From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Bob Copeland <me@bobcopeland.com>,
"John W. Linville" <linville@tuxdriver.com>
Subject: [patch 06/24] cfg80211: fix looping soft lockup in find_ie()
Date: Wed, 16 Sep 2009 15:28:25 -0700 [thread overview]
Message-ID: <20090916222901.570305710@mini.kroah.org> (raw)
In-Reply-To: <20090916222934.GA31846@kroah.com>
[-- Attachment #1: cfg80211-fix-looping-soft-lockup-in-find_ie.patch --]
[-- Type: text/plain, Size: 4571 bytes --]
2.6.30-stable review patch. If anyone has any objections, please let us know.
------------------
From: Bob Copeland <me@bobcopeland.com>
commit fcc6cb0c13555e78c2d47257b6d1b5e59b0c419a upstream.
The find_ie() function uses a size_t for the len parameter, and
directly uses len as a loop variable. If any received packets
are malformed, it is possible for the decrease of len to overflow,
and since the result is unsigned, the loop will not terminate.
Change it to a signed int so the loop conditional works for
negative values.
This fixes the following soft lockup:
[38573.102007] BUG: soft lockup - CPU#0 stuck for 61s! [phy0:2230]
[38573.102007] Modules linked in: aes_i586 aes_generic fuse af_packet ipt_REJECT xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state iptable_filter ip_tables x_tables acpi_cpufreq binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath dm_mod kvm_intel kvm uinput i915 arc4 ecb drm snd_hda_codec_idt ath5k snd_hda_intel hid_apple mac80211 usbhid appletouch snd_hda_codec snd_pcm ath cfg80211 snd_timer i2c_algo_bit ohci1394 video snd processor ieee1394 rfkill ehci_hcd sg sky2 backlight snd_page_alloc uhci_hcd joydev output ac thermal button battery sr_mod applesmc cdrom input_polldev evdev unix [last unloaded: scsi_wait_scan]
[38573.102007] irq event stamp: 2547724535
[38573.102007] hardirqs last enabled at (2547724534): [<c1002ffc>] restore_all_notrace+0x0/0x18
[38573.102007] hardirqs last disabled at (2547724535): [<c10038f4>] apic_timer_interrupt+0x28/0x34
[38573.102007] softirqs last enabled at (92950144): [<c103ab48>] __do_softirq+0x108/0x210
[38573.102007] softirqs last disabled at (92950274): [<c1348e74>] _spin_lock_bh+0x14/0x80
[38573.102007]
[38573.102007] Pid: 2230, comm: phy0 Tainted: G W (2.6.31-rc7-wl #8) MacBook1,1
[38573.102007] EIP: 0060:[<f8ea2d50>] EFLAGS: 00010292 CPU: 0
[38573.102007] EIP is at cmp_ies+0x30/0x180 [cfg80211]
[38573.102007] EAX: 00000082 EBX: 00000000 ECX: ffffffc1 EDX: d8efd014
[38573.102007] ESI: ffffff7c EDI: 0000004d EBP: eee2dc50 ESP: eee2dc3c
[38573.102007] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[38573.102007] CR0: 8005003b CR2: d8efd014 CR3: 01694000 CR4: 000026d0
[38573.102007] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[38573.102007] DR6: ffff0ff0 DR7: 00000400
[38573.102007] Call Trace:
[38573.102007] [<f8ea2f8d>] cmp_bss+0xed/0x100 [cfg80211]
[38573.102007] [<f8ea33e4>] cfg80211_bss_update+0x84/0x410 [cfg80211]
[38573.102007] [<f8ea3884>] cfg80211_inform_bss_frame+0x114/0x180 [cfg80211]
[38573.102007] [<f97255ff>] ieee80211_bss_info_update+0x4f/0x180 [mac80211]
[38573.102007] [<f972b118>] ieee80211_rx_bss_info+0x88/0xf0 [mac80211]
[38573.102007] [<f9739297>] ? ieee802_11_parse_elems+0x27/0x30 [mac80211]
[38573.102007] [<f972b224>] ieee80211_rx_mgmt_probe_resp+0xa4/0x1c0 [mac80211]
[38573.102007] [<f972bc59>] ieee80211_sta_rx_queued_mgmt+0x919/0xc50 [mac80211]
[38573.102007] [<c1009707>] ? sched_clock+0x27/0xa0
[38573.102007] [<c1009707>] ? sched_clock+0x27/0xa0
[38573.102007] [<c105ffd0>] ? mark_held_locks+0x60/0x80
[38573.102007] [<c1348be5>] ? _spin_unlock_irqrestore+0x55/0x70
[38573.102007] [<c134baa5>] ? sub_preempt_count+0x85/0xc0
[38573.102007] [<c1348bce>] ? _spin_unlock_irqrestore+0x3e/0x70
