Bugzilla – Bug 147105
double free and then oops in madwifi
Last modified: 2007-06-05 10:05:15 UTC
Hit a double free and then a subsequent oops. Looks like it originates in the madwifi driver. I was changing wireless networks via wpa_supplicant, but nothing out of the ordinary. Running current STABLE tree. Specific versions:
kernel-default-2.6.16_rc1_git3-20060130162402
wireless-tools-28pre13-7
wpa_supplicant-0.4.7-4
slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
 [<c014bdbf>] cache_free_debugcheck+0xbf/0x192
 [<c0230f3d>] pskb_expand_head+0xd8/0x121
 [<c014c40d>] kfree+0x3c/0x6c
 [<c0230f3d>] pskb_expand_head+0xd8/0x121
 [<f92cf1cf>] ath_tx_capture+0xc7/0x134 [ath_pci]
 [<f92cf602>] ath_tx_processq+0x3c6/0x4e8 [ath_pci]
 [<f92d00a8>] ath_tx_tasklet+0x55/0xf4 [ath_pci]
 [<c011c283>] tasklet_action+0x37/0x57
 [<c011c19e>] __do_softirq+0x35/0x7f
 [<c011c20a>] do_softirq+0x22/0x26
 [<c0104f1d>] do_IRQ+0x4b/0x56
 [<c0103afa>] common_interrupt+0x1a/0x20
 [<f92df3e9>] acpi_processor_idle+0x156/0x321 [processor]
 [<c0101d31>] cpu_idle+0x38/0x4d
 [<c03245d0>] start_kernel+0x24d/0x24f
d0370284: redzone 1: 0x5a5a5a5a, redzone 2: 0x170fc2a5.
Unable to handle kernel paging request at virtual address 5a5a0100
 printing eip:
c0246a38
*pde = 00000000
Oops: 0002 [#1]
last sysfs file: /devices/system/cpu/cpu0/cpufreq/scaling_cur_freq
Modules linked in: wlan_tkip wlan_wep aes wlan_ccmp dm_mod joydev sg st af_packet ipv6 cpufreq_ondemand cpufreq_userspace cpufreq_powersave speedstep_centrino freq_table snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device edd ibm_acpi thermal processor fan button battery ac loop pcmcia firmware_class wlan_scan_sta e1000 ath_pci ath_rate_sample wlan ath_hal yenta_socket rsrc_nonstatic pcmcia_core usbhid i2c_i801 i2c_core ehci_hcd generic shpchp pci_hotplug snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm snd_timer snd soundcore snd_page_alloc intel_agp agpgart i8xx_tco uhci_hcd usbcore parport_pc lp parport ext3 jbd piix ide_cd sr_mod cdrom sd_mod scsi_mod ide_disk ide_core
CPU:    0
EIP:    0060:[<c0246a38>]    Tainted: P U VLI
EFLAGS: 00210206   (2.6.16-rc1-git3-20060130162402-default)
EIP is at netlink_release+0x174/0x20a
eax: 5a5a0000   ebx: d0370178   ecx: 00000001   edx: 00006288
esi: d037007c   edi: f67309dc   ebp: f6730a10   esp: e62aff60
ds: 007b   es: 007b   ss: 0068
Process wpa_supplicant (pid: 25224, threadinfo=e62ae000 task=d37d0570)
Stack: <0>00000000 db75807c 00000000 f67309dc e3896084 c022b9f9 f6730a10 db75807c
       c022c13d 00000008 c0150046 e3896084 dfff45c8 f6730a10 db75807c 00000000
       d7e4e9fc e62ae000 c014db67 00000005 08089008 00000000 c0102a99 00000005
Call Trace:
 [<c022b9f9>] sock_release+0x11/0x63
 [<c022c13d>] sock_close+0x26/0x2a
