kernel_optimize_test/drivers
Johannes Berg 827d42c9ac mac80211: fix spurious delBA handling
Lennert Buytenhek noticed that delBA handling in mac80211
was broken and has remotely triggerable problems, some of
which are due to some code shuffling I did that ended up
changing the order in which things were done -- this was

  commit d75636ef9c
  Author: Johannes Berg <johannes@sipsolutions.net>
  Date:   Tue Feb 10 21:25:53 2009 +0100

    mac80211: RX aggregation: clean up stop session

and other parts were already present in the original

  commit d92684e660
  Author: Ron Rindjunsky <ron.rindjunsky@intel.com>
  Date:   Mon Jan 28 14:07:22 2008 +0200

      mac80211: A-MPDU Tx add delBA from recipient support

The first problem is that I moved a BUG_ON before various
checks -- thereby making it possible to hit. As the comment
indicates, the BUG_ON can be removed since the ampdu_action
callback must already exist when the state is != IDLE.

The second problem isn't easily exploitable but there's a
race condition due to unconditionally setting the state to
OPERATIONAL when a delBA frame is received, even when no
aggregation session was ever initiated. All the drivers
accept stopping the session even then, but that opens a
race window where crashes could happen before the driver
accepts it. Right now, a WARN_ON may happen with non-HT
drivers, while the race opens only for HT drivers.

For this case, there are two things necessary to fix it:
 1) don't process spurious delBA frames, and be more careful
    about the session state; don't drop the lock

 2) HT drivers need to be prepared to handle a session stop
    even before the session was really started -- this is
    true for all drivers (that support aggregation) but
    iwlwifi which can be fixed easily. The other HT drivers
    (ath9k and ar9170) are behaving properly already.

Reported-by: Lennert Buytenhek <buytenh@marvell.com>
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-11-30 13:55:51 -05:00
accessibility
acpi Merge branch 'bugzilla-13449' into release 2009-11-06 01:45:11 -05:00
amba
ata sata_via: Remove redundant device ID for VIA VT8261 2009-11-03 14:27:06 -05:00
atm
auxdisplay
base PM: Remove some debug messages producing too much noise 2009-11-03 11:18:18 +01:00
block loop: fix NULL dereference if mount fails 2009-10-29 07:39:27 -07:00
bluetooth fix memory leak in fixed btusb_close 2009-11-14 12:57:08 -08:00
cdrom
char Merge branch 'agp-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/agp-2.6 2009-11-18 17:08:16 -08:00
clocksource
connector
cpufreq [CPUFREQ] Fix stale cpufreq_cpu_governor pointer 2009-11-17 23:15:04 -05:00
cpuidle cpuidle: always return with interrupts enabled 2009-10-29 07:39:31 -07:00
crypto
dca
dio
dma
edac amd64_edac: fix CECCs reporting 2009-11-04 14:04:06 +01:00
eisa
firewire
firmware
gpio gpiolib: fix device_create() result check 2009-11-12 07:26:00 -08:00
gpu Merge branch 'hostprogs-wmissing-prototypes' of git://git.kernel.org/pub/scm/linux/kernel/git/josh/linux-misc 2009-11-17 09:14:49 -08:00
hid
hwmon hwmon: (adt7475) Fix sysfs file names 2009-11-16 12:45:40 +01:00
i2c i2c-piix4: Modify code name SB900 to Hudson-2 2009-11-07 13:10:46 +01:00
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide-2.6 2009-11-09 09:50:55 -08:00
idle
ieee1394
ieee802154 ieee802154: dont leak skbs in ieee802154_fake_xmit() 2009-11-19 13:16:21 -08:00
infiniband
input Input: lifebook - fix settings for CF-72 2009-11-16 22:27:12 -08:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-11-18 14:54:45 -08:00
leds leds-gpio: fix possible crash on OF device unbinding 2009-11-16 11:50:42 +00:00
lguest
macintosh
mca
md md/raid5: Allow dirty-degraded arrays to be assembled when only party is degraded. 2009-11-13 17:47:00 +11:00
media V4L/DVB (13314): saa7134: set ts_force_val for the Hauppauge WinTV HVR-1150 2009-11-07 12:55:15 -02:00
memstick
message
mfd mfd: Do not dereference null pointer in twl4030 error path 2009-10-27 00:20:33 +01:00
misc sgi-gru: decrapfiy options_write() function 2009-11-05 10:48:30 -08:00
mmc mmci-omap: free irq resource 2009-11-12 07:25:57 -08:00
mtd ARM: Fix warning in sa1100-flash.c 2009-11-16 16:13:35 +00:00
net mac80211: fix spurious delBA handling 2009-11-30 13:55:51 -05:00
nubus
of
oprofile
parisc
parport
pci Merge git://git.infradead.org/users/dwmw2/iommu-2.6.32 2009-11-14 13:05:27 -08:00
pcmcia PM / yenta: Split resume into early and late parts (rev. 4) 2009-11-03 10:54:58 +01:00
platform eeepc-laptop: don't enable camera at startup if it's already on. 2009-11-03 10:24:19 -05:00
pnp
power
pps pps: events reporting fix up 2009-11-12 07:26:01 -08:00
ps3
rapidio
regulator dereferencing freed memory regulator_fixed_voltage_remove() 2009-11-16 12:40:25 +00:00
rtc ARM: 5787/1: U300 COH 901 331 fixes 2009-11-16 16:15:49 +00:00
s390 [S390] sclp: undo quiesce handler override on resume 2009-11-13 15:45:03 +01:00
sbus
scsi [SCSI] bfa: declare MODULE_FIRMWARE 2009-11-11 12:21:06 -05:00
serial serial: add support for the Lava Quattro PCI quad-port 16550A card 2009-11-12 07:25:57 -08:00
sfi
sh
sn
spi spi: error status should be negative 2009-11-17 17:40:32 -08:00
ssb ssb-pcmcia: Fix 32bit register access in early bus scanning 2009-11-10 16:21:12 -05:00
staging Staging: fix wireless drivers depends 2009-10-30 14:47:44 -07:00
tc
telephony
thermal acpi: thermal: Add EOL to the trip_point_N_type strings 2009-11-05 17:33:24 -05:00
uio uio: pm_runtime_disable is needed if failed 2009-11-13 11:36:00 +09:00
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6 2009-11-18 07:37:51 -08:00
uwb
video drivers/video/da8xx-fb.c: fix error return 2009-11-17 17:40:33 -08:00
virtio virtio: order used ring after used index read 2009-10-29 08:50:37 +10:30
vlynq
w1
watchdog [WATCHDOG] SBC-FITPC2 watchdog driver registration fix 2009-11-10 15:06:52 +00:00
xen
zorro
Kconfig
Makefile