[ 046/122] mac80211: fix crash with single-queue drivers

From: Greg Kroah-Hartman
Date: Tue Aug 07 2012 - 18:29:22 EST


From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>

3.5-stable review patch. If anyone has any objections, please let me know.

------------------

From: Johannes Berg <johannes.berg@xxxxxxxxx>

commit a6f38ac3cc853189705006cc1e0f17ce8467a1df upstream.

Larry (and some others I think) reported that with
single-queue drivers mac80211 crashes when waking
the queues. This happens because we allocate just
a single queue for each virtual interface in case
the driver doesn't have at least 4 queues, but the
code stopping/waking the virtual interface queues
wasn't taking this into account.

Reported-by: Larry Finger <Larry.Finger@xxxxxxxxxxxx>
Tested-by: Larry Finger <Larry.Finger@xxxxxxxxxxxx>
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
net/mac80211/util.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)

--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -268,6 +268,10 @@ EXPORT_SYMBOL(ieee80211_ctstoself_durati
void ieee80211_propagate_queue_wake(struct ieee80211_local *local, int queue)
{
struct ieee80211_sub_if_data *sdata;
+ int n_acs = IEEE80211_NUM_ACS;
+
+ if (local->hw.queues < IEEE80211_NUM_ACS)
+ n_acs = 1;

list_for_each_entry_rcu(sdata, &local->interfaces, list) {
int ac;
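Review bot: the new `if (local->hw.queues < IEEE80211_NUM_ACS) n_acs = 1;` at the top of ieee80211_propagate_queue_wake() carries no comment explaining why the count drops to 1 rather than to local->hw.queues. The commit message gives the reason (each virtual interface is allocated a single queue when the driver has fewer than 4), and a one-line comment saying so here would keep the loop bound visibly tied to that allocation rule, which the commit message names as the thing this code failed to account for.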
@@ -279,7 +283,7 @@ void ieee80211_propagate_queue_wake(stru
local->queue_stop_reasons[sdata->vif.cab_queue] != 0)
continue;

- for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ for (ac = 0; ac < n_acs; ac++) {
int ac_queue = sdata->vif.hw_queue[ac];

if (ac_queue == queue ||
@@ -341,6 +345,7 @@ static void __ieee80211_stop_queue(struc
{
struct ieee80211_local *local = hw_to_local(hw);
struct ieee80211_sub_if_data *sdata;
+ int n_acs = IEEE80211_NUM_ACS;

trace_stop_queue(local, queue, reason);

@@ -352,11 +357,14 @@ static void __ieee80211_stop_queue(struc

__set_bit(reason, &local->queue_stop_reasons[queue]);

+ if (local->hw.queues < IEEE80211_NUM_ACS)
+ n_acs = 1;
+
rcu_read_lock();
list_for_each_entry_rcu(sdata, &local->interfaces, list) {
int ac;

- for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ for (ac = 0; ac < n_acs; ac++) {
if (sdata->vif.hw_queue[ac] == queue ||
sdata->vif.cab_queue == queue)
netif_stop_subqueue(sdata->dev, ac);
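Review bot: the `if (local->hw.queues < IEEE80211_NUM_ACS) n_acs = 1;` check added before rcu_read_lock() in __ieee80211_stop_queue() is a verbatim copy of the one added to ieee80211_propagate_queue_wake(). Consider a small static helper in util.c that returns the per-interface AC count, so the stop and wake loops cannot drift apart. It would also let n_acs be set in one place, instead of being declared in the previous hunk and overridden several statements later here.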