 [<c0150046>] __fput+0xb3/0x152
 [<c014db67>] filp_close+0x4e/0x54
 [<c0102a99>] syscall_call+0x7/0xb
Code: 00 75 1e 8a 46 25 89 e1 89 14 24 ba 01 00 00 00 0f b6 c0 89 44 24 04 b8 28 4d 3a c0 e8 63 d0 03 00 8b 86 dc 01 00 00 85 c0 74 16 <ff> 88 00 01 00 00 83 38 02 75 0b 8b 80 88 01 00 00 e8 bb ee ec
 <6>ADDRCONF(NETDEV_UP): ath0: link is not ready
Got it again, this time during a `ping -b` (not sure if it was related). I am including the updated oops, because it appears a bit different. This is from today's kotd (2.6.16-rc1-git6-20060202155503-default):
Feb 2 13:37:58 molly klogd: slab error in cache_free_debugcheck(): cache `size-512': double free, or memory outside object was overwritten
Feb 2 13:37:58 molly klogd: [<c014bf7f>] cache_free_debugcheck+0xbf/0x192
Feb 2 13:37:58 molly klogd: [<c022f134>] pskb_expand_head+0xdc/0x125
Feb 2 13:37:58 molly klogd: [<c014c3fc>] kfree+0x3c/0x6c
Feb 2 13:37:58 molly klogd: [<c022f134>] pskb_expand_head+0xdc/0x125
Feb 2 13:37:58 molly klogd: [<f92c41d3>] ath_tx_capture+0xc7/0x134 [ath_pci]
Feb 2 13:37:58 molly klogd: [<f92c4606>] ath_tx_processq+0x3c6/0x4e8 [ath_pci]
Feb 2 13:37:58 molly klogd: [<f92c50ac>] ath_tx_tasklet+0x55/0xf4 [ath_pci]
Feb 2 13:37:58 molly klogd: [<c011c32f>] tasklet_action+0x37/0x57
Feb 2 13:37:58 molly klogd: [<c011c24a>] __do_softirq+0x35/0x7f
Feb 2 13:37:58 molly klogd: [<c011c2b6>] do_softirq+0x22/0x26
Feb 2 13:37:58 molly klogd: [<c0104f1d>] do_IRQ+0x4b/0x56
Feb 2 13:37:58 molly klogd: [<c0103afa>] common_interrupt+0x1a/0x20
Feb 2 13:37:58 molly klogd: [<f93aa130>] acpi_processor_idle+0x156/0x322 [processor]
Feb 2 13:37:58 molly klogd: [<c0101d31>] cpu_idle+0x38/0x4d
Feb 2 13:37:58 molly klogd: [<c03225d0>] start_kernel+0x24d/0x24f
Feb 2 13:37:58 molly klogd: e37f4d80: redzone 1: 0x5a5a5a5a, redzone 2: 0x170fc2a5.
Feb 2 13:37:58 molly klogd: Slab corruption: start=e37f4b78, len=512
Feb 2 13:37:58 molly klogd: Redzone: 0x5a2cf071/0x5a5a5a5a.
Feb 2 13:37:58 molly klogd: Last user: [<5a5a5a5a>](0x5a5a5a5a)
Feb 2 13:37:58 molly klogd: 1d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 5a 5a
Feb 2 13:37:58 molly klogd: 1e0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
Feb 2 13:37:58 molly klogd: 1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
Feb 2 13:37:58 molly klogd: Prev obj: start=e37f496c, len=512
Feb 2 13:37:58 molly klogd: Redzone: 0x170fc2a5/0x170fc2a5.
Feb 2 13:37:58 molly klogd: Last user: [<c022bb5d>](sock_alloc_send_skb+0x58/0x196)
Feb 2 13:37:58 molly klogd: 000: 3c 31 32 3e 46 65 62 20 20 32 20 31 33 3a 33 37
Feb 2 13:37:58 molly klogd: 010: 3a 35 38 20 6b 6c 6f 67 64 3a 20 20 5b 3c 63 30
Feb 2 13:37:58 molly klogd: Next obj: start=e37f4d84, len=512
Feb 2 13:37:58 molly klogd: Redzone: 0x170fc2a5/0x170fc2a5.
