linux/drivers/net/wireless
Jiri Slaby 3a0f2c8718 Ath5k: fix memory corruption
When signal is noisy, hardware can use all RX buffers and since the last
entry in the list is self-linked, it overwrites the entry until we link
new buffers.

Ensure that we don't free this last one until we are 100% sure that it
is not used by the hardware anymore to not cause memory corruption as
can be seen below.

This is done by checking next buffer in the list. Even after that we
know that the hardware refetched the new link and proceeded further
(the next buffer is ready) we can finally free the overwritten buffer.

We discard it since the status in its descriptor is overwritten (OR-ed
by new status) too.

=============================================================================
BUG kmalloc-4096: Poison overwritten
-----------------------------------------------------------------------------

INFO: 0xffff810067419060-0xffff810067419667. First byte 0x8 instead of 0x6b
INFO: Allocated in dev_alloc_skb+0x18/0x30 age=1118 cpu=1 pid=0
INFO: Freed in skb_release_data+0x85/0xd0 age=1105 cpu=1 pid=3718
INFO: Slab 0xffffe200019d0600 objects=7 used=0 fp=0xffff810067419048 flags=0x40000000000020c3
INFO: Object 0xffff810067419048 @offset=4168 fp=0xffff81006741c120

Bytes b4 0xffff810067419038:  4f 0b 02 00 01 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a O.......ZZZZZZZZ
  Object 0xffff810067419048:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
  Object 0xffff810067419058:  6b 6b 6b 6b 6b 6b 6b 6b 08 42 30 00 00 0b 6b 80 kkkkkkkk.B0...k.
  Object 0xffff810067419068:  f0 5d 00 4f 62 08 a3 64 00 0c 42 16 52 e4 f0 5a \360].Ob.\243d..B.R\344\360Z
  Object 0xffff810067419078:  68 81 00 00 7b a5 b4 be 7d 3b 8f 53 cd d5 de 12 h...{\245\264\276};.S\315\325\336.
  Object 0xffff810067419088:  96 10 0b 89 48 54 23 41 0f 4e 2d b9 37 c3 cb 29 ....HT#A.N-\2717\303\313)
  Object 0xffff810067419098:  d1 e0 de 14 8a 57 2a cc 3b 44 0d 78 7a 19 12 15 \321\340\336..W*\314;D.xz...
  Object 0xffff8100674190a8:  a9 ec d4 35 a8 10 ec 8c 40 a7 06 0a 51 a7 48 bb \251\354\3245\250.\354.@\247..Q\247H\273
  Object 0xffff8100674190b8:  3e cf a1 c7 38 60 63 3f 51 15 c7 20 eb ba 65 30 >ϡ\3078`c?Q.\307.\353\272e0
 Redzone 0xffff81006741a048:  bb bb bb bb bb bb bb bb                         \273\273\273\273\273\273\273\273
 Padding 0xffff81006741a088:  5a 5a 5a 5a 5a 5a 5a 5a                         ZZZZZZZZ
Pid: 3297, comm: ath5k_pci Not tainted 2.6.26-rc8-mm1_64 #427

Call Trace:
 [<ffffffff802a7306>] print_trailer+0xf6/0x150
 [<ffffffff802a7485>] check_bytes_and_report+0x125/0x180
 [<ffffffff802a75dc>] check_object+0xac/0x260
 [<ffffffff802a9308>] __slab_alloc+0x368/0x6d0
 [<ffffffff80544f82>] ? wireless_send_event+0x142/0x310
 [<ffffffff804b1bd4>] ? __alloc_skb+0x44/0x150
 [<ffffffff80544f82>] ? wireless_send_event+0x142/0x310
 [<ffffffff802aa853>] __kmalloc_track_caller+0xc3/0xf0
 [<ffffffff804b1bfe>] __alloc_skb+0x6e/0x150
[... stack snipped]

