linux/drivers
Stanislaw Gruszka 4237cc8ef3 ath9k: protect tid->sched check
[ Upstream commit 21f8aaee0c ]

We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That
is a race condition which can result in doing list_del(&tid->list) twice
(the second time with a poisoned list node) and cause a crash like the one shown below:

[424271.637220] BUG: unable to handle kernel paging request at 00100104
[424271.637328] IP: [<f90fc072>] ath_tx_aggr_sleep+0x62/0xe0 [ath9k]
...
[424271.639953] Call Trace:
[424271.639998]  [<f90f6900>] ? ath9k_get_survey+0x110/0x110 [ath9k]
[424271.640083]  [<f90f6942>] ath9k_sta_notify+0x42/0x50 [ath9k]
[424271.640177]  [<f809cfef>] sta_ps_start+0x8f/0x1c0 [mac80211]
[424271.640258]  [<c10f730e>] ? free_compound_page+0x2e/0x40
[424271.640346]  [<f809e915>] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211]
[424271.640437]  [<c112f048>] ? kmem_cache_free+0x1d8/0x1f0
[424271.640510]  [<c1345a84>] ? kfree_skbmem+0x34/0x90
[424271.640578]  [<c10fc23c>] ? put_page+0x2c/0x40
[424271.640640]  [<c1345a84>] ? kfree_skbmem+0x34/0x90
[424271.640706]  [<c1345a84>] ? kfree_skbmem+0x34/0x90
[424271.640787]  [<f809dde3>] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211]
[424271.640897]  [<f80a07a0>] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211]
[424271.641009]  [<f809e22d>] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211]
[424271.641104]  [<c13846ce>] ? ip_output+0x7e/0xd0
[424271.641182]  [<f80a1057>] ieee80211_rx+0x307/0x7c0 [mac80211]
[424271.641266]  [<f90fa6ee>] ath_rx_tasklet+0x88e/0xf70 [ath9k]
[424271.641358]  [<f80a0f2c>] ? ieee80211_rx+0x1dc/0x7c0 [mac80211]
[424271.641445]  [<f90f82db>] ath9k_tasklet+0xcb/0x130 [ath9k]

