linux/net
Luis R. Rodriguez 416fbdff21 mac80211: fix panic when splicing unprepared TIDs
We splice skbs from the pending queue for a TID
onto the local pending queue when tearing down a
block ack request. This is not necessary unless we
actually have received a request to start a block ack
request (rate control, for example). If we never received
that request we should not be splicing the tid pending
queue as it would be null, causing a panic.

Not sure yet how exactly we allowed through a call when the
tid state does not have at least HT_ADDBA_REQUESTED_MSK set,
that will require some further review as it is not quite
obvious.

For more information see the bug report:

http://bugzilla.kernel.org/show_bug.cgi?id=13922

This fixes this oops:

BUG: unable to handle kernel NULL pointer dereference at 00000030
IP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
*pdpt = 0000000002d1e001 *pde = 0000000000000000
Thread overran stack, or stack corrupted
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/aes_generic/initstate
Modules linked in: <bleh>

Pid: 0, comm: swapper Not tainted (2.6.31-rc5-wl #2) Dell DV051
EIP: 0060:[<f8806c70>] EFLAGS: 00010292 CPU: 0
EIP is at ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
EAX: 00000030 EBX: 0000004c ECX: 00000003 EDX: 00000000
ESI: c1c98000 EDI: f745a1c0 EBP: c076be58 ESP: c076be38
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c076a000 task=c0709160 task.ti=c076a000)
Stack: <bleh2>
Call Trace:
 [<f8806edb>] ? ieee80211_stop_tx_ba_cb+0xab/0x150 [mac80211]
 [<f8802f1e>] ? ieee80211_tasklet_handler+0xce/0x110 [mac80211]
 [<c04862ff>] ? net_rx_action+0xef/0x1d0
 [<c0149378>] ? tasklet_action+0x58/0xc0
 [<c014a0f2>] ? __do_softirq+0xc2/0x190
 [<c018eb48>] ? handle_IRQ_event+0x58/0x140
 [<c01205fe>] ? ack_apic_level+0x7e/0x270
 [<c014a1fd>] ? do_softirq+0x3d/0x40
 [<c014a345>] ? irq_exit+0x65/0x90
 [<c010a6af>] ? do_IRQ+0x4f/0xc0
 [<c014a35d>] ? irq_exit+0x7d/0x90
 [<c011d547>] ? smp_apic_timer_interrupt+0x57/0x90
 [<c01094a9>] ? common_interrupt+0x29/0x30
 [<c010fd9e>] ? mwait_idle+0xbe/0x100
 [<c0107e42>] ? cpu_idle+0x52/0x90
 [<c054b1a5>] ? rest_init+0x55/0x60
 [<c077492d>] ? start_kernel+0x315/0x37d
 [<c07743ce>] ? unknown_bootoption+0x0/0x1f9
 [<c0774099>] ? i386_start_kernel+0x79/0x81
Code: <bleh3>
EIP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] SS:ESP 0068:c076be38
CR2: 0000000000000030

Cc: stable@kernel.org
Tested-by: Jack Lau <jackelectronics@hotmail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-13 14:47:42 -04:00
9p 9p: Possible regression in p9_client_stat 2009-07-14 15:54:41 -05:00
802 net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
8021q 8021q: Vlan driver should use rcu_barrier() on unload instead of syncronize_net() 2009-06-10 01:11:22 -07:00
appletalk Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-08-09 21:29:47 -07:00
atm net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
ax25 net: Move rx skb_orphan call to where needed 2009-06-23 16:36:25 -07:00
bluetooth bluetooth: rfcomm_init bug fix 2009-08-03 13:24:39 -07:00
bridge net/bridge: use kobject_put to release kobject in br_add_if error path 2009-07-26 19:20:51 -07:00
can can: Fix raw_getname() leak 2009-08-09 21:45:32 -07:00
core net: Fix spinlock use in alloc_netdev_mq() 2009-08-05 08:35:11 -07:00
dcb
dccp Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-08-09 21:29:47 -07:00
decnet decnet: Use rcu_barrier() on module unload. 2009-06-26 13:51:27 -07:00
dsa dsa: fix 88e6xxx statistics counter snapshotting 2009-07-05 18:03:35 -07:00
econet econet: Fix econet_getname() leak 2009-08-06 13:08:40 -07:00
ethernet net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
ieee802154 af_ieee802154: provide dummy get/setsockopt 2009-08-06 12:49:19 +04:00
ipv4 ipv4: ARP neigh procfs buffer overflow 2009-07-30 13:27:29 -07:00
ipv6 tcp: Use correct peer adr when copying MD5 keys 2009-07-20 07:49:08 -07:00
ipx headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
irda Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-08-09 21:29:47 -07:00
iucv net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
key net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
lapb
llc net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
mac80211 mac80211: fix panic when splicing unprepared TIDs 2009-08-13 14:47:42 -04:00
netfilter netfilter: nf_conntrack: nf_conntrack_alloc() fixes 2009-07-16 14:03:40 +02:00
netlabel net/netlabel: Add kmalloc NULL tests 2009-07-30 10:58:28 -07:00
netlink net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
netrom netrom: Fix nr_getname() leak 2009-08-06 13:08:43 -07:00
packet net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
phonet phonet: phonet_device_get() fix 2009-08-05 12:14:09 -07:00
rds Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-05-18 21:08:20 -07:00
rfkill rfkill: fix rfkill_set_states() to set the hw state 2009-07-21 12:07:38 -04:00
rose rose: Fix rose_getname() leak 2009-08-06 13:08:38 -07:00
rxrpc net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
sched net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
sctp sctp: fix missing destroy of percpu counter variable in sctp_proc_exit() 2009-08-09 21:45:43 -07:00
sunrpc headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
tipc tipc: Use genl_register_family_with_ops() 2009-05-21 16:50:23 -07:00
unix net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
wanrouter headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
wimax wimax: fix warning caused by not checking retval of rfkill_set_hw_state() 2009-06-11 11:12:48 -07:00
wireless cfg80211: fix regression on beacon world roaming feature 2009-08-03 16:31:21 -04:00
x25 headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
xfrm Fix xfrm hash collisions by changing __xfrm4_daddr_saddr_hash to hash addresses with addition 2009-08-09 21:45:31 -07:00
compat.c
Kconfig net: add IEEE 802.15.4 socket family implementation 2009-06-09 05:25:32 -07:00
Makefile net: add IEEE 802.15.4 socket family implementation 2009-06-09 05:25:32 -07:00
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-04-06 18:05:43 -07:00
sysctl_net.c