Bug 7245 - zd1211rw + restricted key: slab corruption
Summary: zd1211rw + restricted key: slab corruption
Alias: None
Product: Drivers
Classification: Unclassified
Component: network-wireless
Hardware: i386 Linux
Importance: P2 normal
Assignee: Daniel Drake
Depends on:
Reported: 2006-10-01 09:14 UTC by Laurent Riffard
Modified: 2006-11-15 13:28 UTC

See Also:
Kernel Version: 2.6.18-mm2
Tree: Mainline
Regression: ---

.config (48.21 KB, text/plain)
2006-10-01 09:15 UTC, Laurent Riffard
dmesg (does not include slab corruption messages) (24.71 KB, text/plain)
2006-10-01 09:18 UTC, Laurent Riffard
sotftmac-fix-restricted-key-association.patch (785 bytes, patch)
2006-10-11 14:20 UTC, Laurent Riffard
sotftmac-fix-slab-corrpution-in-restricted-key-association.patch (918 bytes, patch)
2006-10-11 15:13 UTC, Laurent Riffard

Description Laurent Riffard 2006-10-01 09:14:58 UTC
Distribution: Mandriva 2007 RC2

Hardware Environment: i686-based desktop, USB Wifi adapter which appears to be a
"Sagem XG76NA" (USB ID is 079b:0062, RF Type is AL2230). 

Software Environment: zd1211rw driver from http://dsd.object4.net/git/zd1211.git 

Problem Description: using a key in restricted mode causes a slab corruption error.
This corruption is fully reproducible and may cause the system to freeze.

Steps to reproduce:
- boot to runlevel 1
- be sure udevd is up and firmware_class module is loaded
- plug the adapter and run the following commands:
    ifconfig eth1 up
    iwconfig eth1 key restricted [your key]
    iwconfig eth1 essid [your essid]

[root@calimero ~]# sh -x /test-zd.sh
+ iwconfig eth1
eth1      IEEE 802.11b/g  ESSID:off/any  Nickname:"zd1211"
         Mode:Managed  Access Point: Invalid  
         Encryption key:off
         Link Quality:0  Signal level:0  Noise level:0
         Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
         Tx excessive retries:0  Invalid misc:0   Missed beacon:0

+ ifconfig eth1 up
+ iwlist eth1 scanning
eth1      Scan completed :
         Cell 01 - Address: 00:16:41:8F:79:0D
                   Protocol:IEEE 802.11bg
                   Encryption key:on
                   Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                             11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                             48 Mb/s; 54 Mb/s
                   Quality=100/100  Signal level=11/100 
                   IE: WPA Version 1
                       Group Cipher : TKIP
                       Pairwise Ciphers (1) : TKIP
                       Authentication Suites (1) : PSK 
                   Extra: Last beacon: 292ms ago

+ iwconfig eth1 key restricted 1234-5678-9012-3456-7890-1234-56
+ iwconfig eth1 essid Livebox-8ae5
[root@calimero ~]#
[root@calimero ~]# dmesg | tail -20
zd1211rw 1-1:1.0: firmware version 4725
zd1211rw 1-1:1.0: zd1211b chip 079b:0062 v4810 full 00-60-b3 AL2230_RF pa0 g---
zd1211rw 1-1:1.0: eth1
usbcore: registered new interface driver zd1211rw
ieee80211_crypt: registered algorithm 'WEP'
slab error in verify_redzone_free(): cache `size-32': memory outside object was
[<c0103939>] show_trace_log_lvl+0x12/0x25
[<c0103a1a>] show_trace+0xd/0x10
[<c010412c>] dump_stack+0x19/0x1b
[<c01504a1>] __slab_error+0x17/0x1c
[<c015055a>] cache_free_debugcheck+0xb4/0x18b
[<c0150bfd>] kfree+0x71/0xbd
[<e104a681>] ieee80211softmac_send_mgt_frame+0x3b1/0x3c0 [ieee80211softmac]
[<e104a865>] ieee80211softmac_auth_challenge_response+0x1b/0x21 [ieee80211softmac]
[<c012488f>] run_workqueue+0x82/0xc4
[<c0124db5>] worker_thread+0xe1/0x114
[<c012728c>] kthread+0xb0/0xdc
[<c0103853>] kernel_thread_helper+0x7/0x10
cc32d3a8: redzone 1:0x170fc2a5, redzone 2:0xb666c946
Comment 1 Laurent Riffard 2006-10-01 09:15:56 UTC
Created attachment 9142 [details]
Comment 2 Laurent Riffard 2006-10-01 09:18:19 UTC
Created attachment 9143 [details]
dmesg (does not include slab corruption messages)
Comment 3 Laurent Riffard 2006-10-11 14:20:14 UTC
Created attachment 9225 [details]

This patch fixed the problem for me. I'm now able to connect to my AP:

# iwconfig eth1
eth1	  IEEE 802.11b/g  ESSID:"Livebox-8ae5"	Nickname:"zd1211"
	  Mode:Managed	Frequency:2.437 GHz  Access Point: 00:16:41:8F:79:0D   

	  Bit Rate=11 Mb/s   
	  Encryption key:xxxx-xxxx-...	 Security mode:restricted
	  Link Quality=96/100  Signal level=100/100  
	  Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
	  Tx excessive retries:0  Invalid misc:0   Missed beacon:0
# ifconfig eth1
eth1	  Link encap:Ethernet  HWaddr 00:60:B3:49:10:78  
	  inet adr:  Bcast:  Masque:
	  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
	  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
	  collisions:0 lg file transmission:1000 
	  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Please confirm this is the right thing to do.
Comment 4 Daniel Drake 2006-10-11 14:39:00 UTC
Thanks, that's correct. Just for clarity, it would be nicer if the logic wasn't
inverted, i.e. do it like this:

+		(is_shared_response ? 1 + 1 + net->challenge_len : 0)

Please add the URL of this bug to the description, add "Acked-by: Daniel Drake
<dsd@gentoo.org>" and email this patch to linville@tuxdriver.com with the
following people on CC: dsd@gentoo.org netdev@vger.kernel.org
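
The expression Daniel quotes above reserves room for the challenge-text IE only on the shared-key authentication response (transaction sequence 3), which is the frame the stack trace shows being built from ieee80211softmac_auth_challenge_response. The C below is an added example, not code from the softmac driver or from either attached patch: it models that length computation next to an inverted form assumed from Daniel's remark, and build_auth_body, shared_response_fits and the constants are assumed names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define WLAN_AUTH_SHARED_KEY  1
#define AUTH_SHARED_RESPONSE  3    /* auth seq 3: station echoes the AP's challenge */
#define WLAN_EID_CHALLENGE    16
#define WEP_CHALLENGE_LEN     128  /* 802.11 shared-key challenge text is 128 octets */
static int is_shared_response(int auth_mode, int transaction)
{
    return auth_mode == WLAN_AUTH_SHARED_KEY && transaction == AUTH_SHARED_RESPONSE;
}
/* Assumed pre-patch form with the ternary inverted: room for the challenge IE is
 * reserved on every auth frame except the one that actually carries it. */
size_t auth_len_buggy(int auth_mode, int transaction, size_t challenge_len)
{
    return 2 + 2 + 2 +   /* algorithm, transaction seq, status code */
           (is_shared_response(auth_mode, transaction) ? 0 : 1 + 1 + challenge_len);
}
/* Form from Comment 4: EID + length + challenge text only on the shared response. */
size_t auth_len_fixed(int auth_mode, int transaction, size_t challenge_len)
{
    return 2 + 2 + 2 +
           (is_shared_response(auth_mode, transaction) ? 1 + 1 + challenge_len : 0);
}
/* Writes the auth frame body into buf; returns bytes written, or -1 when the body
 * would overrun buf_len (the overrun the slab redzone caught in the report). */
int build_auth_body(uint8_t *buf, size_t buf_len, int auth_mode, int transaction,
                    uint16_t status, const uint8_t *challenge, size_t challenge_len)
{
    size_t need = 6 + (is_shared_response(auth_mode, transaction) ? 2 + challenge_len : 0);
    if (need > buf_len || challenge_len > 255) return -1;
    buf[0] = (uint8_t)auth_mode;   buf[1] = (uint8_t)(auth_mode >> 8);   /* little-endian */
    buf[2] = (uint8_t)transaction; buf[3] = (uint8_t)(transaction >> 8);
    buf[4] = (uint8_t)status;      buf[5] = (uint8_t)(status >> 8);
    if (need > 6) {
        buf[6] = WLAN_EID_CHALLENGE;
        buf[7] = (uint8_t)challenge_len;
        memcpy(buf + 8, challenge, challenge_len);
    }
    return (int)need;
}
/* Constructed check: size the buffer with a formula, then build the shared response. */
int shared_response_fits(size_t (*len_fn)(int, int, size_t))
{
    uint8_t challenge[WEP_CHALLENGE_LEN] = {0xAB}, buf[256];
    size_t n = len_fn(WLAN_AUTH_SHARED_KEY, AUTH_SHARED_RESPONSE, WEP_CHALLENGE_LEN);
    return build_auth_body(buf, n, WLAN_AUTH_SHARED_KEY, AUTH_SHARED_RESPONSE, 0,
                           challenge, WEP_CHALLENGE_LEN) >= 0;
}
```

With the inverted formula the shared response gets only the 6 fixed bytes while the open-system request is over-allocated; the corrected formula gives the response its 136 bytes and the request its 6.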

Comment 5 Laurent Riffard 2006-10-11 15:13:50 UTC
Created attachment 9226 [details]

Updated patch
Comment 6 Laurent Riffard 2006-11-15 13:28:20 UTC
Patch merged in kernel 2.6.19-rc3 by commit