#12197 NORM 13.1.0: xo-4 page faults and silent hangs on boot. mwifiex?
Zarro Boogs per Child
bugtracker at laptop.org
Mon Jan 7 14:15:48 EST 2013
#12197: xo-4 page faults and silent hangs on boot. mwifiex?
---------------------------------+------------------------------------------
Reporter: pgf | Owner: shep
Type: defect | Status: new
Priority: normal | Milestone: 13.1.0
Component: wireless | Version: Development build as of this date
Resolution: | Keywords:
Next_action: reproduce | Verified: 0
Deployment_affected: | Blockedby:
Blocking: |
---------------------------------+------------------------------------------
Comment(by shep):
Hmmm... very suspicious code in mwifiex_sta_init_cmd where it allocates
{{{
struct mwifiex_ds_11n_tx_cfg tx_cfg;
}}}
on the stack and then later
{{{
tx_cfg.tx_htcap = MWIFIEX_FW_DEF_HTTXCFG;
ret = mwifiex_send_cmd_async(priv, HostCmd_CMD_11N_CFG,
                             HostCmd_ACT_GEN_SET, 0, &tx_cfg);
}}}
so the pointer to struct mwifiex_ds_11n_tx_cfg on the stack gets copied
into the command and then when the command response comes back,
mwifiex_process_sta_cmdresp (in a different kernel thread) calls
{{{
case HostCmd_CMD_11N_CFG:
        ret = mwifiex_ret_11n_cfg(resp, data_buf);
        break;
}}}
{{{
int mwifiex_ret_11n_cfg(struct host_cmd_ds_command *resp,
                        struct mwifiex_ds_11n_tx_cfg *tx_cfg)
{
        struct host_cmd_ds_11n_cfg *htcfg = &resp->params.htcfg;

        if (tx_cfg) {
                tx_cfg->tx_htcap = le16_to_cpu(htcfg->ht_tx_cap);
                tx_cfg->tx_htinfo = le16_to_cpu(htcfg->ht_tx_info);
        }
        return 0;
}
}}}
I think this might be the stack corruption bug I've been looking for. Now
to try and verify this, and look around to see if there are other similar
bugs nearby. Oh, and of course, fix it.
--
Ticket URL: <http://dev.laptop.org/ticket/12197#comment:7>
One Laptop Per Child <http://laptop.org/>
OLPC bug tracking system
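The hazard shep describes is a lifetime bug: a pointer to a stack variable is stored in an asynchronous command, and the response handler dereferences it from another thread after the submitting function has returned. The following is an added example, not code from the ticket or from the mwifiex driver, that models the pattern with a toy command queue and shows two safe shapes beside it: a synchronous command that waits before its stack buffer dies, and an asynchronous command whose request is copied into memory the queue node owns, with the result delivered through a callback into long-lived device state. A guard in the completion path refuses any async node that still borrows caller memory, so the ticket's pattern is caught before anything is written. All names (`cmd_node`, `submit_async`, `priv`, `g_dev`, `SAMPLE_RESP`, the scenario functions) are invented for this example and are not the driver's API.

```c
/* Model of the stack-lifetime hazard in the ticket: an async command stores a
 * pointer to the submitter's memory and the response handler, running later in
 * another context, writes through it. Every name here (cmd_node, submit_async,
 * priv, g_dev, SAMPLE_RESP, ...) is invented for this example; none is the
 * mwifiex driver's own API. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct tx_cfg { uint16_t tx_htcap; uint16_t tx_htinfo; };
typedef void (*cmd_done_fn)(const struct tx_cfg *result, void *ctx);

/* Constructed firmware response fed to every scenario below. */
static const struct tx_cfg SAMPLE_RESP = { .tx_htcap = 0x1234, .tx_htinfo = 0x5678 };

/* A queued command. An async node must own data_buf: when the response
 * arrives, the submitter's stack frame no longer exists. */
struct cmd_node {
    bool async, owns_buf;
    struct tx_cfg *data_buf;
    cmd_done_fn done;          /* async only: hands back the node-owned result */
    void *done_ctx;
    struct cmd_node *next;
};
static struct cmd_node *pending;   /* FIFO of commands awaiting a response */

static struct cmd_node *enqueue(bool async, struct tx_cfg *buf, bool owns) {
    struct cmd_node *n = calloc(1, sizeof *n), **pp = &pending;
    if (!n) return NULL;
    n->async = async; n->data_buf = buf; n->owns_buf = owns;
    while (*pp) pp = &(*pp)->next;
    return *pp = n;
}

/* Sync: borrowing the caller's buffer is fine, the caller waits for completion. */
static int submit_sync(struct tx_cfg *buf) { return enqueue(false, buf, false) ? 0 : -1; }

/* Async, hardened: copy the request into node-owned memory; deliver by callback. */
static int submit_async(const struct tx_cfg *req, cmd_done_fn done, void *ctx) {
    struct tx_cfg *copy = malloc(sizeof *copy);
    if (!copy) return -1;
    *copy = *req;
    struct cmd_node *n = enqueue(true, copy, true);
    if (!n) { free(copy); return -1; }
    n->done = done; n->done_ctx = ctx;
    return 0;
}

/* Async as in the ticket: a borrowed pointer, kept only to show the guard firing. */
static int submit_async_borrowed(struct tx_cfg *buf) { return enqueue(true, buf, false) ? 0 : -1; }

/* Analogue of mwifiex_ret_11n_cfg: writes the response into data_buf. */
static int ret_11n_cfg(const struct tx_cfg *resp, struct tx_cfg *out) {
    if (out) { out->tx_htcap = resp->tx_htcap; out->tx_htinfo = resp->tx_htinfo; }
    return 0;
}

/* Response path, conceptually another thread: deliver fw_resp to every pending
 * command. Returns the count completed, or -1 when an async node borrowed
 * memory (the dangling-stack pattern), refusing it before any write. */
static int complete_all(const struct tx_cfg *fw_resp) {
    int done = 0;
    while (pending) {
        struct cmd_node *c = pending;
        pending = c->next;
        if (c->async && !c->owns_buf) { free(c); return -1; }
        ret_11n_cfg(fw_resp, c->data_buf);
        if (c->async && c->done) c->done(c->data_buf, c->done_ctx);
        if (c->owns_buf) free(c->data_buf);
        free(c);
        done++;
    }
    return done;
}

/* Long-lived device state: the safe destination for async results. */
struct priv { struct tx_cfg cur; int completions; };
static struct priv g_dev;
static void on_11n_done(const struct tx_cfg *res, void *ctx) {
    struct priv *p = ctx; p->cur = *res; p->completions++;
}

/* Scenario 1: sync command with a stack buffer, waited for before return. */
static uint16_t sta_init_sync(const struct tx_cfg *fw_resp) {
    struct tx_cfg cfg = { .tx_htcap = 0x0020 };   /* constructed default */
    if (submit_sync(&cfg) != 0 || complete_all(fw_resp) != 1) return 0;  /* the wait */
    return cfg.tx_htcap;                          /* cfg is still alive here */
}

/* Scenario 2: async command; the response path touches only node-owned memory
 * and g_dev, and runs after sta_init_async's frame is gone. */
static int sta_init_async(struct priv *p) {
    struct tx_cfg req = { .tx_htcap = 0x0020 };
    return submit_async(&req, on_11n_done, p);
}
static int run_async_scenario(const struct tx_cfg *fw_resp) {
    return sta_init_async(&g_dev) == 0 ? complete_all(fw_resp) : -2;
}

/* Scenario 3: the ticket's pattern. cfg is dead once this returns; the guard in
 * complete_all rejects the node instead of writing through the stale pointer. */
static int sta_init_as_in_ticket(void) {
    struct tx_cfg cfg = { .tx_htcap = 0x0020 };
    return submit_async_borrowed(&cfg);
}
static int run_ticket_scenario(const struct tx_cfg *fw_resp) {
    return sta_init_as_in_ticket() == 0 ? complete_all(fw_resp) : -2;
}
```

The `owns_buf` check in `complete_all` is the kind of invariant a debug build of a command queue can assert: any command that outlives its submitter must carry a buffer the queue owns, never an address handed in by the caller. In the real driver the equivalent fix is either to make the call synchronous so the stack variable is still live when the response is processed, or to give the response handler a destination that lives as long as the device state.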