From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Sat, 10 Dec 2011 17:07:54 +0000 (-0800)
Subject: 3.0 patches
X-Git-Tag: v3.0.14~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a076cffa98507198a3ca6ac1690d3d2f913fd824;p=thirdparty%2Fkernel%2Fstable-queue.git

3.0 patches

added patches:
	mac80211-fix-race-condition-caused-by-late-addba-response.patch
---

diff --git a/queue-3.0/mac80211-fix-race-condition-caused-by-late-addba-response.patch b/queue-3.0/mac80211-fix-race-condition-caused-by-late-addba-response.patch
new file mode 100644
index 00000000000..b6e57bac922
--- /dev/null
+++ b/queue-3.0/mac80211-fix-race-condition-caused-by-late-addba-response.patch
@@ -0,0 +1,63 @@
+From johannes@sipsolutions.net  Sat Dec 10 09:04:20 2011
+From: Nikolay Martynov <mar.kolya@gmail.com>
+Date: Sat, 10 Dec 2011 17:31:23 +0100
+Subject: mac80211: fix race condition caused by late addBA response
+To: Greg KH <gregkh@suse.de>
+Cc: Greg KH <greg@kroah.com>, Nikolay Martynov <mar.kolya@gmail.com>, John Linville <linville@tuxdriver.com>, stable@vger.kernel.org
+Message-ID: <1323534683.3344.30.camel@jlt3.sipsolutions.net>
+
+
+From: Nikolay Martynov <mar.kolya@gmail.com>
+
+Upstream commit d305a6557b2c4dca0110f05ffe745b1ef94adb80.
+
+If addBA responses comes in just after addba_resp_timer has
+expired mac80211 will still accept it and try to open the
+aggregation session. This causes drivers to be confused and
+in some cases even crash.
+
+This patch fixes the race condition and makes sure that if
+addba_resp_timer has expired addBA response is not longer
+accepted and we do not try to open half-closed session.
+
+Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
+[some adjustments]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/agg-tx.c |   17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -792,12 +792,27 @@ void ieee80211_process_addba_resp(struct
+ 		goto out;
+ 	}
+ 
+-	del_timer(&tid_tx->addba_resp_timer);
++	del_timer_sync(&tid_tx->addba_resp_timer);
+ 
+ #ifdef CONFIG_MAC80211_HT_DEBUG
+ 	printk(KERN_DEBUG "switched off addBA timer for tid %d\n", tid);
+ #endif
+ 
++	/*
++	 * addba_resp_timer may have fired before we got here, and
++	 * caused WANT_STOP to be set. If the stop then was already
++	 * processed further, STOPPING might be set.
++	 */
++	if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) ||
++	    test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
++#ifdef CONFIG_MAC80211_HT_DEBUG
++		printk(KERN_DEBUG
++		       "got addBA resp for tid %d but we already gave up\n",
++		       tid);
++#endif
++		goto out;
++	}
++
+ 	if (le16_to_cpu(mgmt->u.action.u.addba_resp.status)
+ 			== WLAN_STATUS_SUCCESS) {
+ 		/*
diff --git a/queue-3.0/series b/queue-3.0/series
index 663b079a036..714c5236bf9 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -19,3 +19,4 @@ intel-iommu-set-iommu_superpage-on-vm-domains-to-lowest-common-denominator.patch
 intel-iommu-fix-superpage-support-in-pfn_to_dma_pte.patch
 percpu-fix-chunk-range-calculation.patch
 iwlwifi-do-not-re-configure-ht40-after-associated.patch
+mac80211-fix-race-condition-caused-by-late-addba-response.patch