Re: [ 08/12] mac80211: zero initialize count field in ieee80211_tx_rate

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	Pavel Roskin <proski@gnu.org>,
	Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>,
	"John W. Linville" <linville@tuxdriver.com>
Subject: Re: [ 08/12] mac80211: zero initialize count field in ieee80211_tx_rate
Date: Mon, 12 Mar 2012 07:31:08 +0100	[thread overview]
Message-ID: <20120312063108.GC8971@1wt.eu> (raw)
In-Reply-To: <1331517472.3022.150.camel@deadeye>

On Mon, Mar 12, 2012 at 01:57:52AM +0000, Ben Hutchings wrote:
> On Mon, 2012-03-12 at 01:20 +0100, Willy Tarreau wrote:
> > 2.6.32-longterm review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
> > 
> > commit 8617b093d0031837a7be9b32bc674580cfb5f6b5 upstream.
> > 
> > rate control algorithms concludes the rate as invalid
> > with rate[i].idx < -1 , while they do also check for rate[i].count is
> > non-zero. it would be safer to zero initialize the 'count' field.
> > recently we had a ath9k rate control crash where the ath9k rate control
> > in ath_tx_status assumed to check only for rate[i].count being non-zero
> > in one instance and ended up in using invalid rate index for
> > 'connection monitoring NULL func frames' which eventually lead to the crash.
> > thanks to Pavel Roskin for fixing it and finding the root cause.
> > https://bugzilla.redhat.com/show_bug.cgi?id=768639
> 
> In 2.6.32, ath_tx_status() checks that rates[i].idx >= 0, so it properly
> ignores these dummy entries.  Further, there is code further down the
> rate_control_get_rate() function that sets .idx only and appears to
> depend on the initialisation of .count = 1.
> 
> So I'm pretty sure this patch is wrong for 2.6.32; it could be
> backported but I don't think the change is necessary anyway.

Dropping it then, thanks Ben !

Willy

next prev parent reply	other threads:[~2012-03-12  6:31 UTC|newest]

Thread overview: 61+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <feb44625a10a45049eddf27890e95d54@local>
2012-03-12  0:20 ` [ 00/12] 2.6.32.59-longterm review Willy Tarreau
2012-03-12  0:20 ` [ 01/12] compat: Re-add missing asm/compat.h include to fix compile breakage on s390 Willy Tarreau
2012-03-12  0:20 ` [ 02/12] Remove COMPAT_IA32 support Willy Tarreau
2012-03-12  1:07   ` Ben Hutchings
2012-03-12  2:49     ` Greg KH
2012-03-12  6:30       ` Willy Tarreau
2012-03-12  6:48         ` stripping [PATCH] without losing later tags from mailed patches (Re: [ 02/12] Remove COMPAT_IA32 support) Jonathan Nieder
2012-03-12  8:58           ` Willy Tarreau
2012-03-12 15:20             ` Greg KH
2012-03-12 15:24               ` Willy Tarreau
2012-03-12 16:41                 ` Thomas Rast
2012-03-12 16:53                   ` Willy Tarreau
2012-03-12 16:57                   ` Jonathan Nieder
2012-03-12 18:04                     ` Junio C Hamano
2012-03-12 18:50                       ` Willy Tarreau
2012-03-12 18:54                         ` Jonathan Nieder
2012-03-12 19:17                           ` Willy Tarreau
2012-03-12 21:47                       ` Thomas Rast
2012-03-12 21:56                         ` [PATCH] git-am: error out when seeing -b/--binary Jonathan Nieder
2012-03-12 22:03                           ` Thomas Rast
2012-03-12 22:22                             ` Jonathan Nieder
2012-03-13 15:31                               ` Thomas Rast
2012-03-13 17:31                                 ` Junio C Hamano
2012-03-13 17:51                                   ` Jonathan Nieder
2012-03-13 18:22                                     ` Junio C Hamano
2012-03-13 18:38                                       ` [PATCH] git-am: officially deprecate -b/--binary Junio C Hamano
2012-03-12 22:12                           ` [PATCH] git-am: error out when seeing -b/--binary Junio C Hamano
2012-03-12 21:57                         ` stripping [PATCH] without losing later tags from mailed patches (Re: [ 02/12] Remove COMPAT_IA32 support) Junio C Hamano
2012-03-12 16:40               ` Junio C Hamano
2012-03-12 16:48                 ` Willy Tarreau
2012-03-12 17:57                   ` Junio C Hamano
2012-03-12 18:45                     ` Willy Tarreau
2012-03-12 19:29                       ` Junio C Hamano
2012-03-12 17:12                 ` Greg KH
2012-03-12 18:01                   ` Junio C Hamano
2012-03-12 19:26                     ` Greg KH
2012-03-12 19:51                       ` Junio C Hamano
2012-03-12 20:19                       ` Willy Tarreau
2012-03-12 15:25         ` [ 02/12] Remove COMPAT_IA32 support Ben Hutchings
2012-03-12 17:02   ` Arnd Bergmann
2012-03-12 17:14     ` Willy Tarreau
2012-03-12 19:34     ` Ben Hutchings
2012-03-12 19:45       ` Willy Tarreau
2012-03-12  0:20 ` [ 03/12] writeback: fixups for !dirty_writeback_centisecs Willy Tarreau
2012-03-12  0:20 ` [ 04/12] bsg: fix sysfs link remove warning Willy Tarreau
2012-03-12  0:20 ` [ 05/12] eCryptfs: Handle failed metadata read in lookup Willy Tarreau
2012-03-12  0:20 ` [ 06/12] [S390] KEYS: Enable the compat keyctl wrapper on s390x Willy Tarreau
2012-03-12  0:20 ` [ 07/12] cifs: fix dentry refcount leak when opening a FIFO on lookup Willy Tarreau
2012-03-12  0:20 ` [ 08/12] mac80211: zero initialize count field in ieee80211_tx_rate Willy Tarreau
2012-03-12  1:57   ` Ben Hutchings
2012-03-12  4:36     ` Mohammed Shafi Shajakhan
2012-03-12  6:34       ` Willy Tarreau
2012-03-12  6:52         ` Mohammed Shafi Shajakhan
2012-03-12 15:23           ` Ben Hutchings
2012-03-12 15:55             ` Mohammed Shafi Shajakhan
2012-03-12 16:10               ` Mohammed Shafi Shajakhan
2012-03-12  6:31     ` Willy Tarreau [this message]
2012-03-12  0:20 ` [ 09/12] net/usbnet: avoid recursive locking in usbnet_stop() Willy Tarreau
2012-03-12  0:20 ` [ 10/12] regset: Prevent null pointer reference on readonly regsets Willy Tarreau
2012-03-12  0:20 ` [ 11/12] regset: Return -EFAULT, not -EIO, on host-side memory fault Willy Tarreau
2012-03-12  0:20 ` [ 12/12] watchdog: hpwdt: clean up set_memory_x call for 32 bit Willy Tarreau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120312063108.GC8971@1wt.eu \
    --to=w@1wt.eu \
    --cc=ben@decadent.org.uk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linville@tuxdriver.com \
    --cc=mohammed@qca.qualcomm.com \
    --cc=proski@gnu.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox