original_kernel/net/mac80211
Luis R. Rodriguez 416fbdff21 mac80211: fix panic when splicing unprepared TIDs
We splice skbs from the pending queue for a TID
onto the local pending queue when tearing down a
block ack request. This is not necessary unless we
actually have received a request to start a block ack
request (rate control, for example). If we never received
that request we should not be splicing the tid pending
queue as it would be null, causing a panic.

Not sure yet how exactly we allowed through a call when the
tid state does not have at least HT_ADDBA_REQUESTED_MSK set,
that will require some further review as it is not quite
obvious.

For more information see the bug report:

http://bugzilla.kernel.org/show_bug.cgi?id=13922

This fixes this oops:

BUG: unable to handle kernel NULL pointer dereference at 00000030
IP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
*pdpt = 0000000002d1e001 *pde = 0000000000000000
Thread overran stack, or stack corrupted
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/aes_generic/initstate
Modules linked in: <bleh>

Pid: 0, comm: swapper Not tainted (2.6.31-rc5-wl #2) Dell DV051
EIP: 0060:[<f8806c70>] EFLAGS: 00010292 CPU: 0
EIP is at ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
EAX: 00000030 EBX: 0000004c ECX: 00000003 EDX: 00000000
ESI: c1c98000 EDI: f745a1c0 EBP: c076be58 ESP: c076be38
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c076a000 task=c0709160 task.ti=c076a000)
Stack: <bleh2>
Call Trace:
 [<f8806edb>] ? ieee80211_stop_tx_ba_cb+0xab/0x150 [mac80211]
 [<f8802f1e>] ? ieee80211_tasklet_handler+0xce/0x110 [mac80211]
 [<c04862ff>] ? net_rx_action+0xef/0x1d0
 [<c0149378>] ? tasklet_action+0x58/0xc0
 [<c014a0f2>] ? __do_softirq+0xc2/0x190
 [<c018eb48>] ? handle_IRQ_event+0x58/0x140
 [<c01205fe>] ? ack_apic_level+0x7e/0x270
 [<c014a1fd>] ? do_softirq+0x3d/0x40
 [<c014a345>] ? irq_exit+0x65/0x90
 [<c010a6af>] ? do_IRQ+0x4f/0xc0
 [<c014a35d>] ? irq_exit+0x7d/0x90
 [<c011d547>] ? smp_apic_timer_interrupt+0x57/0x90
 [<c01094a9>] ? common_interrupt+0x29/0x30
 [<c010fd9e>] ? mwait_idle+0xbe/0x100
 [<c0107e42>] ? cpu_idle+0x52/0x90
 [<c054b1a5>] ? rest_init+0x55/0x60
 [<c077492d>] ? start_kernel+0x315/0x37d
 [<c07743ce>] ? unknown_bootoption+0x0/0x1f9
 [<c0774099>] ? i386_start_kernel+0x79/0x81
Code: <bleh3>
EIP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] SS:ESP 0068:c076be38
CR2: 0000000000000030

Cc: stable@kernel.org
Testedy-by: Jack Lau <jackelectronics@hotmail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-13 14:47:42 -04:00
..
Kconfig mac80211: disable mesh 2009-07-21 12:07:35 -04:00
Makefile
aes_ccm.c
aes_ccm.h
aes_cmac.c
aes_cmac.h
agg-rx.c mac80211: Add a timeout for frames in the RX reorder buffer 2009-05-06 15:15:04 -04:00
agg-tx.c mac80211: fix panic when splicing unprepared TIDs 2009-08-13 14:47:42 -04:00
cfg.c mac80211: don't use master netdev name 2009-06-10 13:28:39 -04:00
cfg.h
debugfs.c mac80211: add queue debugfs file 2009-06-15 15:05:57 -04:00
debugfs.h
debugfs_key.c
debugfs_key.h
debugfs_netdev.c
debugfs_netdev.h
debugfs_sta.c
debugfs_sta.h
driver-ops.h cfg80211: add rfkill support 2009-06-03 14:06:14 -04:00
event.c
ht.c
ibss.c mac80211: fix parameter confusion when finding IBSS 2009-05-20 14:46:36 -04:00
ieee80211_i.h mac80211: disconnect when user changes channel 2009-06-15 15:05:58 -04:00
iface.c cfg80211: add rfkill support 2009-06-03 14:06:14 -04:00
key.c nl80211: Validate NL80211_ATTR_KEY_SEQ length 2009-05-20 14:46:25 -04:00
key.h nl80211: Add RSC configuration for new keys 2009-05-13 15:44:39 -04:00
led.c
led.h
main.c mac80211: do not pass PS frames out of mac80211 again 2009-06-10 13:28:37 -04:00
mesh.c mac80211: Use rcu_barrier() on unload. 2009-06-26 13:51:36 -07:00
mesh.h wireless: move some utility functions from mac80211 to cfg80211 2009-05-22 14:06:02 -04:00
mesh_hwmp.c mac80211: fix allocation in mesh_queue_preq 2009-07-07 12:55:27 -04:00
mesh_pathtbl.c mac80211: use correct address for mesh Path Error 2009-07-21 12:07:40 -04:00
mesh_plink.c mac80211: cancel/restart all timers across suspend/resume 2009-05-20 14:46:25 -04:00
michael.c
michael.h
mlme.c mac80211: do not queue work after suspend in the dynamic ps timer 2009-07-27 15:19:38 -04:00
pm.c mac80211: fix suspend 2009-07-29 14:52:01 -04:00
rate.c
rate.h
rc80211_minstrel.c mac80211: minstrel: avoid accessing negative indices in rix_to_ndx() 2009-07-07 12:55:28 -04:00
rc80211_minstrel.h
rc80211_minstrel_debugfs.c
rc80211_pid.h
rc80211_pid_algo.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-05-18 21:08:20 -07:00
rc80211_pid_debugfs.c
rx.c mac80211: fix suspend 2009-07-29 14:52:01 -04:00
scan.c mac80211: cancel/restart all timers across suspend/resume 2009-05-20 14:46:25 -04:00
spectmgmt.c mac80211: move channel switch code 2009-05-20 14:46:25 -04:00
sta_info.c mac80211: extend sta kdoc - explain when they are added 2009-06-03 14:06:15 -04:00
sta_info.h mac80211: fix kernel-doc 2009-05-20 14:46:32 -04:00
tkip.c mac80211: add driver ops wrappers 2009-05-06 15:14:37 -04:00
tkip.h
tx.c mac80211: fix injection in monitor mode 2009-07-21 12:07:38 -04:00
util.c mac80211: disconnect when user changes channel 2009-06-15 15:05:58 -04:00
wep.c
wep.h
wext.c mac80211: disconnect when user changes channel 2009-06-15 15:05:58 -04:00
wme.c mac80211: do not pass PS frames out of mac80211 again 2009-06-10 13:28:37 -04:00
wme.h
wpa.c
wpa.h