Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v2.6.32.3 2010-01-06T23:04:09Z 2010-01-06T23:04:09Z Johannes Berg johannes@sipsolutions.net 2009-12-23T12:12:05Z urn:sha1:477702056912abc2120a18e8494fb2204ccdd958 commit 3bdb2d48c5f58c781a4099c99044384a23620884 upstream. Joseph Nahmias reported, in http://bugs.debian.org/562016, that he was getting the following warning (with some log around the issue): ath0: direct probe to AP 00:11:95:77:e0:b0 (try 1) ath0: direct probe responded ath0: authenticate with AP 00:11:95:77:e0:b0 (try 1) ath0: authenticated ath0: associate with AP 00:11:95:77:e0:b0 (try 1) ath0: deauthenticating from 00:11:95:77:e0:b0 by local choice (reason=3) ath0: direct probe to AP 00:11:95:77:e0:b0 (try 1) ath0: RX AssocResp from 00:11:95:77:e0:b0 (capab=0x421 status=0 aid=2) ath0: associated ------------[ cut here ]------------ WARNING: at net/wireless/mlme.c:97 cfg80211_send_rx_assoc+0x14d/0x152 [cfg80211]() Hardware name: 7658CTO ... Pid: 761, comm: phy0 Not tainted 2.6.32-trunk-686 #1 Call Trace: [<c1030a5d>] ? warn_slowpath_common+0x5e/0x8a [<c1030a93>] ? warn_slowpath_null+0xa/0xc [<f86cafc7>] ? cfg80211_send_rx_assoc+0x14d/0x152 ... ath0: link becomes ready ath0: deauthenticating from 00:11:95:77:e0:b0 by local choice (reason=3) ath0: no IPv6 routers present ath0: link is not ready ath0: direct probe to AP 00:11:95:77:e0:b0 (try 1) ath0: direct probe responded ath0: authenticate with AP 00:11:95:77:e0:b0 (try 1) ath0: authenticated ath0: associate with AP 00:11:95:77:e0:b0 (try 1) ath0: RX ReassocResp from 00:11:95:77:e0:b0 (capab=0x421 status=0 aid=2) ath0: associated It is not clear to me how the first "direct probe" here happens, but this seems to be a race condition, if the user requests to deauth after requesting assoc, but before the assoc response is received. In that case, it may happen that mac80211 tries to report the assoc success to cfg80211, but gets blocked on the wdev lock that is held because the user is requesting the deauth. The result is that we run into a warning. This is mostly harmless, but maybe cause an unexpected event to be sent to userspace; we'd send an assoc success event although userspace was no longer expecting that. To fix this, remove the warning and check whether the race happened and in that case abort processing. Reported-by: Joseph Nahmias <joe@nahmias.net> Cc: 562016-quiet@bugs.debian.org Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> 2009-11-03T15:44:01Z Linus Torvalds torvalds@linux-foundation.org 2009-11-03T15:44:01Z urn:sha1:a84216e671c724e0920dfad2fb70828d428ff60a * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (21 commits) mac80211: check interface is down before type change cfg80211: fix NULL ptr deref libertas if_usb: Fix crash on 64-bit machines mac80211: fix reason code output endianness mac80211: fix addba timer ath9k: fix misplaced semicolon on rate control b43: Fix DMA TX bounce buffer copying mac80211: fix BSS leak rt73usb.c : more ids ipw2200: fix oops on missing firmware gre: Fix dev_addr clobbering for gretap sky2: set carrier off in probe net: fix sk_forward_alloc corruption pcnet_cs: add cis of PreMax PE-200 ethernet pcmcia card r8169: Fix card drop incoming VLAN tagged MTU byte large jumbo frames ibmtr: possible Read buffer overflow? net: Fix RPF to work with policy routing net: fix kmemcheck annotations e1000e: rework disable K1 at 1000Mbps for 82577/82578 e1000e: config PHY via software after resets ... 2009-11-02T20:14:07Z Johannes Berg johannes@sipsolutions.net 2009-10-31T06:40:37Z urn:sha1:7400f42e9d765fa0656b432f3ab1245f9710f190 commit 211a4d12abf86fe0df4cd68fc6327cbb58f56f81 Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Oct 20 15:08:53 2009 +0900 cfg80211: sme: deauthenticate on assoc failure introduced a potential NULL pointer dereference that some people have been hitting for some reason -- the params.bssid pointer is not guaranteed to be non-NULL for what seems to be a race between various ways of reaching the same thing. While I'm trying to analyse the problem more let's first fix the crash. I think the real fix may be to avoid doing _anything_ if it ended up being NULL, but right now I'm not sure yet. I think http://bugzilla.kernel.org/show_bug.cgi?id=14342 might also be this issue. Reported-by: Parag Warudkar <parag.lkml@gmail.com> Tested-by: Parag Warudkar <parag.lkml@gmail.