Subject: Re: [PATCH] mac80211: fix conn_mon_timer running after disassociate
From: Johannes Berg To: Stanislaw Gruszka Cc: wwguy , Intel Linux Wireless , "linux-wireless@vger.kernel.org" In-Reply-To: <20110216095443.GC2812@redhat.com> References: <1297693947-15310-1-git-send-email-sgruszka@redhat.com> <1297698696.4723.16.camel@wwguy-ubuntu> <20110215113444.GC2162@redhat.com> <1297770602.3935.3.camel@jlt3.sipsolutions.net> <20110215130428.GA2515@redhat.com> <1297775393.3935.15.camel@jlt3.sipsolutions.net> <20110215132202.GC2515@redhat.com> <1297776631.3935.16.camel@jlt3.sipsolutions.net> <20110216095443.GC2812@redhat.com> Content-Type: text/plain; charset="UTF-8" Date: Wed, 16 Feb 2011 12:10:01 +0100 Message-ID: <1297854601.3736.0.camel@jlt3.sipsolutions.net> Mime-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Wed, 2011-02-16 at 10:54 +0100, Stanislaw Gruszka wrote: > Low level driver could pass rx frames to us after disassociate, what > can lead to run conn_mon_timer by ieee80211_sta_rx_notify(). Thats > is obviously wrong, but nothing happens until we unload modules and > resources are used after free. If kernel debugging is enabled following > warning could be observed: > > WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70() > Hardware name: HP xw8600 Workstation > ODEBUG: free active (active state 0) object type: timer_list > Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 ... > Pid: 13827, comm: rmmod Tainted: G W 2.6.38-rc4-wl+ #22 > Call Trace: > [] ? warn_slowpath_common+0x7f/0xc0 > [] ? warn_slowpath_fmt+0x46/0x50 > [] ? debug_print_object+0x65/0x70 > [] ? debug_check_no_obj_freed+0x125/0x210 > [] ? debug_check_no_locks_freed+0xf7/0x170 > [] ? kfree+0xc2/0x2f0 > [] ? netdev_release+0x45/0x60 > [] ? device_release+0x27/0xa0 > [] ? kobject_release+0x8d/0x1a0 > [] ? kobject_release+0x0/0x1a0 > [] ? kref_put+0x37/0x70 > [] ? kobject_put+0x27/0x60 > [] ? netdev_run_todo+0x1ab/0x270 > [] ? rtnl_unlock+0xe/0x10 > [] ? ieee80211_unregister_hw+0x58/0x120 [mac80211] > [] ? 
iwl_pci_remove+0xdb/0x22a [iwlagn] > [] ? pci_device_remove+0x52/0x120 > [] ? __device_release_driver+0x75/0xe0 > [] ? driver_detach+0xd8/0xe0 > [] ? bus_remove_driver+0x91/0x100 > [] ? driver_unregister+0x62/0xa0 > [] ? pci_unregister_driver+0x44/0xa0 > [] ? iwl_exit+0x15/0x1c [iwlagn] > [] ? sys_delete_module+0x1a2/0x270 > [] ? trace_hardirqs_on_thunk+0x3a/0x3f > [] ? system_call_fastpath+0x16/0x1b > > Signed-off-by: Stanislaw Gruszka > --- > net/mac80211/mlme.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c > index d89e878..7b3f9df 100644 > --- a/net/mac80211/mlme.c > +++ b/net/mac80211/mlme.c > @@ -1071,6 +1071,12 @@ void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata, > if (is_multicast_ether_addr(hdr->addr1)) > return; > > + /* > + * In case we receive pending frames after disassociation. > + */ > + if (!sdata->u.mgd.associated) > + return; > + > ieee80211_sta_reset_conn_monitor(sdata); > } > good catch, thanks. johannes
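Review bot: the new `if (!sdata->u.mgd.associated) return;` test and the `ieee80211_sta_reset_conn_monitor(sdata)` call that follows it are two separate steps, and nothing in this hunk serialises them against the disassociation path that clears `associated` and tears the timer down, so a frame already inside `ieee80211_sta_rx_notify()` when disassociation runs can still observe `associated` as set and re-arm `conn_mon_timer` afterwards. The check shrinks the window that produced the ODEBUG "free active" warning at rmmod but does not close it; it would be worth stating in the comment that the goal is to avoid re-arming the connection monitor, and confirming that the disassociation/teardown side stops the timer synchronously (a `del_timer_sync()` after `associated` is cleared) so that a late RX cannot leave an armed timer behind when the netdev is freed. A comment reading just "In case we receive pending frames after disassociation." also does not say why returning early matters; "don't re-arm the connection monitor once disassociated" would make the intent clear to the next reader.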