lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTil8SLseSeq1M_Xg7P4AqMy3V_0jxc7by2Xuaqnb@mail.gmail.com>
Date:	Sat, 29 May 2010 15:34:31 +0200
From:	Sedat Dilek <sedat.dilek@...glemail.com>
To:	"John W. Linville" <linville@...driver.com>
Cc:	davem@...emloft.net, linux-wireless@...r.kernel.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	jiajia.zheng@...el.com,
	Abhijeet Kolekar <abhijeet.kolekar@...el.com>,
	Johannes Berg <johannes.berg@...el.com>,
	Reinette Chatre <reinette.chatre@...el.com>
Subject: Re: pull request: wireless-2.6 2010-05-28

Hi,

I have pulled wireless-2.6 GIT (master-2010-05-28) into Linus-tree
(2.6.34-git15) [0] and Intel Linux-Wireless Bug #2208 is present.

Two people confirmed the patch in [2] fixes:
1. iwlwifi-2.6 GIT master (commit f10a237c95abd6d64a3a24553bd1d3bcddd9108b)
2. compat-wireless (2010-05-21)

And it fixes also the above mentionned combination.

As a suggestion:
What about "copying" bug-reports (incl. its history) from IWL-BTS into
linux-wireless ML?
For example (dri-devel related) bug-reports from
bugzilla.freedesktop.org are "copied" into dri-devel ML.

Hope [2] gets quickly into wireless-2.6 GIT.

Kind Regards,
- Sedat -

References:
------------------
[0] commit 24010e460454ec0d2f4f0213b667b4349cbdb8e1:
Merge branch 'drm-linus' of git://git./linux/kernel/git/airlied/drm-2.6
[1] http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2208
[2] http://bugzilla.intellinuxwireless.org/attachment.cgi?id=2447
[3] http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2208#c8
[4] http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2208#c9