Bug report:
https://bugzilla.kernel.org/show_bug.cgi?id=70551

Reported-and-tested-by: Max Sydorenko <maxim.stargazer@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
[ xl: backported to 3.10: adjusted context ]
Signed-off-by: Xiangyu Lu <luxiangyu@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-07 13:25:40 -07:00
accessibility
acpi ACPI / blacklist: Add dmi_enable_osi_linux quirk for Asus EEE PC 1015PX 2014-06-07 13:25:39 -07:00
amba
ata libata: clean up ZPODD when a port is detached 2014-06-07 13:25:39 -07:00
atm atm: idt77252: fix dev refcnt leak 2013-12-08 07:29:25 -08:00
auxdisplay
base drivercore: deferral race condition fix 2014-06-07 13:25:31 -07:00
bcma
block xen-blkfront: restore the non-persistent data path 2014-06-07 13:25:37 -07:00
bluetooth Bluetooth: Add support for Lite-on [04ca:3007] 2014-06-07 13:25:33 -07:00
bus bus: mvebu-mbus: allow several windows with the same target/attribute 2014-06-07 13:25:37 -07:00
cdrom drivers/cdrom/cdrom.c: use kzalloc() for failing hardware 2013-07-13 11:42:26 -07:00
char ipmi: Reset the KCS timeout when starting error recovery 2014-06-07 13:25:30 -07:00
clk clk: vexpress: NULL dereference on error path 2014-06-07 13:25:35 -07:00
clocksource clocksource: Exynos_mct: Register clock event after request_irq() 2014-06-07 13:25:29 -07:00
connector connector: improved unaligned access error fix 2013-12-08 07:29:25 -08:00
cpufreq cpufreq: Fix timer/workqueue corruption due to double queueing 2014-04-14 06:42:19 -07:00
cpuidle cpuidle: Check the result of cpuidle_get_driver() against NULL 2014-04-14 06:42:15 -07:00
crypto crypto: caam - add allocation failure handling in SPRINTFCAT macro 2014-06-07 13:25:39 -07:00
dca
devfreq
dio
dma ioat: fix tasklet tear down 2014-03-06 21:30:14 -08:00
edac i7300_edac: Fix device reference count 2014-03-06 21:30:13 -08:00
eisa Revert "EISA: Initialize device before its resources" 2014-02-13 13:47:59 -08:00
extcon
firewire firewire: ohci: fix probe failure with Agere/LSI controllers 2014-05-30 21:52:11 -07:00
firmware dmi: add support for exact DMI matches in addition to substring matching 2013-11-29 11:11:53 -08:00
gpio gpio: mxs: Allow for recursive enable_irq_wake() call 2014-05-13 13:59:45 +02:00
gpu drm/nouveau/pm/fan: drop the fan lock in fan_update() before rescheduling 2014-06-07 13:25:34 -07:00
hid HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue"" 2014-01-15 15:28:45 -08:00
hsi
hv Drivers: hv: vmbus: Negotiate version 3.0 when running on ws2012r2 hosts 2014-06-07 13:25:35 -07:00
hwmon hwmon: (emc1403) Support full range of known chip revision numbers 2014-06-07 13:25:31 -07:00
hwspinlock
i2c i2c: s3c2410: resume race fix 2014-06-07 13:25:39 -07:00
ide
idle x86 idle: Repair large-server 50-watt idle-power regression 2014-01-09 12:24:21 -08:00
iio iio:imu:mpu6050: Fixed segfault in Invensens MPU driver due to null dereference 2014-06-07 13:25:32 -07:00
infiniband Target/iser: Fix iscsit_accept_np and rdma_cm racy flow 2014-06-07 13:25:38 -07:00
input Input: synaptics - T540p - unify with other LEN0034 models 2014-06-07 13:25:36 -07:00
iommu iommu/amd: Fix interrupt remapping for aliased devices 2014-06-07 13:25:40 -07:00
ipack
irqchip irqchip: Gic: Support forced affinity setting 2014-06-07 13:25:28 -07:00
isdn isdnloop: several buffer overflows 2014-04-14 06:42:18 -07:00
leds leds: leds-pwm: properly clean up after probe failure 2014-06-07 13:25:34 -07:00
lguest
macintosh powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31) 2013-08-11 18:35:20 -07:00
mailbox
md dm crypt: fix cpu hotplug crash by removing per-cpu structure 2014-06-07 13:25:39 -07:00
media media: V4L2: fix VIDIOC_CREATE_BUFS in 64- / 32-bit compatibility mode 2014-06-07 13:25:40 -07:00
memory
memstick
message
mfd mfd: tps65910: Fix possible invalid pointer dereference on regmap_add_irq_chip fail 2014-05-06 07:55:28 -07:00
misc mei: me: do not load the driver if the FW doesn't support MEI interface 2014-05-06 07:55:27 -07:00
mmc mmc: atmel-mci: fix timeout errors in SDIO mode when using DMA 2014-02-13 13:48:00 -08:00
mtd mtd: sm_ftl: heap corruption in sm_create_sysfs_attributes() 2014-05-13 13:59:45 +02:00
net ath9k: protect tid->sched check 2014-06-07 13:25:40 -07:00
nfc
ntb NTB: Correct debugfs to work with more than 1 NTB Device 2013-11-13 12:05:35 +09:00
nubus
of of: fix PCI bus match for PCIe slots 2014-02-22 12:41:27 -08:00
oprofile
parisc parisc: Fix interrupt routing for C8000 serial ports 2013-08-11 18:35:21 -07:00
parport parport: parport_pc: remove double PCI ID for NetMos 2014-02-06 11:08:15 -08:00
pci PCI: shpchp: Check bridge's secondary (not primary) bus speed 2014-06-07 13:25:38 -07:00
pcmcia pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status 2013-07-21 18:21:25 -07:00
pinctrl pinctrl: protect pinctrl_list add 2014-02-20 11:06:11 -08:00
platform hp_accel: Add a new PnP ID HPQ6007 for new HP laptops 2014-02-06 11:08:16 -08:00
pnp PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures 2014-03-23 21:38:22 -07:00
power power: max17040: Fix NULL pointer dereference when there is no platform_data 2014-02-22 12:41:29 -08:00
pps
ps3
ptp
pwm
rapidio rapidio/tsi721: fix tasklet termination in dma channel release 2014-03-23 21:38:09 -07:00
regulator regulator: core: Replace direct ops->disable usage 2014-03-31 09:58:13 -07:00
remoteproc
reset
rpmsg
rtc rtc-cmos: Add an alarm disable quirk 2014-02-13 13:48:03 -08:00
s390 s390/chsc: fix SEI usage on old FW levels 2014-05-13 13:59:42 +02:00
sbus
scsi SCSI: megaraid: missing bounds check in mimd_to_kioc() 2014-05-30 21:52:11 -07:00
sfi
sh
sn
spi spi: spi-ath79: fix initial GPIO CS line setup 2014-03-23 21:38:16 -07:00
ssb
ssbi
staging staging: r8712u: Fix case where ethtype was never obtained and always be checked against 0 2014-05-06 07:55:28 -07:00
target target: Don't allow setting WC emulation if device doesn't support 2014-06-07 13:25:38 -07:00
tc
thermal
tty 8250_core: Fix unwanted TX chars write 2014-06-07 13:25:30 -07:00
uio Fix a few incorrectly checked [io_]remap_pfn_range() calls 2013-11-13 12:05:33 +09:00
usb USB: Nokia 5300 should be treated as unusual dev 2014-06-07 13:25:33 -07:00
uwb
vfio mm: close PageTail race 2014-04-03 12:01:05 -07:00
vhost vhost: validate vhost_get_vq_desc return value 2014-04-14 06:42:18 -07:00
video tgafb: fix mode setting with fbset 2014-05-30 21:52:12 -07:00
virt
virtio virtio_balloon: don't softlockup on huge balloon changes. 2014-05-13 13:59:41 +02:00
vlynq
vme VME: Correct read/write alignment algorithm 2014-02-22 12:41:28 -08:00
w1 w1: fix w1_send_slave dropping a slave id 2014-05-06 07:55:28 -07:00
watchdog sc1200_wdt: Fix oops 2013-12-20 07:45:11 -08:00
xen xen/gnttab: leave lazy MMU mode in the case of a m2p override failure 2013-12-11 22:36:27 -08:00
zorro
Kconfig
Makefile