diff --git a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
new file mode 100644
index 0000000..84d6aa0
--- /dev/null
+++ b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
@@ -0,0 +1,58 @@
+If channel switch is pending and we remove interface we can
+crash like showed below due to passing NULL vif to mac80211:
+
+BUG: unable to handle kernel paging request at fffffffffffff8cc
+IP: [] strnlen+0xd/0x40
+Call Trace:
+ [] string.isra.3+0x3e/0xd0
+ [] vsnprintf+0x219/0x640
+ [] vscnprintf+0x11/0x30
+ [] vprintk_emit+0x115/0x4f0
+ [] printk+0x61/0x63
+ [] ieee80211_chswitch_done+0xaf/0xd0 [mac80211]
+ [] iwl_chswitch_done+0x34/0x40 [iwldvm]
+ [] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm]
+ [] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm]
+ [] iwl_set_mode+0x36/0x40 [iwldvm]
+ [] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm]
+ [] ieee80211_do_stop+0x29d/0x7f0 [mac80211]
+
+This is because we nulify ctx->vif in iwlagn_mac_remove_interface()
+before calling some other functions that teardown interface. To fix
+just check ctx->vif on iwl_chswitch_done(). We should not call
+ieee80211_chswitch_done() as channel switch works were already canceled
+by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop().
+
+Resolve:
+https://bugzilla.redhat.com/show_bug.cgi?id=979581
+
+Cc: stable@vger.kernel.org
+Reported-by: Lukasz Jagiello
+Signed-off-by: Stanislaw Gruszka
+---
+ drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+index 323e4a3..9a817df 100644
+--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
++++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success)
+ if (test_bit(STATUS_EXIT_PENDING, &priv->status))
+ return;
+
+- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
++ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status))
++ return;
++
++ if (ctx->vif)
+ ieee80211_chswitch_done(ctx->vif, is_success);
+ }
+
+--
+1.7.11.7
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
\ No newline at end of file
diff --git a/kernel.spec b/kernel.spec
index 1f40b27..8f533cb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -773,6 +773,9 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
 #rhbz 987639 987656
 Patch25065: net_310.mbox
+#rhbz 979581
+Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -1494,6 +1497,9 @@ ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch
 #rhbz 987639 987656
 ApplyPatch net_310.mbox
+#rhbz 979581
+ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch
+
 # END OF PATCH APPLICATIONS
 %endif
@@ -2302,6 +2308,9 @@ fi
 # and build.
 %changelog
+* Fri Jul 26 2013 Josh Boyer
+- Add patch to fix NULL deref in iwlwifi (rhbz 979581)
+
 * Thu Jul 25 2013 Justin M. Forbes 3.10.3-300
 - Linux v3.10.3
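Review bot: The new `if (ctx->vif)` guard in iwl_chswitch_done() carries no comment on why vif can be NULL at this point, so a later reader may take it for a defensive no-op and remove it; the reasoning from the commit message belongs next to the check, e.g. `/* vif is cleared early in iwlagn_mac_remove_interface(); mac80211 has already cancelled the channel switch, so there is nothing to report. */`. The body of iwl_chswitch_done() starts above the hunk, so neither how ctx is obtained nor what serializes this read of ctx->vif against the clearing in iwlagn_mac_remove_interface() is visible; if the two are not under the same lock the guard narrows the window rather than closing it, which is worth confirming. Returning early after test_and_clear_bit() also means STATUS_CHANNEL_SWITCH_PENDING is still cleared when vif is NULL, which matches the intent that the cancelled switch must not be left pending.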