[  446.893181] BUG: unable to handle kernel NULL pointer dereference at (null)
[  446.893192] IP: [<f8e9eb54>]
iwl3945_get_channels_for_scan+0xb4/0x315 [iwl3945]
[  446.893214] *pde = 00000000
[  446.893220] Oops: 0000 [#1] PREEMPT SMP
[  446.893228] last sysfs file:
/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
[  446.893233] Modules linked in: btrfs zlib_deflate crc32c libcrc32c
ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs exportfs
reiserfs ext2 radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core
acpi_cpufreq mperf cpufreq_ondemand cpufreq_stats freq_table
cpufreq_performance cpufreq_conservative cpufreq_powersave sco bridge
stp bnep rfcomm l2cap bluetooth aes_i586 aes_generic ppdev lp
kvm_intel kvm binfmt_misc ipv6 af_packet fuse ext4 jbd2 crc16
snd_hda_codec_si3054 snd_hda_codec_analog snd_hda_intel snd_hda_codec
snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss
snd_seq_midi arc4 snd_rawmidi ecb snd_seq_midi_event iwl3945 iwlcore
snd_seq snd_timer snd_seq_device sierra usbserial snd parport_pc
mac80211 hp_wmi parport soundcore snd_page_alloc cfg80211 rfkill
joydev pcmcia irda pcspkr intel_agp tifm_7xx1 tifm_core rng_core
iTCO_wdt iTCO_vendor_support hp_accel yenta_socket pcmcia_rsrc
pcmcia_core psmouse evdev tpm_infineon crc_ccitt wmi video output
serio_raw lis3lv02d container battery rtc_cmos tpm_tis tpm rtc_core
tpm_bios rtc_lib input_polldev ac processor button ext3 jbd mbcache
dm_mod usbhid hid sg sr_mod cdrom sd_mod fan pata_acpi ata_generic
sdhci_pci sdhci ata_piix uhci_hcd ahci libahci mmc_core led_class
ehci_hcd tg3 libata thermal scsi_mod usbcore nls_base [last unloaded:
i2c_core]
[  446.893460]
[  446.893466] Pid: 1312, comm: iwl3945 Not tainted
2.6.34-git15.sd.1-iniza-686-kms #1 30AC/HP Compaq nc6400 (RH572EA#ABD)
[  446.893473] EIP: 0060:[<f8e9eb54>] EFLAGS: 00010283 CPU: 0
[  446.893488] EIP is at iwl3945_get_channels_for_scan+0xb4/0x315 [iwl3945]
[  446.893494] EAX: f712a000 EBX: f0548ae0 ECX: 00000000 EDX: 00000000
[  446.893500] ESI: f05c00f2 EDI: 00000058 EBP: 00000000 ESP: f6bc5ecc
[  446.893505]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[  446.893511] Process iwl3945 (pid: 1312, ti=f6bc4000 task=f04c79c0
task.ti=f6bc4000)
[  446.893516] Stack:
[  446.893519]  00000067 f04c79ec 00000000 00000000 00000000 00210001
c10272fc c13b0401
[  446.893532] <0> c1225b2d c13b0400 f054f0f0 0002ff00 00000058
00000021 0057f0f0 f0548ae0
[  446.893546] <0> 00000000 00000005 f05c0000 f8ea1cc1 00000000
f05c00f2 00000000 c1071393
[  446.893561] Call Trace:
[  446.893572]  [<c10272fc>] ? add_preempt_count+0x8f/0x91
[  446.893581]  [<c1225b2d>] ? _raw_spin_lock_irqsave+0x1c/0x35
[  446.893598]  [<f8ea1cc1>] ? iwl3945_request_scan+0x697/0x799 [iwl3945]
[  446.893607]  [<c1071393>] ? perf_event_task_sched_in+0xe/0x71
[  446.893614]  [<c1225cf8>] ? _raw_spin_unlock_irq+0x1e/0x28
[  446.893631]  [<f8e62768>] ? iwl_bg_start_internal_scan+0x280/0x299 [iwlcore]
[  446.893639]  [<c103c530>] ? run_workqueue+0x65/0xe1
[  446.893654]  [<f8e624e8>] ? iwl_bg_start_internal_scan+0x0/0x299 [iwlcore]
[  446.893661]  [<c103c65b>] ? worker_thread+0xaf/0xbb
[  446.893669]  [<c103f22a>] ? autoremove_wake_function+0x0/0x29
[  446.893676]  [<c103c5ac>] ? worker_thread+0x0/0xbb
[  446.893683]  [<c103ef3f>] ? kthread+0x5f/0x64
[  446.893690]  [<c103eee0>] ? kthread+0x0/0x64
[  446.893698]  [<c10033b6>] ? kernel_thread_helper+0x6/0x10
[  446.893702] Code: 88 44 24 1c 83 e8 02 88 44 24 2d 8d 4f ff 0f b7
c7 89 44 24 30 66 89 4c 24 3a e9 ea 01 00 00 8b 54 24 10 8b 4c 24 08
8b 6c 90 20 <39> 4d 00 0f 85 d1 01 00 00 66 8b 4d 06 89 d8 88 4e 01 8b
54 24
[  446.893784] EIP: [<f8e9eb54>]
iwl3945_get_channels_for_scan+0xb4/0x315 [iwl3945] SS:ESP
0068:f6bc5ecc
[  446.893801] CR2: 0000000000000000
[  446.893812] ---[ end trace 7a6cdfd823c4f035 ]---


On Fri, May 28, 2010 at 8:09 PM, John W. Linville
<linville@...driver.com> wrote:
> Dave,
>
> Here are a few small fixes intended for 2.6.35.  Included are a null
> pointer dereference fix, and a use-after-free fix, as well as some more
> minor stuff.  It also include the revert of a earlier patch that I
> inadvertantly merged out of order, effectively creating a bug rather
> than fixing one.  The reverted patch will now be pointed at 2.6.36
> instead.
>
> Please let me know if there are problems!
>
> Thanks,
>
> John
>
> ---
>
> The following changes since commit 045de01a174d9f0734f657eb4b3313d89b4fd5ad:
>  Scott Feldman (1):
>        netlink: bug fix: wrong size was calculated for vfinfo list blob
>
> are available in the git repository at:
>
>  git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6.git master
>
> Christian Lamparter (1):
>      ar9170usb: fix read from freed driver context
>
> Christoph Fritz (1):
>      ssb: fix NULL ptr deref when pcihost_wrapper is used
>
> Johannes Berg (1):
>      mac80211: make a function static
>
> John W. Linville (1):
>      Revert "rt2x00: Fix rt2800usb TX descriptor writing."
>
> Justin P. Mattock (1):
>      ath9k: Fix ath_print in xmit for hardware reset.
>
> Prarit Bhargava (1):
>      libertas: fix uninitialized variable warning
>
> Vasanthakumar Thiagarajan (1):
>      ath9k: Fix bug in the way "bf_tx_aborted" of struct ath_buf is used
>
>  drivers/net/wireless/ath/ar9170/usb.c   |   14 ++++++++++++--
>  drivers/net/wireless/ath/ath9k/xmit.c   |    6 ++++--
>  drivers/net/wireless/libertas/rx.c      |    5 ++---
>  drivers/net/wireless/rt2x00/rt2800usb.c |    2 +-
>  drivers/ssb/pci.c                       |    9 ++++++---
>  drivers/ssb/sprom.c                     |    1 +
>  net/mac80211/chan.c                     |    2 +-
>  7 files changed, 27 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ar9170/usb.c b/drivers/net/wireless/ath/ar9170/usb.c
> index 82ab532..a93dc18 100644
> --- a/drivers/net/wireless/ath/ar9170/usb.c
> +++ b/drivers/net/wireless/ath/ar9170/usb.c
> @@ -739,17 +739,27 @@ err_out:
>  static void ar9170_usb_firmware_failed(struct ar9170_usb *aru)
>  {
>        struct device *parent = aru->udev->dev.parent;
> +       struct usb_device *udev;
> +
> +       /*
> +        * Store a copy of the usb_device pointer locally.
> +        * This is because device_release_driver initiates
> +        * ar9170_usb_disconnect, which in turn frees our
> +        * driver context (aru).
> +        */
> +       udev = aru->udev;
>
>        complete(&aru->firmware_loading_complete);
>
>        /* unbind anything failed */
>        if (parent)
>                device_lock(parent);
> -       device_release_driver(&aru->udev->dev);
> +
> +       device_release_driver(&udev->dev);
>        if (parent)
>                device_unlock(parent);
>
> -       usb_put_dev(aru->udev);
> +       usb_put_dev(udev);
>  }
>
>  static void ar9170_usb_firmware_finish(const struct firmware *fw, void *context)
> diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
> index 3db1917..859aa4a 100644
> --- a/drivers/net/wireless/ath/ath9k/xmit.c
> +++ b/drivers/net/wireless/ath/ath9k/xmit.c
> @@ -1198,7 +1198,7 @@ void ath_drain_all_txq(struct ath_softc *sc, bool retry_tx)
>                int r;
>
>                ath_print(common, ATH_DBG_FATAL,
> -                         "Unable to stop TxDMA. Reset HAL!\n");
> +                         "Failed to stop TX DMA. Resetting hardware!\n");
>
>                spin_lock_bh(&sc->sc_resetlock);
>                r = ath9k_hw_reset(ah, sc->sc_ah->curchan, false);
> @@ -1728,6 +1728,8 @@ static int ath_tx_setup_buffer(struct ieee80211_hw *hw, struct ath_buf *bf,
>        } else
>                bf->bf_isnullfunc = false;
>
> +       bf->bf_tx_aborted = false;
> +
>        return 0;
>  }
>
