Latest working kernel version: None
Earliest failing kernel version: All
Distribution: openSUSE 11.0
Hardware Environment: x86_64
Software Environment: rtl8187

Problem Description:
Unloading driver rtl8187 generates a GPF if SLUB debugging is enabled and the system is booted with the 'slub_debug=P' option. The reason for the GPF is that the driver attempts to free a urb that has already been freed - a classic 'use-after-free' situation. The crash dump is as follows:

kernel: general protection fault: 0000 [#1] SMP
kernel: last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2shared_cpu_map
kernel: CPU 0
kernel: Modules linked in: rtl8187(-) eeprom_93cx6 snd_pcm_oss snd_mixer_oss snd_seq snd_seq_device af_packet sunrpc rfkill_input cpufreq_conservative cpufreq_userspace cpufreq_powersave powernow_k8 fuse loop dm_mod ide_cd_mod cdrom arc4 ecb b43 rfkill snd_hda_intel mac80211 led_class amd74xx snd_pcm input_polldev snd_timer snd cfg80211 k8temp soundcore hwmon ide_pci_generic ssb serio_raw forcedeth sg snd_page_alloc ide_core battery ac button joydev sd_mod ohci_hcd uhci_hcd ehci_hcd usbcore edd fan thermal processor ext3 mbcache jbd ahci libata scsi_mod [last unloaded: usbtest]
kernel: Pid: 8057, comm: modprobe Not tainted 2.6.28-rc7 #29
kernel: RIP: 0010:[<ffffffff8031cf99>]  [<ffffffff8031cf99>] kref_get+0xc/0x2b
kernel: RSP: 0018:ffff8800b9eb5b48  EFLAGS: 00010096
kernel: RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6dbb RCX: 0000000000000016
kernel: RDX: 0000000000000301 RSI: ffffffff8020bf3b RDI: 6b6b6b6b6b6b6dbb
kernel: RBP: ffff8800b9eb5b58 R08: 00000003b9fdc830 R09: ffffffffa00fc2a0
kernel: R10: ffffffff8025b866 R11: ffffffff8089a2b0 R12: ffff8800b8f1bc80
kernel: R13: 0000000000000286 R14: 00000000fffffffe R15: ffff8800b8dd2020
kernel: FS:  00007f320f7086f0(0000) GS:ffffffff8070a600(0000) knlGS:00000000f7d1c6c0
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
kernel: CR2: 00007f770e627000 CR3: 00000000b9f17000 CR4: 00000000000006e0
kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
kernel: Process modprobe (pid: 8057, threadinfo ffff8800b9eb4000, task ffff8800b9fdc830)
kernel: Stack:
kernel:  ffff8800b9eb5b78 6b6b6b6b6b6b6d83 ffff8800b9eb5b78 ffffffff8031c1cd
kernel:  ffff8800b9f69cc0 6b6b6b6b6b6b6b6b ffff8800b9eb5b88 ffffffff80399f75
kernel:  ffff8800b9eb5ba8 ffffffffa00f7401 00000000ffffffd5 0000000000000000
kernel: Call Trace:
kernel:  [<ffffffff8031c1cd>] kobject_get+0x1a/0x22
kernel:  [<ffffffff80399f75>] get_device+0x17/0x1f
kernel:  [<ffffffffa00f7401>] usb_get_dev+0x1d/0x24 [usbcore]
kernel:  [<ffffffffa00fc2b7>] usb_hcd_unlink_urb+0x39/0x81 [usbcore]
kernel:  [<ffffffffa00fd594>] usb_kill_urb+0x6b/0xfa [usbcore]
kernel:  [<ffffffff803c3a61>] ? skb_dequeue+0x5b/0x66
kernel:  [<ffffffffa048f32d>] rtl8187_stop+0x278/0x28d [rtl8187]

A fix is now undergoing testing and will be submitted through the wireless-testing tree. This bug may be related to bugzilla entry 11887.

Steps to reproduce: Use SLUB with debugging enabled, boot with the option 'slub_debug=P', and 'modprobe -r rtl8187'.
The patch doesn't improve bug 11887 (i.e. possibly unrelated).
Which patch is/was this?
commit c1db52b9d27ee6e15a7136e67e4a21dc916cd07f
Author: Larry Finger <Larry.Finger@lwfinger.net>
Date: Tue Dec 9 23:34:27 2008 -0600

rtl8187: Use usb anchor facilities to manage urbs

When SLUB debugging is enabled in the kernel, and the boot command includes the option "slub_debug=P", rtl8187 encounters a GPF due to a read-after-free of a urb. Following the example of changes in p54usb to fix the same problem, the code has been modified to use the usb_anchor_urb() method. With this change, the USB core handles the freeing of urbs. This patch fixes the problem reported in Kernel Bugzilla #12185 (http://bugzilla.kernel.org/show_bug.cgi?id=12185).

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Tested-by: Hin-Tak Leung <htl10@users.sourceforge.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
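Added illustration, not code from the bug report, the rtl8187 driver or the commit above: a user-space C model of why slub_debug=P turns the second kill of an already freed urb (the report's trace) into a GPF, and of the anchor pattern the commit adopts, where each urb is killed and dropped exactly once. The struct names, the fake slab free and the looks_poisoned() check are assumptions of the model; 0x6b is SLUB's POISON_FREE byte, visible in the oops registers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-space model (not kernel code) of SLUB's slub_debug=P poisoning:
 * a freed object's body is filled with POISON_FREE (0x6b). */
#define POISON_FREE 0x6b

/* Stand-in for struct urb with only the field the oops dereferences. */
struct fake_urb { void *dev; };  /* urb->dev -> usb_get_dev() -> kref_get() */
struct fake_anchor { struct fake_urb *urbs[4]; int count; }; /* usb_anchor */

/* Simulated slab free: poison but keep the storage, so a later
 * read-after-free is observable here instead of faulting. */
static void slab_free_poison(struct fake_urb *urb)
{
    memset(urb, POISON_FREE, sizeof(*urb));
}

/* Upper bytes all 0x6b means the pointer was loaded from a freed object; the
 * oops shows RDI = 6b6b6b6b6b6b6dbb, a non-canonical address, hence the GPF. */
static int looks_poisoned(uintptr_t p)
{
    return (p >> 16) == 0x6b6b6b6b6b6bULL;
}

/* Buggy pattern from the report: the urb is freed, then stop() kills it. */
static int stop_buggy(void)
{
    static struct fake_urb urb;             /* stands in for the slab object */
    urb.dev = NULL;
    slab_free_poison(&urb);                 /* first free (completion path) */
    uintptr_t dev = (uintptr_t)urb.dev;     /* second use: reads poison bytes */
    return looks_poisoned(dev);             /* 1: the fault in the report */
}

/* Anchored pattern from the fix: each urb still in the anchor is killed and
 * freed once, then dropped, so a repeated stop() has nothing to touch. */
static int stop_anchored(struct fake_anchor *a)
{
    int touched_freed = 0;
    for (int i = 0; i < a->count; i++) {
        touched_freed |= looks_poisoned((uintptr_t)a->urbs[i]->dev);
        slab_free_poison(a->urbs[i]);
        free(a->urbs[i]);
        a->urbs[i] = NULL;
    }
    a->count = 0;
    return touched_freed;                   /* 0: no read of freed memory */
}
```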