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2009-10-29T16:22:08Z Linus Torvalds torvalds@linux-foundation.org 2009-10-29T16:22:08Z urn:sha1:49b2de8e6febfea5a8791b6476195903af83a35d * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (43 commits) net: Fix 'Re: PACKET_TX_RING: packet size is too long' netdev: usb: dm9601.c can drive a device not supported yet, add support for it qlge: Fix firmware mailbox command timeout. qlge: Fix EEH handling. AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl (v2) bonding: fix a race condition in calls to slave MII ioctls virtio-net: fix data corruption with OOM sfc: Set ip_summed correctly for page buffers passed to GRO cnic: Fix L2CTX_STATUSB_NUM offset in context memory. MAINTAINERS: rt2x00 list is moderated airo: Reorder tests, check bounds before element mac80211: fix for incorrect sequence number on hostapd injected frames libertas spi: fix sparse errors mac80211: trivial: fix spelling in mesh_hwmp cfg80211: sme: deauthenticate on assoc failure mac80211: keep auth state when assoc fails mac80211: fix ibss joining b43: add 'struct b43_wl' missing declaration b43: Fix Bugzilla #14181 and the bug from the previous 'fix' rt2x00: Fix crypto in TX frame for rt2800usb ... 2009-10-27T20:29:47Z Johannes Berg johannes@sipsolutions.net 2009-10-20T06:08:53Z urn:sha1:7d930bc33653d5592dc386a76a38f39c2e962344 When the in-kernel SME gets an association failure from the AP we don't deauthenticate, and thus get into a very confused state which will lead to warnings later on. Fix this by actually deauthenticating when the AP indicates an association failure. (Brought to you by the hacking session at Kernel Summit 2009 in Tokyo, Japan. -- JWL) Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2009-10-15T22:03:17Z Linus Torvalds torvalds@linux-foundation.org 2009-10-15T22:03:17Z urn:sha1:c3da31485f074a6f598b67045b08e2e15d908310 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (53 commits) vmxnet: fix 2 build problems net: add support for STMicroelectronics Ethernet controllers. net: ks8851_mll uses mii interfaces net/fec_mpc52xx: Fix kernel panic on FEC error net: Fix OF platform drivers coldplug/hotplug when compiled as modules TI DaVinci EMAC: Clear statistics register properly. r8169: partial support and phy init for the 8168d irda/sa1100_ir: check return value of startup hook udp: Fix udp_poll() and ioctl() WAN: fix Cisco HDLC handshaking. tcp: fix tcp_defer_accept to consider the timeout 3c574_cs: spin_lock the set_multicast_list function net: Teach pegasus driver to ignore bluetoother adapters with clashing Vendor:Product IDs netxen: fix pci bar mapping ethoc: fix warning from 32bit build libertas: fix build net: VMware virtual Ethernet NIC driver: vmxnet3 net: Fix IXP 2000 network driver building. libertas: fix build mac80211: document ieee80211_rx() context requirement ... 2009-10-11T18:20:58Z Alexey Dobriyan adobriyan@gmail.com 2009-10-07T13:09:06Z urn:sha1:d43c36dc6b357fa1806800f18aa30123c747a6d1 After m68k's task_thread_info() doesn't refer to current, it's possible to remove sched.h from interrupt.h and not break m68k! Many thanks to Heiko Carstens for allowing this. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> 2009-10-08T20:27:00Z Johannes Berg johannes@sipsolutions.net 2009-10-08T19:02:02Z urn:sha1:8a8e05e5d8f6155788761961fc9845328863c16d The error unwinding code in set_netns has a bug that will make it run into a BUG_ON if passed a bad wiphy index, fix by not trying to unlock a wiphy that doesn't exist. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2009-09-28T20:55:07Z Johannes Berg johannes@sipsolutions.net 2009-09-28T13:26:43Z urn:sha1:8f1546cadf7ac5e9a40d54089a1c7302264ec49b The move away from having drivers assign wireless handlers, in favour of making cfg80211 assign them, broke the sysfs registration (the wireless/ dir went missing) because the handlers are now assigned only after registration, which is too late. Fix this by special-casing cfg80211-based devices, all of which are required to have an ieee80211_ptr, in the sysfs code, and also using get_wireless_stats() to have the same values reported as in procfs. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Reported-by: Hugh Dickins <hugh.dickins@tiscali.co.uk> Tested-by: Hugh Dickins <hugh.dickins@tiscali.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com> 2009-09-28T20:55:06Z Arjan van de Ven arjan@linux.intel.com 2009-09-26T18:51:14Z urn:sha1:8503bd8c7dc6f82ec2de9d05e0a476e6ca5adc8b The wireless extensions have a copy_from_user to a local stack array "essid", but both me and gcc have failed to find where the bounds for this copy are located in the code. This patch adds some basic sanity checks for the copy length to make sure that we don't overflow the stack buffer. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Cc: linux-wireless@vger.kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>