From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
"Luis R. Rodriguez" <lrodriguez@atheros.com>,
"John W. Linville" <linville@tuxdriver.com>
Subject: [patch 08/71] mac80211: fix panic when splicing unprepared TIDs
Date: Fri, 04 Sep 2009 17:13:43 -0700
Message-ID: <20090905001448.519998467@mini.kroah.org>
In-Reply-To: <20090905001824.GA18171@kroah.com>
[-- Attachment #1: mac80211-fix-panic-when-splicing-unprepared-tids.patch --]
[-- Type: text/plain, Size: 3444 bytes --]
2.6.30-stable review patch. If anyone has any objections, please let us know.
------------------
From: Luis R. Rodriguez <lrodriguez@atheros.com>
commit 416fbdff2137e8d8cc8f23f517bee3a26b11526f upstream.
We splice skbs from the pending queue for a TID
onto the local pending queue when tearing down a
block ack request. This is not necessary unless we
actually have received a request to start a block ack
request (rate control, for example). If we never received
that request we should not be splicing the tid pending
queue as it would be null, causing a panic.
Not sure yet how exactly we allowed through a call when the
tid state does not have at least HT_ADDBA_REQUESTED_MSK set;
that will require some further review, as it is not quite
obvious.
For more information see the bug report:
http://bugzilla.kernel.org/show_bug.cgi?id=13922
This fixes this oops:
BUG: unable to handle kernel NULL pointer dereference at 00000030
IP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
*pdpt = 0000000002d1e001 *pde = 0000000000000000
Thread overran stack, or stack corrupted
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/aes_generic/initstate
Modules linked in: <bleh>
Pid: 0, comm: swapper Not tainted (2.6.31-rc5-wl #2) Dell DV051
EIP: 0060:[<f8806c70>] EFLAGS: 00010292 CPU: 0
EIP is at ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
EAX: 00000030 EBX: 0000004c ECX: 00000003 EDX: 00000000
ESI: c1c98000 EDI: f745a1c0 EBP: c076be58 ESP: c076be38
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c076a000 task=c0709160 task.ti=c076a000)
Stack: <bleh2>
Call Trace:
[<f8806edb>] ? ieee80211_stop_tx_ba_cb+0xab/0x150 [mac80211]
[<f8802f1e>] ? ieee80211_tasklet_handler+0xce/0x110 [mac80211]
[<c04862ff>] ? net_rx_action+0xef/0x1d0
[<c0149378>] ? tasklet_action+0x58/0xc0
[<c014a0f2>] ? __do_softirq+0xc2/0x190
[<c018eb48>] ? handle_IRQ_event+0x58/0x140
[<c01205fe>] ? ack_apic_level+0x7e/0x270
[<c014a1fd>] ? do_softirq+0x3d/0x40
[<c014a345>] ? irq_exit+0x65/0x90
[<c010a6af>] ? do_IRQ+0x4f/0xc0
[<c014a35d>] ? irq_exit+0x7d/0x90
[<c011d547>] ? smp_apic_timer_interrupt+0x57/0x90
[<c01094a9>] ? common_interrupt+0x29/0x30
[<c010fd9e>] ? mwait_idle+0xbe/0x100
[<c0107e42>] ? cpu_idle+0x52/0x90
[<c054b1a5>] ? rest_init+0x55/0x60
[<c077492d>] ? start_kernel+0x315/0x37d
[<c07743ce>] ? unknown_bootoption+0x0/0x1f9
[<c0774099>] ? i386_start_kernel+0x79/0x81
Code: <bleh3>
EIP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] SS:ESP 0068:c076be38
CR2: 0000000000000030
Tested-by: Jack Lau <jackelectronics@hotmail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/mac80211/agg-tx.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -376,6 +376,14 @@ static void ieee80211_agg_splice_packets
&local->hw, queue,
IEEE80211_QUEUE_STOP_REASON_AGGREGATION);
+ if (!(sta->ampdu_mlme.tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK))
+ return;
+
+ if (WARN(!sta->ampdu_mlme.tid_tx[tid],
+ "TID %d gone but expected when splicing aggregates from"
+ "the pending queue\n", tid))
+ return;
+
if (!skb_queue_empty(&sta->ampdu_mlme.tid_tx[tid]->pending)) {
spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
/* mark queue as pending, it is stopped already */
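Review bot: both new early returns (the HT_ADDBA_REQUESTED_MSK check and the WARN on a NULL tid_tx[tid]) fire after the queue has already been stopped with IEEE80211_QUEUE_STOP_REASON_AGGREGATION in the context lines just above them, so on those paths the queue stays stopped; that is only safe if every caller unconditionally pairs this function with the matching wake, which this hunk does not show. A one-line comment above the first `return` stating that the caller is responsible for waking the queue would make that contract explicit. Minor: the two adjacent string literals in the WARN message, `"... aggregates from"` and `"the pending queue\n"`, concatenate to "fromthe"; add a trailing space to the first literal. Note also that the commit message says the path into this function with the state bit clear is not yet understood, so the check suppresses the NULL dereference rather than correcting the state machine that produced it.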
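The teardown path the commit message describes (stop the hardware queue, move the TID's pending frames onto the local pending queue, wake the queue again), as an added user-space model that is not code from mac80211 or from this patch. The model keeps the kernel's names (tid_state_tx, tid_tx, HT_ADDBA_REQUESTED_MSK, the AGGREGATION and PENDING stop reasons) but its structures, bit values, access-category table and skb "queue" are simplified assumptions, and it goes one step beyond the hunk by also exercising the stop/wake pairing that the early returns depend on. An unprepared TID has tid_tx == NULL; before the patch the splice dereferenced it, with the patch's check it is skipped and the queue is left runnable:

```c
/* Added example, not the kernel's code: user-space model of mac80211's TX
 * block-ack teardown. Names follow the kernel; structures, bit values, AC
 * table and the skb "queue" are simplified assumptions of this model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_TIDS 16
#define NUM_QUEUES 4
#define HT_ADDBA_REQUESTED_MSK 0x01u            /* per-TID state bit (assumed value) */
#define QUEUE_STOP_REASON_AGGREGATION (1u << 0)
#define QUEUE_STOP_REASON_PENDING     (1u << 1)

struct skb_queue { unsigned int qlen; };           /* stand-in for sk_buff_head */
struct tid_ampdu_tx { struct skb_queue pending; }; /* allocated only after ADDBA */
/* tid_tx[] stays NULL for TIDs that never had an ADDBA request */
struct sta_info { unsigned int tid_state_tx[NUM_TIDS]; struct tid_ampdu_tx *tid_tx[NUM_TIDS]; };
struct local { unsigned int queue_stop_reasons[NUM_QUEUES]; struct skb_queue pending[NUM_QUEUES]; };

/* 802.1D priority -> AC (VO=0, VI=1, BE=2, BK=3), mac80211's ordering */
static unsigned int ac_from_tid(unsigned int tid)
{
	static const unsigned int ieee802_1d_to_ac[8] = { 2, 3, 3, 2, 1, 1, 0, 0 };
	return ieee802_1d_to_ac[tid & 7];
}

/* Model of the patched ieee80211_agg_splice_packets(): returns frames moved to
 * the local queue, 0 when nothing is moved (including the unprepared TID the
 * patch now rejects), -1 for the WARN case (bit set, tid_tx NULL). */
static int agg_splice_packets(struct local *local, struct sta_info *sta, unsigned int tid)
{
	unsigned int q = ac_from_tid(tid);
	struct tid_ampdu_tx *tx;
	int moved;

	local->queue_stop_reasons[q] |= QUEUE_STOP_REASON_AGGREGATION;
	/* the fix: no ADDBA was ever requested, so tid_tx was never allocated */
	if (!(sta->tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK))
		return 0;
	tx = sta->tid_tx[tid];
	if (!tx) {
		fprintf(stderr, "TID %u gone but expected when splicing\n", tid);
		return -1;
	}
	if (tx->pending.qlen == 0)
		return 0;
	/* mark queue as pending (it is stopped already), then splice tail + init */
	local->queue_stop_reasons[q] |= QUEUE_STOP_REASON_PENDING;
	moved = (int)tx->pending.qlen;
	local->pending[q].qlen += tx->pending.qlen;
	tx->pending.qlen = 0;
	return moved;
}

/* Releases the aggregation stop. Every early return above leaves it set, so
 * the teardown path must call this unconditionally. */
static void agg_splice_finish(struct local *local, unsigned int tid)
{
	local->queue_stop_reasons[ac_from_tid(tid)] &= ~QUEUE_STOP_REASON_AGGREGATION;
}

static int stop_tx_ba_teardown(struct local *local, struct sta_info *sta, unsigned int tid)
{
	int n = agg_splice_packets(local, sta, tid);
	agg_splice_finish(local, tid);
	return n;
}

/* One teardown on TID 5. prepared != 0: allocate tid_tx with `queued` frames
 * first (ADDBA requested); otherwise leave tid_tx NULL as in the bug report.
 * Returns frames moved, or a negative code if the queue state is wrong after. */
static int run_teardown(int prepared, unsigned int queued)
{
	struct local local;
	struct sta_info sta;
	unsigned int q = ac_from_tid(5), want_reasons = 0;
	int n;

	memset(&local, 0, sizeof local);
	memset(&sta, 0, sizeof sta);
	if (prepared) {
		sta.tid_tx[5] = calloc(1, sizeof *sta.tid_tx[5]);
		if (!sta.tid_tx[5])
			return -1;
		sta.tid_tx[5]->pending.qlen = queued;
		sta.tid_state_tx[5] |= HT_ADDBA_REQUESTED_MSK;
		if (queued)
			want_reasons = QUEUE_STOP_REASON_PENDING;
	}
	n = stop_tx_ba_teardown(&local, &sta, 5);
	/* AGGREGATION must be cleared again; PENDING only if frames were spliced */
	if (local.queue_stop_reasons[q] != want_reasons)
		n = -2;
	else if (local.pending[q].qlen != (prepared ? queued : 0))
		n = -3;
	free(sta.tid_tx[5]);
	return n;
}

int main(void)
{
	printf("unprepared TID: %d moved, prepared TID (3 frames): %d moved\n",
	       run_teardown(0, 0), run_teardown(1, 3));
	return 0;
}
```

The check that matters for the bug is the state-bit test before the first use of tid_tx; the check that matters for the rest of the driver is that agg_splice_finish still runs on every path, which is why the model's teardown wrapper calls it unconditionally rather than only when frames were spliced.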