
Bug#745137: linux-image-3.2.0-4-amd64: Crash when trying to enable RTL8188CE-based WiFi interface on Lenovo ThinkPad W520



Control: tag -1 patch moreinfo

On Fri, 2014-04-18 at 14:28 +0400, Dmitry Semyonov wrote:
> Package: src:linux
> Version: 3.2.57-1
> Severity: important
> 
> Dear Maintainer,
> 
> At least 3.2.57-1 and 3.2.57-2 Debian kernels from
> stable-proposed-updates archive crash after issuing "sudo ifup wlan0=h"
> command. (netconsole output will be provided in a separate e-mail.)
> 
> Previous stable kernels worked fine on the same laptop but I have not
> tried to downgrade the kernel to double-check whether current stable
> version continues to work now.

Does this patch fix it?

You can build a new kernel package by following the instructions at
<http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>, or if that is going to take a long time then I can do that for you.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 19 Apr 2014 14:36:43 +0100
Subject: rtl8192ce: Fix null dereference in watchdog
Bug-Debian: https://bugs.debian.org/745137

Dmitry Semyonov reported that after upgrading from 3.2.54-2 to
3.2.57-1 the rtl8192ce driver will crash when its interface is brought
up.  The oops message shows:

[ 1833.611397] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[ 1833.611455] IP: [<ffffffffa0410c6a>] rtl92ce_update_hal_rate_tbl+0x29/0x4db [rtl8192ce]
...
[ 1833.613326] Call Trace:
[ 1833.613346]  [<ffffffffa02ad9c6>] ? rtl92c_dm_watchdog+0xd0b/0xec9 [rtl8192c_common]
[ 1833.613391]  [<ffffffff8105b5cf>] ? process_one_work+0x161/0x269
[ 1833.613425]  [<ffffffff8105c598>] ? worker_thread+0xc2/0x145
[ 1833.613458]  [<ffffffff8105c4d6>] ? manage_workers.isra.25+0x15b/0x15b
[ 1833.613496]  [<ffffffff8105f6d9>] ? kthread+0x76/0x7e
[ 1833.613527]  [<ffffffff81356b74>] ? kernel_thread_helper+0x4/0x10
[ 1833.613563]  [<ffffffff8105f663>] ? kthread_worker_fn+0x139/0x139
[ 1833.613598]  [<ffffffff81356b70>] ? gs_change+0x13/0x13

Disassembly of rtl92ce_update_hal_rate_tbl() shows that the 'sta'
parameter was null.  None of the changes to the rtlwifi family between
3.2.54 and 3.2.57 seem to directly cause this, but my suspicion is that
this is caused by a race condition that was unmasked by commit
f78bccd79ba3 ('rtlwifi: rtl8192ce: Fix too long disable of IRQs').

rtl92c_dm_watchdog() calls rtl92ce_update_hal_rate_tbl() via
rtl92c_dm_refresh_rate_adaptive_mask(), which does not appear in the
call trace as it was inlined.  That function has been completely
removed upstream which may explain why this crash wasn't seen there.

I'm not sure that it is sensible to completely remove
rtl92c_dm_refresh_rate_adaptive_mask() without making other
compensating changes elsewhere, so try to work around this for 3.2 by
checking for a null pointer in rtl92c_dm_refresh_rate_adaptive_mask()
and then skipping the call to rtl92ce_update_hal_rate_tbl().

--- a/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c
+++ b/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c
@@ -1228,11 +1228,14 @@ static void rtl92c_dm_refresh_rate_adapt
 			if (rtlhal->interface == INTF_PCI) {
 				rcu_read_lock();
 				sta = ieee80211_find_sta(mac->vif, mac->bssid);
+				if (!sta)
+					goto out_unlock;
 			}
 			rtlpriv->cfg->ops->update_rate_tbl(hw, sta,
 					p_ra->ratr_state);
 
 			p_ra->pre_ratr_state = p_ra->ratr_state;
+		out_unlock:
 			if (rtlhal->interface == INTF_PCI)
 				rcu_read_unlock();
 		}
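Review bot: the early `goto out_unlock` on a NULL `sta` also skips `p_ra->pre_ratr_state = p_ra->ratr_state;`, so the driver will retry the rate-table update on the next watchdog pass rather than treating this state as applied; that looks like the intended behaviour, but it is not obvious from the hunk and deserves a one-line comment next to the check, e.g. `/* sta may be gone (race with disconnect); retry on the next watchdog run */`. The label placement is otherwise sound: `out_unlock:` is only reached by the goto under `INTF_PCI` or by fall-through, so re-testing `rtlhal->interface` before `rcu_read_unlock()` keeps the lock/unlock balanced on both paths.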


