From: Greg Kroah-Hartman
Date: Mon, 5 Nov 2012 13:34:17 +0000 (+0100)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.52~49
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19cb8f9f6bc14af6b1bfc9f81226c8b7aa696c0f;p=thirdparty%2Fkernel%2Fstable-queue.git
3.0-stable patches added patches: ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
---
diff --git a/queue-3.0/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch b/queue-3.0/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
new file mode 100644
index 00000000000..4459c18c3fe
--- /dev/null
+++ b/queue-3.0/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
@@ -0,0 +1,43 @@
+From 8c6e30936a7893a85f6222084f0f26aceb81137a Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Fri, 26 Oct 2012 00:31:11 +0200
+Subject: ath9k: fix stale pointers potentially causing access to free'd skbs
+
+From: Felix Fietkau
+
+commit 8c6e30936a7893a85f6222084f0f26aceb81137a upstream.
+
+bf->bf_next is only while buffers are chained as part of an A-MPDU
+in the tx queue. When a tid queue is flushed (e.g. on tearing down
+an aggregation session), frames can be enqueued again as normal
+transmission, without bf_next being cleared. This can lead to the
+old pointer being dereferenced again later.
+
+This patch might fix crashes and "Failed to stop TX DMA!" messages.
+
+Signed-off-by: Felix Fietkau
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath9k/xmit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -272,6 +272,7 @@ static struct ath_buf *ath_tx_get_buffer
+ }
+
+ bf = list_first_entry(&sc->tx.txbuf, struct ath_buf, list);
++ bf->bf_next = NULL;
+ list_del(&bf->list);
+
+ spin_unlock_bh(&sc->tx.txbuflock);
+@@ -1488,6 +1489,7 @@ static void ath_tx_send_normal(struct at
+ if (tid)
+ INCR(tid->seq_start, IEEE80211_SEQ_MAX);
+
++ bf->bf_next = NULL;
+ bf->bf_lastbf = bf;
+ fi = get_frame_info(bf->bf_mpdu);
+ ath_buf_set_rate(sc, bf, fi->framelen);
diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644
index 00000000000..45e1209d72a
--- /dev/null
+++ b/queue-3.0/series
@@ -0,0 +1 @@
+ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch
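Review bot: Both added `bf->bf_next = NULL;` lines in the queued ath9k patch (the `ath_tx_get_buffer` hunk at -272 and the `ath_tx_send_normal` hunk at -1488) carry no comment, so the invariant they protect is recorded only in the commit message. Because the message ties the stale pointer to access to freed skbs, I would state it next to the code, for example `/* bf_next is only meaningful while chained in an A-MPDU; drop any stale link */`. The reset is applied where a buffer is handed out or sent as a normal frame, not where the tid queue is flushed, so a path that re-queues a flushed buffer without passing through either function would presumably keep the old pointer. Both function bodies start and end outside the hunks, so that cannot be confirmed from here and is worth checking against the full xmit.c.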