Control: tag -1 patch moreinfo

On Fri, 2014-04-18 at 14:28 +0400, Dmitry Semyonov wrote:
> Package: src:linux
> Version: 3.2.57-1
> Severity: important
>
> Dear Maintainer,
>
> At least 3.2.57-1 and 3.2.57-2 Debian kernels from
> stable-proposed-updates archive crash after issuing "sudo ifup wlan0=h"
> command. (netconsole output will be provided in a separate e-mail.)
>
> Previous stable kernels worked fine on the same laptop but I have not
> tried to downgrade the kernel to double-check whether current stable
> version continues to work now.
Does this patch fix it? You can build a new kernel package by following
the instructions at
<http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>,
or if that is going to take a long time then I can do that for you.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
From: Ben Hutchings <b...@decadent.org.uk>
Date: Sat, 19 Apr 2014 14:36:43 +0100
Subject: rtl8192ce: Fix null dereference in watchdog
Bug-Debian: https://bugs.debian.org/745137

Dmitry Semyonov reported that after upgrading from 3.2.54-2 to 3.2.57-1
the rtl8192ce driver will crash when its interface is brought up. The
oops message shows:

[ 1833.611397] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[ 1833.611455] IP: [<ffffffffa0410c6a>] rtl92ce_update_hal_rate_tbl+0x29/0x4db [rtl8192ce]
...
[ 1833.613326] Call Trace:
[ 1833.613346] [<ffffffffa02ad9c6>] ? rtl92c_dm_watchdog+0xd0b/0xec9 [rtl8192c_common]
[ 1833.613391] [<ffffffff8105b5cf>] ? process_one_work+0x161/0x269
[ 1833.613425] [<ffffffff8105c598>] ? worker_thread+0xc2/0x145
[ 1833.613458] [<ffffffff8105c4d6>] ? manage_workers.isra.25+0x15b/0x15b
[ 1833.613496] [<ffffffff8105f6d9>] ? kthread+0x76/0x7e
[ 1833.613527] [<ffffffff81356b74>] ? kernel_thread_helper+0x4/0x10
[ 1833.613563] [<ffffffff8105f663>] ? kthread_worker_fn+0x139/0x139
[ 1833.613598] [<ffffffff81356b70>] ? gs_change+0x13/0x13

Disassembly of rtl92ce_update_hal_rate_tbl() shows that the 'sta'
parameter was null.

None of the changes to the rtlwifi family between 3.2.54 and 3.2.57
seem to directly cause this, but my suspicion is that this is caused by
a race condition that was unmasked by commit f78bccd79ba3 ('rtlwifi:
rtl8192ce: Fix too long disable of IRQs').

rtl92c_dm_watchdog() calls rtl92ce_update_hal_rate_tbl() via
rtl92c_dm_refresh_rate_adaptive_mask(), which does not appear in the
call trace as it was inlined. That function has been completely removed
upstream which may explain why this crash wasn't seen there.
I'm not sure that it is sensible to completely remove rtl92c_dm_refresh_rate_adaptive_mask() without making other compensating changes elsewhere, so try to work around this for 3.2 by checking for a null pointer in rtl92c_dm_refresh_rate_adaptive_mask() and then skipping the call to rtl92ce_update_hal_rate_tbl(). --- a/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c +++ b/drivers/net/wireless/rtlwifi/rtl8192c/dm_common.c @@ -1228,11 +1228,14 @@ static void rtl92c_dm_refresh_rate_adapt if (rtlhal->interface == INTF_PCI) { rcu_read_lock(); sta = ieee80211_find_sta(mac->vif, mac->bssid); + if (!sta) + goto out_unlock; } rtlpriv->cfg->ops->update_rate_tbl(hw, sta, p_ra->ratr_state); p_ra->pre_ratr_state = p_ra->ratr_state; + out_unlock: if (rtlhal->interface == INTF_PCI) rcu_read_unlock(); }
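Review bot: the new `if (!sta) goto out_unlock;` sits inside the `if (rtlhal->interface == INTF_PCI)` block, so on the non-PCI path `rtlpriv->cfg->ops->update_rate_tbl(hw, sta, ...)` is still reached with whatever `sta` held before that block; if `sta` is guaranteed non-null there, a one-line comment saying so would save the next reader the same question, otherwise the check belongs after the block rather than inside it. Two further points worth a comment in the hunk: the skipped path deliberately leaves `p_ra->pre_ratr_state` untouched, so the rate-table update is attempted again on the next watchdog run instead of being recorded as done, which is the right behaviour but is not obvious from `goto out_unlock`; and since the report says the crash happens at ifup, before any station need exist, a null result from `ieee80211_find_sta()` should be treated as a normal outcome here (a plain skip, no WARN_ON), not only as the race the commit message suspects.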
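The watchdog path the patch guards, modelled in user space as an added example (this is not Debian's or the rtlwifi driver's code). The names `sta`, `ratr_state`, `pre_ratr_state` and `update_rate_tbl` mirror the hunk above; the `struct sta_info` layout, the station table standing in for `ieee80211_find_sta()`, the `assoc_tick` parameter and the tick sequence are all constructed here. It shows the two shapes of the refresh function side by side: the pre-patch one dereferences whatever the lookup returns, the post-patch one skips the update and, because `pre_ratr_state` is only advanced on the success path, leaves the update pending for the next watchdog run once a station appears.

```c
/* Added example, not driver code: user-space model of the
 * rtl92c_dm_refresh_rate_adaptive_mask() fix. All structs and the
 * station table are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sta_info {            /* hypothetical stand-in for the mac80211 sta */
    int aid;
    unsigned char addr[6];
};

struct rate_adaptive {       /* the two fields the hunk touches */
    int ratr_state;
    int pre_ratr_state;
};

/* Stand-in for the table ieee80211_find_sta() searches. An empty table
 * models "interface up, not associated yet": the lookup returns NULL. */
static struct sta_info *g_sta_table[4];

static struct sta_info *model_find_sta(const unsigned char *bssid)
{
    for (size_t i = 0; i < sizeof g_sta_table / sizeof g_sta_table[0]; i++)
        if (g_sta_table[i] && memcmp(g_sta_table[i]->addr, bssid, 6) == 0)
            return g_sta_table[i];
    return NULL;
}

static int g_rate_tbl_updates;   /* how many times the table was written */
static int g_last_aid;           /* aid seen by the last update */

int rate_tbl_updates(void) { return g_rate_tbl_updates; }
int last_aid(void)         { return g_last_aid; }

/* Stand-in for rtl92ce_update_hal_rate_tbl(): like the driver it assumes
 * sta is valid and dereferences it unconditionally. Called with NULL this
 * is the oops from the report. */
static void model_update_rate_tbl(struct sta_info *sta, int ratr_state)
{
    (void)ratr_state;
    g_last_aid = sta->aid;
    g_rate_tbl_updates++;
}

/* Pre-patch shape: no NULL check. Only ever called here with a station
 * present, since with an empty table it would fault like the driver did. */
void refresh_unguarded(struct rate_adaptive *ra, const unsigned char *bssid)
{
    struct sta_info *sta = model_find_sta(bssid);
    model_update_rate_tbl(sta, ra->ratr_state);
    ra->pre_ratr_state = ra->ratr_state;
}

/* Post-patch shape: skip the update when no station is found. Returns 1
 * when the table was updated, 0 when the tick was skipped. pre_ratr_state
 * is advanced only on the success path, exactly as in the hunk. */
int refresh_guarded(struct rate_adaptive *ra, const unsigned char *bssid)
{
    struct sta_info *sta;
    int updated = 0;

    /* rcu_read_lock() in the driver; nothing to lock in this model */
    sta = model_find_sta(bssid);
    if (!sta)
        goto out_unlock;
    model_update_rate_tbl(sta, ra->ratr_state);
    ra->pre_ratr_state = ra->ratr_state;
    updated = 1;
out_unlock:
    /* rcu_read_unlock() in the driver */
    return updated;
}

/* Drive the watchdog for `ticks` runs; a station associates at tick
 * `assoc_tick` (constructed schedule). Returns the tick on which the rate
 * table was first updated, or -1 if it never was. */
int run_watchdog(int ticks, int assoc_tick)
{
    static const unsigned char bssid[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    struct sta_info ap = { .aid = 1 };
    struct rate_adaptive ra = { .ratr_state = 2, .pre_ratr_state = 0 };
    int first = -1;

    memcpy(ap.addr, bssid, 6);
    memset(g_sta_table, 0, sizeof g_sta_table);
    g_rate_tbl_updates = 0;
    g_last_aid = -1;

    for (int t = 0; t < ticks; t++) {
        if (t == assoc_tick)
            g_sta_table[0] = &ap;        /* association completes here */
        if (refresh_guarded(&ra, bssid) && first < 0)
            first = t;
    }
    return first;
}

int main(void)
{
    int t = run_watchdog(5, 3);
    printf("guarded: first update on tick %d, %d updates, aid %d\n",
           t, rate_tbl_updates(), last_aid());
    return 0;
}
```

Running it shows three skipped ticks before the station appears and two updates afterwards; an unguarded refresh on any of the first three ticks would have been the reported NULL dereference.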