> @@ -1989,7 +1991,7 @@ static int ath_tx_num_badfrms(struct ath_softc *sc, struct ath_buf *bf,
>        int nbad = 0;
>        int isaggr = 0;
>
> -       if (bf->bf_tx_aborted)
> +       if (bf->bf_lastbf->bf_tx_aborted)
>                return 0;
>
>        isaggr = bf_isaggr(bf);
> diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c
> index a115bfa..7a377f5 100644
> --- a/drivers/net/wireless/libertas/rx.c
> +++ b/drivers/net/wireless/libertas/rx.c
> @@ -329,9 +329,8 @@ static int process_rxed_802_11_packet(struct lbs_private *priv,
>        /* create the exported radio header */
>
>        /* radiotap header */
> -       radiotap_hdr.hdr.it_version = 0;
> -       /* XXX must check this value for pad */
> -       radiotap_hdr.hdr.it_pad = 0;
> +       memset(&radiotap_hdr, 0, sizeof(radiotap_hdr));
> +       /* XXX must check radiotap_hdr.hdr.it_pad for pad */
>        radiotap_hdr.hdr.it_len = cpu_to_le16 (sizeof(struct rx_radiotap_hdr));
>        radiotap_hdr.hdr.it_present = cpu_to_le32 (RX_RADIOTAP_PRESENT);
>        radiotap_hdr.rate = convert_mv_rate_to_radiotap(prxpd->rx_rate);
> diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
> index 6991613..0f8b84b 100644
> --- a/drivers/net/wireless/rt2x00/rt2800usb.c
> +++ b/drivers/net/wireless/rt2x00/rt2800usb.c
> @@ -413,7 +413,7 @@ static void rt2800usb_write_tx_desc(struct rt2x00_dev *rt2x00dev,
>         */
>        rt2x00_desc_read(txi, 0, &word);
>        rt2x00_set_field32(&word, TXINFO_W0_USB_DMA_TX_PKT_LEN,
> -                          skb->len - TXINFO_DESC_SIZE);
> +                          skb->len + TXWI_DESC_SIZE);
>        rt2x00_set_field32(&word, TXINFO_W0_WIV,
>                           !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc->flags));
>        rt2x00_set_field32(&word, TXINFO_W0_QSEL, 2);
> diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c
> index 989e275..6dcda86 100644
> --- a/drivers/ssb/pci.c
> +++ b/drivers/ssb/pci.c
> @@ -625,9 +625,12 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus,
>                ssb_printk(KERN_ERR PFX "No SPROM available!\n");
>                return -ENODEV;
>        }
> -
> -       bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
> -               SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
> +       if (bus->chipco.dev) {  /* can be unavailible! */
> +               bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
> +                       SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
> +       } else {
> +               bus->sprom_offset = SSB_SPROM_BASE1;
> +       }
>
>        buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
>        if (!buf)
> diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c
> index 007bc3a..4f7cc8d 100644
> --- a/drivers/ssb/sprom.c
> +++ b/drivers/ssb/sprom.c
> @@ -185,6 +185,7 @@ bool ssb_is_sprom_available(struct ssb_bus *bus)
>        /* this routine differs from specs as we do not access SPROM directly
>           on PCMCIA */
>        if (bus->bustype == SSB_BUSTYPE_PCI &&
> +           bus->chipco.dev &&  /* can be unavailible! */
>            bus->chipco.dev->id.revision >= 31)
>                return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
>
> diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
> index 5d218c5..32be11e 100644
> --- a/net/mac80211/chan.c
> +++ b/net/mac80211/chan.c
> @@ -5,7 +5,7 @@
>  #include <linux/nl80211.h>
>  #include "ieee80211_i.h"
>
> -enum ieee80211_chan_mode
> +static enum ieee80211_chan_mode
>  __ieee80211_get_channel_mode(struct ieee80211_local *local,
>                             struct ieee80211_sub_if_data *ignore)
>  {
> --
> John W. Linville                Someday the world will need a hero, and you
> linville@...driver.com                  might be all we have.  Be ready.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