Bug 207703 - kernel BUG at mm/slub.c:306!
Summary: kernel BUG at mm/slub.c:306!
Alias: None
Product: Networking
Classification: Unclassified
Component: Wireless (show other bugs)
Hardware: x86-64 Linux
: P1 high
Assignee: Brian Norris
: 207797 (view as bug list)
Depends on:
Reported: 2020-05-12 15:21 UTC by LI AR
Modified: 2020-07-02 03:33 UTC (History)
2 users (show)

See Also:
Kernel Version: 5.4.0-29-generic #33-Ubuntu SMP
Regression: Yes
Bisected commit-id:

Crash due to bug in ath9k (4.58 KB, text/plain)
2020-05-12 15:21 UTC, LI AR

Description LI AR 2020-05-12 15:21:57 UTC
Created attachment 289093 [details]
Crash due to bug in ath9k


I've upgraded my XUbuntu to 20.04. Since then I've encountered several crashes.

Apparently, there's a bug in ath9k...

See attached kernel trace
Comment 1 Brian Norris 2020-05-12 16:50:40 UTC
I believe you're hitting a double-free in a kfree_skb() added by this commit, which first appeared in 5.4:

commit 728c1e2a05e4b5fc52fab3421dce772a806612a2
Author: Navid Emamdoost <navid.emamdoost@gmail.com>
Date:   Fri Sep 6 13:59:30 2019 -0500

    ath9k: release allocated buffer if timed out

It would seem that this patch is buggy and probably should be reverted. IIUC, we've already "submitted" the SKB to another layer at that point, and that layer should be responsible for freeing it (e.g., in hif_usb_regout_cb).

I wonder about the author's other patches, which all seem to be the same sort of mechanical (likely-untested) "leak-fixing" patches...
Comment 2 Brian Norris 2020-05-13 19:00:09 UTC
It looks like this is already reverted in linux-next:

commit ced21a4c726bdc60b1680c050a284b08803bc64c
Author: Qiujun Huang <hqjagain@gmail.com>
Date:   Sat Apr 4 12:18:34 2020 +0800

    ath9k: Fix use-after-free Read in htc_connect_service


It's on its way to 5.8:


If you have the ability to apply that patch to your own kernel, you might give it a try. Hopefully we can get it queued to -stable eventually.
Comment 3 Brian Norris 2020-05-20 20:56:58 UTC
*** Bug 207797 has been marked as a duplicate of this bug. ***
Comment 4 Brian Norris 2020-07-02 03:33:50 UTC
For the record, the patch was merged to v5.4.47 (and other newer kernels)

Note You need to log in before you can comment on or make changes to this bug.