x6d
Feb  2 13:37:58 molly klogd:  [<c015c744>] link_path_walk+0xaf/0xb9
Feb  2 13:37:58 molly klogd:  [<c022ad0e>] sys_sendto+0xf2/0x113
Feb  2 13:37:58 molly klogd:  [<c014c04a>] cache_free_debugcheck+0x18a/0x192
Feb  2 13:37:58 molly klogd:  [<c01ae22e>] copy_to_user+0x54/0x6a
Feb  2 13:37:58 molly klogd:  [<c0156f24>] cp_new_stat64+0xf6/0x108
Feb  2 13:37:58 molly klogd:  [<c022ad48>] sys_send+0x19/0x1d
Feb  2 13:37:58 molly klogd:  [<c022af60>] sys_socketcall+0xed/0x19e
Feb  2 13:37:59 molly klogd:  [<c0102a99>] syscall_call+0x7/0xb
Feb  2 13:37:59 molly klogd: e37f4b74: redzone 1: 0x5a2cf071, redzone 2: 0x5a5a5a5a.
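The two reports above carry the usual CONFIG_DEBUG_SLAB markers: redzone words, poison bytes in the object dump, and a fault address (5a5a0100 in the first oops) that is a poison pattern plus a small field offset. The script below is an added triage aid, not part of this bug report or of the madwifi project; it parses klogd lines of the shape shown in Comment 2, decodes the redzone/poison values and pulls out the first frame that lives in a loadable module. The constants are taken from the 2.6.16 mm/slab.c debugging code (RED_ACTIVE 0x170fc2a5 for an in-use object, RED_INACTIVE 0x5a2cf071 for a free one, 0x5a written at allocation, 0x6b written at free); that they match the reporter's kernel is an assumption, and the sample log text is constructed from the lines in this report.

```python
import re

# Slab debug constants from 2.6.16 mm/slab.c (assumed to match the kernel in this report).
RED_INACTIVE = 0x5A2CF071   # redzone word of an object that is currently free
RED_ACTIVE   = 0x170FC2A5   # redzone word of an object that is currently in use
POISON_INUSE = 0x5A         # byte pattern written into an object when it is allocated
POISON_FREE  = 0x6B         # byte pattern written into an object when it is freed

# Constructed sample in the shape of Comment 2 (not the full log).
SAMPLE = """\
Feb  2 13:37:58 molly klogd: slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
Feb  2 13:37:58 molly klogd:  [<c014bf7f>] cache_free_debugcheck+0xbf/0x192
Feb  2 13:37:58 molly klogd:  [<f92c41d3>] ath_tx_capture+0xc7/0x134 [ath_pci]
Feb  2 13:37:58 molly klogd: e37f4d80: redzone 1: 0x5a5a5a5a, redzone 2: 0x170fc2a5.
Feb  2 13:37:58 molly klogd: Slab corruption: start=e37f4b78, len=512
Feb  2 13:37:58 molly klogd: Redzone: 0x5a2cf071/0x5a5a5a5a.
Feb  2 13:37:58 molly klogd: 1d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 5a 5a
"""

RE_SLAB_ERR = re.compile(r"slab error in (\w+)\(\): cache `([^']+)'")
RE_FRAME = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
RE_RZ_PAIR = re.compile(r"redzone 1: 0x([0-9a-f]+), redzone 2: 0x([0-9a-f]+)")
RE_RZ_SLASH = re.compile(r"Redzone: 0x([0-9a-f]+)/0x([0-9a-f]+)")
RE_HEXLINE = re.compile(r"([0-9a-f]{3}): ((?:[0-9a-f]{2} ?)+)$")


def classify_redzone(value):
    """Name what a 32-bit redzone word means under the slab debug constants above."""
    if value == RED_ACTIVE:
        return "active"
    if value == RED_INACTIVE:
        return "inactive"
    raw = value.to_bytes(4, "big")
    if all(b == POISON_INUSE for b in raw):
        return "poison-inuse"      # redzone overwritten with the allocation poison
    if all(b == POISON_FREE for b in raw):
        return "poison-free"       # redzone overwritten with the free poison
    return "corrupt"               # arbitrary overwrite past an object boundary


def poisoned_pointer(addr):
    """Return the poison pattern a faulting address was built from, or None.
    A value such as 0x5a5a0100 is poison bytes plus a struct field offset, i.e. a
    pointer was read from memory still holding the slab poison rather than real data."""
    hi = (addr >> 16) & 0xFFFF
    return {0x5A5A: "POISON_INUSE", 0x6B6B: "POISON_FREE"}.get(hi)


def parse_report(text):
    """Extract errors, frames, redzone verdicts and poison-byte counts from klogd lines."""
    report = {"errors": [], "frames": [], "module_frames": [], "redzones": [],
              "poison_bytes": {"inuse": 0, "free": 0, "other": 0}}
    for line in text.splitlines():
        line = line.rstrip()
        m = RE_SLAB_ERR.search(line)
        if m:
            report["errors"].append((m.group(1), m.group(2)))
        m = RE_FRAME.search(line)
        if m:
            report["frames"].append(m.group(2))
            if m.group(3):                       # frame inside a loadable module
                report["module_frames"].append((m.group(2), m.group(3)))
        for rx in (RE_RZ_PAIR, RE_RZ_SLASH):
            m = rx.search(line)
            if m:
                report["redzones"].append((classify_redzone(int(m.group(1), 16)),
                                           classify_redzone(int(m.group(2), 16))))
        m = RE_HEXLINE.search(line)
        if m:
            for b in bytes.fromhex(m.group(2).replace(" ", "")):
                key = {POISON_INUSE: "inuse", POISON_FREE: "free"}.get(b, "other")
                report["poison_bytes"][key] += 1
    return report


def first_module_frame(report):
    """The first frame that lives in a module: the natural starting point for triage."""
    return report["module_frames"][0] if report["module_frames"] else None


if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print("errors:", r["errors"])
    print("first module frame:", first_module_frame(r))
    print("redzones:", r["redzones"])
    print("poison bytes:", r["poison_bytes"])
    print("fault 0x5a5a0100 from:", poisoned_pointer(0x5A5A0100))
```

On the sample the redzone on the freed object reads inactive/poison-inuse and the object dump is almost entirely 0x6b (free poison) with 0x5a bytes spilling in, which is the signature of two owners of the same 512-byte object that the "double free, or memory outside object was overwritten" message describes; the first module frame points at ath_tx_capture in ath_pci, matching where both traces enter the driver.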
Comment 3 Greg Kroah-Hartman 2006-02-09 01:40:57 UTC
Joachim?
Comment 4 Joachim Gleissner 2006-02-09 10:12:44 UTC
Could you test it with the latest madwifi-default package from STABLE?
Comment 5 Robert Love 2006-02-15 18:15:52 UTC
I am no longer seeing the oopses with kernel-default-2.6.16_rc3-5 and madwifi-kmp-default-1451_2.6.16_rc3_5-2.  Timo, however, says that he is still seeing the problem.
Comment 6 Robert Love 2006-03-03 17:39:39 UTC
Have not seen this in nearly a month.  Closing as FIXED.  I will reopen if I see it again.
Comment 7 Joachim Gleissner 2006-03-08 11:46:39 UTC
I still see madwifi oopsing the kernel when using a Gigabyte GN-WLMA101 (may be a different bug, though). I've reported it here: http://madwifi.org/ticket/400
Comment 8 Joachim Gleissner 2006-03-09 21:22:26 UTC
Fixed package submitted.