[38573.102007] [<c12c1c0f>] ? skb_dequeue+0x4f/0x70
[38573.102007] [<f972c021>] ieee80211_sta_work+0x91/0xb80 [mac80211]
[38573.102007] [<c1009707>] ? sched_clock+0x27/0xa0
[38573.102007] [<c134baa5>] ? sub_preempt_count+0x85/0xc0
[38573.102007] [<c10479af>] worker_thread+0x18f/0x320
[38573.102007] [<c104794e>] ? worker_thread+0x12e/0x320
[38573.102007] [<c1348be5>] ? _spin_unlock_irqrestore+0x55/0x70
[38573.102007] [<f972bf90>] ? ieee80211_sta_work+0x0/0xb80 [mac80211]
[38573.102007] [<c104cbb0>] ? autoremove_wake_function+0x0/0x50
[38573.102007] [<c1047820>] ? worker_thread+0x0/0x320
[38573.102007] [<c104c854>] kthread+0x84/0x90
[38573.102007] [<c104c7d0>] ? kthread+0x0/0x90
[38573.102007] [<c1003ab7>] kernel_thread_helper+0x7/0x10
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/wireless/scan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -97,7 +97,7 @@ void cfg80211_bss_expire(struct cfg80211
dev->bss_generation++;
}
-static u8 *find_ie(u8 num, u8 *ies, size_t len)
+static u8 *find_ie(u8 num, u8 *ies, int len)
{
while (len > 2 && ies[0] != num) {
len -= ies[1] + 2;
next prev parent reply other threads:[~2009-09-16 22:33 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20090916222819.244332644@mini.kroah.org>
2009-09-16 22:29 ` [patch 00/24] 2.6.30.8-stable review Greg KH
2009-09-16 22:28 ` [patch 01/24] Input: joydev - decouple axis and button map ioctls from input constants Greg KH
2009-09-16 22:28 ` [patch 02/24] [SCSI] sg: fix oops in the error path in sg_build_indirect() Greg KH
2009-09-16 22:28 ` [patch 03/24] agp/intel: remove restore in resume Greg KH
2009-09-16 22:28 ` [patch 04/24] ath5k: write PCU registers on initial reset Greg KH
2009-09-16 22:28 ` [patch 05/24] binfmt_elf: fix PT_INTERP bss handling Greg KH
2009-09-16 22:28 ` Greg KH [this message]
2009-09-16 22:28 ` [patch 07/24] fix undefined reference to user_shm_unlock Greg KH
2009-09-16 22:28 ` [patch 08/24] powerpc/ps3: Workaround for flash memory I/O error Greg KH
2009-09-16 22:28 ` [patch 09/24] TPM: Fixup boot probe timeout for tpm_tis driver Greg KH
2009-09-16 22:28 ` [patch 10/24] udf: Use device size when drive reported bogus number of written blocks Greg KH
2009-09-16 22:28 ` [patch 11/24] ALSA: cs46xx - Fix minimum period size Greg KH
2009-09-16 22:28 ` [patch 12/24] ARM: 5691/1: fix cache aliasing issues between kmap() and kmap_atomic() with highmem Greg KH
2009-09-16 22:28 ` [patch 13/24] ASoC: Fix WM835x Out4 capture enumeration Greg KH
2009-09-16 22:28 ` [patch 14/24] mlx4_core: Allocate and map sufficient ICM memory for EQ context Greg KH
2009-09-16 22:28 ` [patch 15/24] PCI: apply nv_msi_ht_cap_quirk on resume too Greg KH
2009-09-16 22:28 ` [patch 16/24] sound: oxygen: work around MCE when changing volume Greg KH
2009-09-16 22:28 ` [patch 17/24] x86: Fix x86_model test in es7000_apic_is_cluster() Greg KH
2009-09-16 22:28 ` [patch 18/24] x86/i386: Make sure stack-protector segment base is cache aligned Greg KH
2009-09-16 22:28 ` [patch 19/24] x86, pat: Fix cacheflush address in change_page_attr_set_clr() Greg KH
2009-09-16 22:28 ` [patch 20/24] V4L: em28xx: set up tda9887_conf in em28xx_card_setup() Greg KH
2009-09-16 22:28 ` [patch 21/24] virtio_blk: dont bounce highmem requests Greg KH
2009-09-16 22:28 ` [patch 22/24] libata: fix off-by-one error in ata_tf_read_block() Greg KH
2009-09-16 22:28 ` [patch 23/24] PCI: Unhide the SMBus on the Compaq Evo D510 USDT Greg KH
2009-09-16 22:28 ` [patch 24/24] powerpc/pseries: Fix to handle slb resize across migration Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090916222901.570305710@mini.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=me@bobcopeland.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox