[3.8.y.z extended stable] Patch "rt2x00: fix a crash bug in the HT descriptor handling fix" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Fri Dec 6 23:08:41 UTC 2013


This is a note to let you know that I have just added a patch titled

    rt2x00: fix a crash bug in the HT descriptor handling fix

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.14.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 3c7301a076e1bbd108a6cb2a5663d375d67fca9b Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd at openwrt.org>
Date: Thu, 14 Nov 2013 21:33:15 +0100
Subject: rt2x00: fix a crash bug in the HT descriptor handling fix

commit b4089d6d8e71a7293e2192025dfa507a04f661c4 upstream.

Commit "rt2x00: fix HT TX descriptor settings regression"
assumes that the control parameter to rt2x00mac_tx is always non-NULL.
There is an internal call in rt2x00lib_bc_buffer_iter where NULL is
passed. Fix the resulting crash by adding an initialized dummy on-stack
ieee80211_tx_control struct.

Signed-off-by: Felix Fietkau <nbd at openwrt.org>
Acked-by: Gertjan van Wingerde <gwingerde at gmail.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/net/wireless/rt2x00/rt2x00dev.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index cdbfc30..a1789f5 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -181,6 +181,7 @@ static void rt2x00lib_autowakeup(struct work_struct *work)
 static void rt2x00lib_bc_buffer_iter(void *data, u8 *mac,
 				     struct ieee80211_vif *vif)
 {
+	struct ieee80211_tx_control control = {};
 	struct rt2x00_dev *rt2x00dev = data;
 	struct sk_buff *skb;

@@ -195,7 +196,7 @@ static void rt2x00lib_bc_buffer_iter(void *data, u8 *mac,
 	 */
 	skb = ieee80211_get_buffered_bc(rt2x00dev->hw, vif);
 	while (skb) {
-		rt2x00mac_tx(rt2x00dev->hw, NULL, skb);
+		rt2x00mac_tx(rt2x00dev->hw, &control, skb);
 		skb = ieee80211_get_buffered_bc(rt2x00dev->hw, vif);
 	}
 }
--
1.8.3.2





More information about the kernel-team mailing list