Feb 2 13:37:58 molly klogd: Last user: [<c022bb5d>](sock_alloc_send_skb+0x58/0x196)
Feb 2 13:37:58 molly klogd: 000: 3c 31 31 3e 46 65 62 20 20 32 20 31 33 3a 33 37
Feb 2 13:37:58 molly klogd: 010: 3a 35 38 20 6b 6c 6f 67 64 3a 20 73 6c 61 62 20
Feb 2 13:37:58 molly klogd: slab error in cache_alloc_debugcheck_after(): cache `size-512': double free, or memory outside object was overwritten
Feb 2 13:37:58 molly klogd: [<c014be51>] cache_alloc_debugcheck_after+0x7b/0xea
Feb 2 13:37:58 molly klogd: [<c022bb5d>] sock_alloc_send_skb+0x58/0x196
Feb 2 13:37:58 molly klogd: [<c014ca53>] __kmalloc_track_caller+0xa8/0xb2
Feb 2 13:37:58 molly klogd: [<c022bb5d>] sock_alloc_send_skb+0x58/0x196
Feb 2 13:37:58 molly klogd: [<c022ea5f>] __alloc_skb+0x4f/0xf9
Feb 2 13:37:58 molly klogd: [<c022bb5d>] sock_alloc_send_skb+0x58/0x196
Feb 2 13:37:58 molly klogd: [<c0114e63>] __wake_up+0x2a/0x3d
Feb 2 13:37:58 molly klogd: [<c027c57a>] unix_dgram_sendmsg+0x14e/0x464
Feb 2 13:37:58 molly klogd: [<f92c5dc4>] ath_intr+0x516/0xa09 [ath_pci]
Feb 2 13:37:58 molly klogd: [<c0229b9e>] sock_sendmsg+0xd2/0xec
Feb 2 13:37:58 molly klogd: [<c0127ad3>] autoremove_wake_function+0x0/0x2d
Feb 2 13:37:58 molly klogd: [<c015c558>] __link_path_walk+0xb15/0xc52
Feb 2 13:37:58 molly klogd: [<c0115908>] try_to_wake_up+0xf0/0xfa
Feb 2 13:37:58 molly klogd: [<c016668a>] mntput_no_expire+0x11/0x6d
Feb 2 13:37:58 molly klogd: [<c015c744>] link_path_walk+0xaf/0xb9
Feb 2 13:37:58 molly klogd: [<c022ad0e>] sys_sendto+0xf2/0x113
Feb 2 13:37:58 molly klogd: [<c014c04a>] cache_free_debugcheck+0x18a/0x192
Feb 2 13:37:58 molly klogd: [<c01ae22e>] copy_to_user+0x54/0x6a
Feb 2 13:37:58 molly klogd: [<c0156f24>] cp_new_stat64+0xf6/0x108
Feb 2 13:37:58 molly klogd: [<c022ad48>] sys_send+0x19/0x1d
Feb 2 13:37:58 molly klogd: [<c022af60>] sys_socketcall+0xed/0x19e
Feb 2 13:37:59 molly klogd: [<c0102a99>] syscall_call+0x7/0xb
Feb 2 13:37:59 molly klogd: e37f4b74: redzone 1: 0x5a2cf071, redzone 2: 0x5a5a5a5a.
Joachim?
Could you test it with the latest madwifi-default package from STABLE?
I am no longer seeing the oopses with kernel-default-2.6.16_rc3-5 and madwifi-kmp-default-1451_2.6.16_rc3_5-2. Timo, however, says that he is still seeing the problem.
Have not seen this in nearly a month. Closing as FIXED. I will reopen if I see it again.
I still see madwifi oopsing the kernel when using a Gigabyte GN-WLMA101 (may be a different bug, though). I've reported it here: http://madwifi.org/ticket/400
Fixed package submitted.