FIX kmalloc-4096: Restoring 0xffff810067419060-0xffff810067419667=0x6b

FIX kmalloc-4096: Marking all objects used

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Acked-by: Nick Kossifidis <mickflemm@gmail.com>
Cc: Luis R. Rodriguez <mcgrof@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-07-29 16:36:25 -04:00
..
ath5k Ath5k: fix memory corruption 2008-07-29 16:36:25 -04:00
b43 mac80211: remove IEEE80211_HW_HOST_GEN_BEACON_TEMPLATE flag 2008-07-29 16:36:24 -04:00
b43legacy mac80211: remove IEEE80211_HW_HOST_GEN_BEACON_TEMPLATE flag 2008-07-29 16:36:24 -04:00
hostap netdev: Handle ->addr_list_lock just like ->_xmit_lock for lockdep. 2008-07-22 14:16:42 -07:00
iwlwifi mac80211: remove IEEE80211_HW_HOST_GEN_BEACON_TEMPLATE flag 2008-07-29 16:36:24 -04:00
libertas Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
p54 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
prism54 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2008-06-28 22:57:58 -07:00
rt2x00 mac80211: remove IEEE80211_HW_HOST_GEN_BEACON_TEMPLATE flag 2008-07-29 16:36:24 -04:00
zd1211rw mac80211: remove IEEE80211_HW_HOST_GEN_BEACON_TEMPLATE flag 2008-07-29 16:36:24 -04:00
adm8211.c
adm8211.h
airo_cs.c
airo.c
airo.h
airport.c
arlan-main.c
arlan-proc.c
arlan.h
atmel_cs.c
atmel_pci.c
atmel.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
atmel.h
hermes_rid.h
hermes.c
hermes.h
i82586.h
i82593.h
ipw2100.c
ipw2100.h
ipw2200.c ipw2200: Call netif_*_queue() interfaces properly. 2008-07-22 18:32:47 -07:00
ipw2200.h
Kconfig Revert "remove the strip driver" 2008-07-18 03:58:52 -07:00
mac80211_hwsim.c mac80211_hwsim.c: fix: BUG: unable to handle kernel NULL pointer dereference at 0000000000000370 2008-07-21 13:19:35 -07:00
Makefile Revert "remove the strip driver" 2008-07-18 03:58:52 -07:00
netwave_cs.c
orinoco_cs.c
orinoco_nortel.c
orinoco_pci.c
orinoco_pci.h
orinoco_plx.c
orinoco_tmd.c
orinoco.c
orinoco.h
ray_cs.c
ray_cs.h
rayctl.h
rndis_wlan.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2008-06-28 22:57:58 -07:00
rtl818x.h rtl8187: Change detection of RTL8187B with USB ID of 8187 2008-07-08 14:16:07 -04:00
rtl8180_dev.c
rtl8180_grf5101.c
rtl8180_grf5101.h
rtl8180_max2820.c
rtl8180_max2820.h
rtl8180_rtl8225.c
rtl8180_rtl8225.h
rtl8180_sa2400.c
rtl8180_sa2400.h
rtl8180.h
rtl8187_dev.c rtl8187: use different ANAPARAM*_OFF values for 8187B 2008-07-14 14:52:56 -04:00
rtl8187_rtl8225.c rtl8187: use different ANAPARAM*_OFF values for 8187B 2008-07-14 14:52:56 -04:00
rtl8187_rtl8225.h rtl8187: use different ANAPARAM*_OFF values for 8187B 2008-07-14 14:52:56 -04:00
rtl8187.h rtl8187: updating rtl8187.h to support RTL8187B 2008-07-08 14:16:06 -04:00
spectrum_cs.c
strip.c Fix strip driver back up for ldisc/tty changes 2008-07-20 17:12:38 -07:00
wavelan_cs.c
wavelan_cs.h
wavelan_cs.p.h
wavelan.c
wavelan.h
wavelan.p.h
wl3501_cs.c
wl3501.h
zd1201.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux-2.6 2008-07-18 02:39:39 -07:00
zd1201.h