This is a note to let you know that I've just added the patch titled

    rt2x00: fix crash in rt2800usb_get_txwi

to the 3.0-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <sta...@kernel.org> know about it.


>From sgrus...@redhat.com  Mon Aug 29 15:24:50 2011
From: Stanislaw Gruszka <sgrus...@redhat.com>
Date: Thu, 25 Aug 2011 17:14:26 +0200
Subject: rt2x00: fix crash in rt2800usb_get_txwi
To: sta...@kernel.org
Cc: ivdo...@gmail.com, Stanislaw Gruszka <sgrus...@redhat.com>, 
jpis...@lucidpixels.com, "John W. Linville" <linvi...@tuxdriver.com>
Message-ID: <1314285266-5098-3-git-send-email-sgrus...@redhat.com>

From: Stanislaw Gruszka <sgrus...@redhat.com>

commit 674db1344443204b6ce3293f2df8fd1b7665deea upstream.

Patch should fix this oops:

BUG: unable to handle kernel NULL pointer dereference at 000000a0
IP: [<f81b30c9>] rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
*pdpt = 0000000000000000 *pde = f000ff53f000ff53
Oops: 0000 [#1] SMP
Pid: 198, comm: kworker/u:3 Tainted: G        W   3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO
EIP: 0060:[<f81b30c9>] EFLAGS: 00010283 CPU: 1
EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8
ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000)
Call Trace:
 [<f804790f>] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib]
 [<c045110d>] ? warn_slowpath_common+0x7d/0xa0
 [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
 [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
 [<f81b3a13>] rt2800usb_work_txdone+0x263/0x360 [rt2800usb]
 [<c046a8d6>] process_one_work+0x186/0x440
 [<c046a85a>] ? process_one_work+0x10a/0x440
 [<f81b37b0>] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb]
 [<c046c283>] worker_thread+0x133/0x310
 [<c04885db>] ? trace_hardirqs_on+0xb/0x10
 [<c046c150>] ? manage_workers+0x1e0/0x1e0
 [<c047054c>] kthread+0x7c/0x90
 [<c04704d0>] ? __init_kthread_worker+0x60/0x60
 [<c0826b42>] kernel_thread_helper+0x6/0x1

Oops might happen because we check rt2x00queue_empty(queue) twice,
but this condition can change and we can process entry in
rt2800_txdone_entry(), which was already processed by
rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and
has nullified entry->skb.

Reported-by: Justin Piszcz <jpis...@lucidpixels.com>
Signed-off-by: Stanislaw Gruszka <sgrus...@redhat.com>
Acked-by: Ivo van Doorn <ivdo...@gmail.com>
Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>
---
 drivers/net/wireless/rt2x00/rt2800lib.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -764,12 +764,11 @@ void rt2800_txdone(struct rt2x00_dev *rt
                        entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
                        if (rt2800_txdone_entry_check(entry, reg))
                                break;
+                       entry = NULL;
                }
 
-               if (!entry || rt2x00queue_empty(queue))
-                       break;
-
-               rt2800_txdone_entry(entry, reg);
+               if (entry)
+                       rt2800_txdone_entry(entry, reg);
        }
 }
 EXPORT_SYMBOL_GPL(rt2800_txdone);
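
Review bot: the new `if (entry)` after the inner loop also changes control flow that the commit message does not mention. The removed `break` left the enclosing loop when no entry matched or the queue was empty, while the new code falls through and keeps iterating. If that is intended (continue with the next status instead of stopping), please say so in the changelog or in a comment above the test. Second, `if (entry)` is only correct if `entry` is NULL when the inner loop body never runs, and that initialisation is outside the visible context, so it is worth confirming that `entry` is reset on every pass and not only at declaration. A one-line comment at `entry = NULL;` noting that an entry which failed rt2800_txdone_entry_check() may already have had entry->skb cleared and must not reach rt2800_txdone_entry() would make the reason for the reset clear to later readers.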


Patches currently in stable-queue which might be from sgrus...@redhat.com are

queue-3.0/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
queue-3.0/mac80211-fix-suspend-resume-races-with-unregister-hw.patch
queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable
