05e7c99136
Low level driver could pass rx frames to us after disassociate, what can lead to run conn_mon_timer by ieee80211_sta_rx_notify(). That is obviously wrong, but nothing happens until we unload modules and resources are used after free. If kernel debugging is enabled following warning could be observed: WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70() Hardware name: HP xw8600 Workstation ODEBUG: free active (active state 0) object type: timer_list Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 aes_x86_64 aes_generic fuse cpufreq_ondemand acpi_cpufreq freq_table mperf xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext3 jbd dm_mirror dm_region_hash dm_log dm_mod uinput hp_wmi sparse_keymap sg wmi arc4 microcode serio_raw ecb tg3 shpchp rfkill ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: cfg80211] Pid: 13827, comm: rmmod Tainted: G W 2.6.38-rc4-wl+ #22 Call Trace: [<ffffffff810649cf>] ? warn_slowpath_common+0x7f/0xc0 [<ffffffff81064ac6>] ? warn_slowpath_fmt+0x46/0x50 [<ffffffff81226fc5>] ? debug_print_object+0x65/0x70 [<ffffffff81227625>] ? debug_check_no_obj_freed+0x125/0x210 [<ffffffff8109ebd7>] ? debug_check_no_locks_freed+0xf7/0x170 [<ffffffff81156092>] ? kfree+0xc2/0x2f0 [<ffffffff813ec5c5>] ? netdev_release+0x45/0x60 [<ffffffff812f1067>] ? device_release+0x27/0xa0 [<ffffffff81216ddd>] ? kobject_release+0x8d/0x1a0 [<ffffffff81216d50>] ? kobject_release+0x0/0x1a0 [<ffffffff812183b7>] ? kref_put+0x37/0x70 [<ffffffff81216c57>] ? kobject_put+0x27/0x60 [<ffffffff813d5d1b>] ? netdev_run_todo+0x1ab/0x270 [<ffffffff813e771e>] ? rtnl_unlock+0xe/0x10 [<ffffffffa0581188>] ? ieee80211_unregister_hw+0x58/0x120 [mac80211] [<ffffffffa0377ed7>] ? iwl_pci_remove+0xdb/0x22a [iwlagn] [<ffffffff8123cde2>] ? pci_device_remove+0x52/0x120 [<ffffffff812f5205>] ? __device_release_driver+0x75/0xe0 [<ffffffff812f5348>] ? driver_detach+0xd8/0xe0 [<ffffffff812f4111>] ? bus_remove_driver+0x91/0x100 [<ffffffff812f5b62>] ? driver_unregister+0x62/0xa0 [<ffffffff8123d194>] ? pci_unregister_driver+0x44/0xa0 [<ffffffffa0377df5>] ? iwl_exit+0x15/0x1c [iwlagn] [<ffffffff810ab492>] ? sys_delete_module+0x1a2/0x270 [<ffffffff81498889>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff8100bf42>] ? system_call_fastpath+0x16/0x1b Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> |
||
---|---|---|
.. | ||
aes_ccm.c | ||
aes_ccm.h | ||
aes_cmac.c | ||
aes_cmac.h | ||
agg-rx.c | ||
agg-tx.c | ||
cfg.c | ||
cfg.h | ||
chan.c | ||
debugfs_key.c | ||
debugfs_key.h | ||
debugfs_netdev.c | ||
debugfs_netdev.h | ||
debugfs_sta.c | ||
debugfs_sta.h | ||
debugfs.c | ||
debugfs.h | ||
driver-ops.h | ||
driver-trace.c | ||
driver-trace.h | ||
event.c | ||
ht.c | ||
ibss.c | ||
ieee80211_i.h | ||
iface.c | ||
Kconfig | ||
key.c | ||
key.h | ||
led.c | ||
led.h | ||
main.c | ||
Makefile | ||
mesh_hwmp.c | ||
mesh_pathtbl.c | ||
mesh_plink.c | ||
mesh.c | ||
mesh.h | ||
michael.c | ||
michael.h | ||
mlme.c | ||
offchannel.c | ||
pm.c | ||
rate.c | ||
rate.h | ||
rc80211_minstrel_debugfs.c | ||
rc80211_minstrel_ht_debugfs.c | ||
rc80211_minstrel_ht.c | ||
rc80211_minstrel_ht.h | ||
rc80211_minstrel.c | ||
rc80211_minstrel.h | ||
rc80211_pid_algo.c | ||
rc80211_pid_debugfs.c | ||
rc80211_pid.h | ||
rx.c | ||
scan.c | ||
spectmgmt.c | ||
sta_info.c | ||
sta_info.h | ||
status.c | ||
tkip.c | ||
tkip.h | ||
tx.c | ||
util.c | ||
wep.c | ||
wep.h | ||
wme.c | ||
wme.h | ||
work.c | ||
wpa.c | ||
wpa.h |