[kernel/f17] ath9k: fix panic caused by returning a descriptor we have... (rhbz 832927)

John W. Linville linville at fedoraproject.org
Fri Jun 29 14:42:15 UTC 2012 

commit ed9681dca3a549b592fd9adc165d971a5bb5a5d5
Author: John W. Linville <linville at tuxdriver.com>
Date:   Fri Jun 29 10:26:56 2012 -0400

    ath9k: fix panic caused by returning a descriptor we have... (rhbz 832927)

 ...anic-caused-by-returning-a-descriptor-we-.patch |   66 ++++++++++++++++++++
 kernel.spec                                        |    9 +++
 2 files changed, 75 insertions(+), 0 deletions(-)
---
diff --git a/ath9k-fix-panic-caused-by-returning-a-descriptor-we-.patch b/ath9k-fix-panic-caused-by-returning-a-descriptor-we-.patch
new file mode 100644
index 0000000..aec1f42
--- /dev/null
+++ b/ath9k-fix-panic-caused-by-returning-a-descriptor-we-.patch
@@ -0,0 +1,66 @@
+From 6bb51c70cabaadddc54a6454844eceba91a56083 Mon Sep 17 00:00:00 2001
+From: Tom Hughes <tom at compton.nu>
+Date: Wed, 27 Jun 2012 18:21:15 +0100
+Subject: [PATCH] ath9k: fix panic caused by returning a descriptor we have
+ queued for reuse
+
+Commit 3a2923e83c introduced a bug when a corrupt descriptor
+is encountered - although the following descriptor is discarded
+and returned to the queue for reuse the associated frame is
+also returned for processing. This leads to a panic:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000000000003a
+IP: [<ffffffffa02599a5>] ath_rx_tasklet+0x165/0x1b00 [ath9k]
+Call Trace:
+<IRQ>
+[<ffffffff812d7fa0>] ? map_single+0x60/0x60
+[<ffffffffa028f044>] ? ath9k_ioread32+0x34/0x90 [ath9k]
+[<ffffffffa0292eec>] athk9k_tasklet+0xdc/0x160 [ath9k]
+[<ffffffff8105e133>] tasklet_action+0x63/0xd0
+[<ffffffff8105dbc0>] __do_softirq+0xc0/0x1e0
+[<ffffffff8101a873>] ? native_sched_clock+0x13/0x80
+[<ffffffff815f9d5c>] call_softirq+0x1c/0x30
+[<ffffffff810151f5>] do_softirq+0x75/0xb0
+[<ffffffff8105df95>] irq_exit+0xb5/0xc0
+[<ffffffff815fa5b3>] do_IRQ+0x63/0xe0
+[<ffffffff815f0cea>] common_interrupt+0x6a/0x6a
+<EOI>
+[<ffffffff8131840a>] ? intel_idle+0xea/0x150
+[<ffffffff813183eb>] ? intel_idle+0xcb/0x150
+[<ffffffff814a1db9>] cpuidle_enter+0x19/0x20
+[<ffffffff814a23d9>] cpuidle_idle_call+0xa9/0x240
+[<ffffffff8101c4bf>] cpu_idle+0xaf/0x120
+[<ffffffff815cda8e>] rest_init+0x72/0x74
+[<ffffffff81cf4c1a>] start_kernel+0x3b7/0x3c4
+[<ffffffff81cf4662>] ? repair_env_string+0x5e/0x5e
+[<ffffffff81cf4346>] x86_64_start_reservations+0x131/0x135
+[<ffffffff81cf444a>] x86_64_start_kernel+0x100/0x10f
+
+Making sure bf is cleared to NULL in this case restores the
+old behaviour.
+
+Signed-off-by: Tom Hughes <tom at compton.nu>
+Signed-off-by: John W. Linville <linville at tuxdriver.com>
+---
+ drivers/net/wireless/ath/ath9k/recv.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
+index 599667a..0735aeb 100644
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -695,9 +695,9 @@ static bool ath_edma_get_buffers(struct ath_softc *sc,
+ 			__skb_unlink(skb, &rx_edma->rx_fifo);
+ 			list_add_tail(&bf->list, &sc->rx.rxbuf);
+ 			ath_rx_edma_buf_link(sc, qtype);
+-		} else {
+-			bf = NULL;
+ 		}
++
++		bf = NULL;
+ 	}
+ 
+ 	*dest = bf;
+-- 
+1.7.10.2
+
diff --git a/kernel.spec b/kernel.spec
index 0664794..2b97581 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -798,6 +798,9 @@ Patch22036: block-fix-infinite-loop-in-__getblk_slow.patch
 #rhbz 832867
 Patch22040: mm-correctly-synchronize-rss-counters-at-exit-exec.patch
 
+#rhbz 832927
+Patch22041: ath9k-fix-panic-caused-by-returning-a-descriptor-we-.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1534,6 +1537,9 @@ ApplyPatch block-fix-infinite-loop-in-__getblk_slow.patch
 #rhbz 832867
 ApplyPatch mm-correctly-synchronize-rss-counters-at-exit-exec.patch
 
+#rhbz 832927
+ApplyPatch ath9k-fix-panic-caused-by-returning-a-descriptor-we-.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2394,6 +2400,9 @@ fi
 #    '-'      |  |
 #              '-'
 %changelog
+* Fri Jun 29 2012 John W. Linville <linville at redhat.com>
+- ath9k: fix panic caused by returning a descriptor we have... (rhbz 832927)
+
 * Thu Jun 28 2012 Dennis Gilmore <dennis at ausil.us>
 - include the mach- headers on arm arches if they are available

More information about the scm-commits mailing list