From: Greg Kroah-Hartman Date: Wed, 30 Jan 2013 10:24:33 +0000 (+0100) Subject: 3.4-stable patches X-Git-Tag: v3.0.62~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd072ad74f465151f315be269ee630475760871e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: ath9k-do-not-link-receive-buffers-during-flush.patch ath9k-fix-double-free-bug-on-beacon-generate-failure.patch --- diff --git a/queue-3.4/ath9k-do-not-link-receive-buffers-during-flush.patch b/queue-3.4/ath9k-do-not-link-receive-buffers-during-flush.patch new file mode 100644 index 00000000000..c5b23bfaed3 --- /dev/null +++ b/queue-3.4/ath9k-do-not-link-receive-buffers-during-flush.patch @@ -0,0 +1,51 @@ +From a3dc48e82bb146ef11cf75676c8410c1df29b0c4 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 9 Jan 2013 16:16:52 +0100 +Subject: ath9k: do not link receive buffers during flush + +From: Felix Fietkau + +commit a3dc48e82bb146ef11cf75676c8410c1df29b0c4 upstream. + +On AR9300 the rx FIFO needs to be empty during reset to ensure that no +further DMA activity is generated, otherwise it might lead to memory +corruption issues. + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/recv.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/recv.c ++++ b/drivers/net/wireless/ath/ath9k/recv.c +@@ -778,6 +778,7 @@ static struct ath_buf *ath_get_next_rx_b + return NULL; + } + ++ list_del(&bf->list); + if (!bf->bf_mpdu) + return bf; + +@@ -1966,14 +1967,15 @@ requeue_drop_frag: + sc->rx.frag = NULL; + } + requeue: ++ list_add_tail(&bf->list, &sc->rx.rxbuf); ++ if (flush) ++ continue; ++ + if (edma) { +- list_add_tail(&bf->list, &sc->rx.rxbuf); + ath_rx_edma_buf_link(sc, qtype); + } else { +- list_move_tail(&bf->list, &sc->rx.rxbuf); + ath_rx_buf_link(sc, bf); +- if (!flush) +- ath9k_hw_rxena(ah); ++ ath9k_hw_rxena(ah); + } + } while (1); + diff --git a/queue-3.4/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch b/queue-3.4/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch new file mode 100644 index 00000000000..5cd5b5d7791 --- /dev/null +++ b/queue-3.4/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch @@ -0,0 +1,32 @@ +From 1adb2e2b5f85023d17eb4f95386a57029df27c88 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 9 Jan 2013 16:16:53 +0100 +Subject: ath9k: fix double-free bug on beacon generate failure + +From: Felix Fietkau + +commit 1adb2e2b5f85023d17eb4f95386a57029df27c88 upstream. + +When the next beacon is sent, the ath_buf from the previous run is reused. +If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet +the skb is freed, leading to a double-free on the next beacon tx attempt, +resulting in a system crash. + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/beacon.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/ath9k/beacon.c ++++ b/drivers/net/wireless/ath/ath9k/beacon.c +@@ -154,6 +154,7 @@ static struct ath_buf *ath_beacon_genera + skb->len, DMA_TO_DEVICE); + dev_kfree_skb_any(skb); + bf->bf_buf_addr = 0; ++ bf->bf_mpdu = NULL; + } + + /* Get a new beacon from mac80211 */ diff --git a/queue-3.4/series b/queue-3.4/series index e68aba2041c..05a729428e4 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -15,3 +15,5 @@ iwlegacy-fix-ibss-cleanup.patch brcmsmac-increase-timer-reference-count-for-new-timers-only.patch mac80211-fix-ft-roaming.patch ath9k_htc-fix-memory-leak.patch +ath9k-do-not-link-receive-buffers-during-flush.patch +ath9k-fix-double-free-bug-on-beacon-generate-failure.patch