crash in wpa_supplicant

Alexandru Costache alexandru.costache.100 at gmail.com
Fri Mar 28 05:12:49 EDT 2014


Hi,

I was running a stress test with connman 1.19 and wpa_supplicant 2.0, more
exactly a script which enables and disables tethering in a loop

for i in {1..100};
do
connmanctl tether wifi on test12 testTest123!
sleep 1;
connmanctl tether wifi off
sleep 1;
done

Sooner or later a race occurs and wpa_supplicant crashes, at different
points. It looks like when wpa_supplicant_scan() or
wpa_supplicant_delayed_sched_scan_timeout() are scheduled to run, that
wpa_supplicant data provided is no longer valid.

Usually backtraces are similar to the ones below:

0xb7738424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7738424 in __kernel_vsyscall ()
#1  0xb7394cc1 in raise () from /lib/libc.so.6
#2  0xb73980ee in abort () from /lib/libc.so.6
#3  0xb74fcc95 in _dbus_abort () from /usr/lib/libdbus-1.so.3
#4  0xb74f1e46 in _dbus_warn_check_failed () from /usr/lib/libdbus-1.so.3
#5  0xb74e052e in dbus_message_unref () from /usr/lib/libdbus-1.so.3
#6  0xb74d295b in _dbus_connection_unlock () from /usr/lib/libdbus-1.so.3
#7  0xb74d7f41 in  () from /usr/lib/libdbus-1.so.3
#8  0x080c4aea in wpa_dbus_mark_property_changed (iface=0xb74c4660,
path=0x82c3318 "\210G,\b\360'+\b\020", interface=0x8118940
"fi.w1.wpa_supplicant1.Interface",
    property=0x8118690 "ApScan") at dbus/dbus_new_helpers.c:882
#9  0x080c6c35 in wpas_dbus_signal_prop_changed (wpa_s=0x82b9430,
property=WPAS_DBUS_PROP_AP_SCAN) at dbus/dbus_new.c:1763
#10 0x0805299a in wpas_notify_ap_scan_changed (wpa_s=0x82b9430) at
notify.c:114
#11 0x080de495 in wpa_supplicant_scan (eloop_ctx=0x82b9430,
timeout_ctx=0x0) at scan.c:620
#12 0x080579d3 in eloop_run () at ../src/utils/eloop.c:783
#13 0x080d486e in wpa_supplicant_run (global=0x82ae630) at
wpa_supplicant.c:3381
#14 0x080dff86 in main (argc=4, argv=0xbfbc42d4) at main.c:307

    Invalid path


=============================================


#0  0xb74e07f0 in __memcpy_ssse3 () from /lib/libc.so.6
#1  0x080dee33 in wpa_supplicant_build_filter_ssids (eloop_ctx=0x988d1f0,
timeout_ctx=0x0) at /usr/include/bits/string3.h:52
#2  wpa_supplicant_scan (eloop_ctx=0x988d1f0, timeout_ctx=0x0) at scan.c:829
#3  0x080579d3 in eloop_run () at ../src/utils/eloop.c:783
#4  0x080d490e in wpa_supplicant_run (global=0x9877630) at
wpa_supplicant.c:3381
#5  0x080e0026 in main (argc=3, argv=0xbf826c54) at main.c:307

 ssid->ssid = 0x80


=============================================


(gdb) bt
#0  wpa_supplicant_req_sched_scan (wpa_s=0x90c87d0) at scan.c:1011
#1  0x080de2eb in wpa_supplicant_delayed_sched_scan_timeout
(eloop_ctx=0x90c87d0, timeout_ctx=0x0) at scan.c:246
#2  0x080579d3 in eloop_run () at ../src/utils/eloop.c:783
#3  0x080d490e in wpa_supplicant_run (global=0x90b6630) at
wpa_supplicant.c:3381
#4  0x080e0026 in main (argc=3, argv=0xbf96e414) at main.c:307

(gdb) p wpa_s->max_sched_scan_ssids
$1 = -1217658744


==============================================

(gdb) bt
#0  0x080dd803 in wpa_supplicant_enabled_networks (wpa_s=0x9b95178) at
scan.c:96
#1  0x080de3f8 in wpa_supplicant_scan (eloop_ctx=0x9b95178,
timeout_ctx=0x0) at scan.c:607
#2  0x080579d3 in eloop_run () at ../src/utils/eloop.c:783
#3  0x080d490e in wpa_supplicant_run (global=0x9b7e630) at
wpa_supplicant.c:3381
#4  0x080e0026 in main (argc=3, argv=0xbffae3e4) at main.c:307

(gdb) p wpa_s->conf
$1 = (struct wpa_config *) 0x0


==============================================

(gdb) bt
#0  wpa_drv_set_operstate (wpa_s=0x869e378, state=WPA_DISCONNECTED) at
driver_i.h:214
#1  wpa_supplicant_set_state (wpa_s=0x869e378, state=WPA_DISCONNECTED) at
wpa_supplicant.c:680
#2  0x080de630 in wpa_supplicant_scan (eloop_ctx=0x869e378,
timeout_ctx=0x0) at scan.c:602
#3  0x080579d3 in eloop_run () at ../src/utils/eloop.c:783
#4  0x080d490e in wpa_supplicant_run (global=0x8693630) at
wpa_supplicant.c:3381
#5  0x080e0026 in main (argc=3, argv=0xbfc615b4) at main.c:307

==============================================
I'm not very familiar with what happens here so I don't know how the fix
should look like. Maybe this has already been fixed in a later version?
Please let me know if there's other info that I should provide, like
detailed debug logs.

Thank you,
Alexandru
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20140328/6d0fe519/attachment-0001.htm>


More information about the HostAP mailing list