1
linux/net/wireless
Luis R. Rodriguez 2784fe915c cfg80211: fix null pointer dereference with a custom regulatory request
Once we moved the core regulatory request to the queue and let
the scheduler process it last_request will have been left NULL
until the schedular decides to process the first request. When
this happens and we are loading a driver with a custom regulatory
request like all Atheros drivers we end up with a NULL pointer
dereference. We fix this by checking if the request was a
custom one.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: [<ffffffffa016de87>] freq_reg_info_regd.clone.2+0x27/0x130 [cfg80211]
PGD 71f91067 PUD 712b2067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-1/firmware/2-1/loading
CPU 0
Modules linked in: ath9k_htc(+) ath9k_common ath9k_hw ath <etc>
Pid: 3094, comm: insmod Tainted: G        W   2.6.37-rc5-wl #16 INVALID/28427ZQ
RIP: 0010:[<ffffffffa016de87>]  [<ffffffffa016de87>] freq_reg_info_regd.clone.2+0x27/0x130 [cfg80211]
RSP: 0018:ffff88007045db78  EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa047d9a0 RCX: ffff88007045dbd0
RDX: 0000000000004e20 RSI: 000000000024cde0 RDI: ffff8800700483e0
RBP: ffff88007045db98 R08: ffffffffa02f5b40 R09: 0000000000000001
R10: 000000000000000e R11: 0000000000000001 R12: 0000000000000000
R13: ffff88007004e3b0 R14: 0000000000000000 R15: ffff880070048340
FS:  00007f635a707700(0000) GS:ffff880077400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000004 CR3: 00000000708a9000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process insmod (pid: 3094, threadinfo ffff88007045c000, task ffff8800713e3ec0)
Stack:
 ffffffffa047d9a0 0000000000000000 ffff88007004e3b0 0000000000000000
 ffff88007045dc08 ffffffffa016e147 000000007045dc08 0000000000000002
 ffff8800700483e0 ffffffffa02f5b40 ffff88007045dbd8 0000000000000000
Call Trace:
 [<ffffffffa016e147>] wiphy_apply_custom_regulatory+0x137/0x1d0 [cfg80211]
 [<ffffffffa047a690>] ? ath9k_reg_notifier+0x0/0x50 [ath9k_htc]
 [<ffffffffa02f47f7>] ath_regd_init+0x347/0x430 [ath]
 [<ffffffffa047b1f5>] ath9k_htc_probe_device+0x6c5/0x960 [ath9k_htc]
 [<ffffffffa0472a2c>] ath9k_htc_hw_init+0xc/0x30 [ath9k_htc]
 [<ffffffffa04747e6>] ath9k_hif_usb_probe+0x216/0x3b0 [ath9k_htc]
 [<ffffffffa03bb6bc>] usb_probe_interface+0x10c/0x210 [usbcore]
 [<ffffffff812aec26>] driver_probe_device+0x96/0x1c0
 [<ffffffff812aedf3>] __driver_attach+0xa3/0xb0
 [<ffffffff812aed50>] ? __driver_attach+0x0/0xb0
 [<ffffffff812adaae>] bus_for_each_dev+0x5e/0x90
 [<ffffffff812ae8c9>] driver_attach+0x19/0x20
 [<ffffffff812ae438>] bus_add_driver+0x168/0x320
 [<ffffffff812af071>] driver_register+0x71/0x140
 [<ffffffff811fc4a8>] ? __raw_spin_lock_init+0x38/0x70
 [<ffffffffa03ba39c>] usb_register_driver+0xdc/0x190 [usbcore]
 [<ffffffffa03a2000>] ? ath9k_htc_init+0x0/0x4f [ath9k_htc]
 [<ffffffffa047499e>] ath9k_hif_usb_init+0x1e/0x20 [ath9k_htc]
 [<ffffffffa03a202b>] ath9k_htc_init+0x2b/0x4f [ath9k_htc]
 [<ffffffff8100212f>] do_one_initcall+0x3f/0x180
 [<ffffffff8109ef5b>] sys_init_module+0xbb/0x200
 [<ffffffff8100bf52>] system_call_fastpath+0x16/0x1b
Code: <etc, who cares>
RIP  [<ffffffffa016de87>] freq_reg_info_regd.clone.2+0x27/0x130 [cfg80211]
 RSP <ffff88007045db78>
CR2: 0000000000000004
---[ end trace 79e4193601c8b713 ]---

Reported-by: Sujith Manoharan <Sujith.Manoharan@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-12-16 15:22:31 -05:00
..
.gitignore wireless: support internal statically compiled regulatory database 2009-12-21 18:56:10 -05:00
chan.c cfg80211: fix can_beacon_sec_chan, reenable HT40 2010-11-18 11:35:05 -05:00
core.c cfg80211/mac80211: add mesh join/leave commands 2010-12-06 16:01:29 -05:00
core.h cfg80211/mac80211: add mesh join/leave commands 2010-12-06 16:01:29 -05:00
db.txt wireless: support internal statically compiled regulatory database 2009-12-21 18:56:10 -05:00
debugfs.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
debugfs.h
ethtool.c
ethtool.h
genregdb.awk wireless: correct sparse warning in generated regdb.c 2010-07-20 16:49:37 -04:00
ibss.c cfg80211/mac80211: allow per-station GTKs 2010-10-06 16:30:40 -04:00
Kconfig wireless: remove CONFIG_WIRELESS_OLD_REGULATORY 2009-12-28 16:31:37 -05:00
lib80211_crypt_ccmp.c lib80211: remove unused host_build_iv option 2010-07-26 15:09:04 -04:00
lib80211_crypt_tkip.c net/wireless: Use pr_<level> and netdev_<level> 2010-11-24 16:19:33 -05:00
lib80211_crypt_wep.c lib80211: remove unused host_build_iv option 2010-07-26 15:09:04 -04:00
lib80211.c net/wireless: Use pr_<level> and netdev_<level> 2010-11-24 16:19:33 -05:00
Makefile cfg80211/mac80211: add mesh join/leave commands 2010-12-06 16:01:29 -05:00
mesh.c cfg80211/mac80211: add mesh join/leave commands 2010-12-06 16:01:29 -05:00
mlme.c nl80211: Add notification for dropped Deauth/Disassoc 2010-12-16 15:22:30 -05:00
nl80211.c nl80211: Add notification for dropped Deauth/Disassoc 2010-12-16 15:22:30 -05:00
nl80211.h nl80211: Add notification for dropped Deauth/Disassoc 2010-12-16 15:22:30 -05:00
radiotap.c radiotap: fix vendor namespace parsing 2010-10-15 15:57:34 -04:00
reg.c cfg80211: fix null pointer dereference with a custom regulatory request 2010-12-16 15:22:31 -05:00
reg.h wireless: move regulatory_init to .init.text 2010-06-18 15:11:13 -04:00
regdb.h wireless: support internal statically compiled regulatory database 2009-12-21 18:56:10 -05:00
scan.c cfg80211: update information elements in cached BSS struct 2010-12-13 15:23:28 -05:00
sme.c cfg80211/mac80211: allow per-station GTKs 2010-10-06 16:30:40 -04:00
sysfs.c wireless: Print wiphy name in sysfs. 2010-10-12 16:05:29 -04:00
sysfs.h
util.c cfg80211/nl80211: separate unicast/multicast default TX keys 2010-12-13 15:23:28 -05:00
wext-compat.c cfg80211/nl80211: separate unicast/multicast default TX keys 2010-12-13 15:23:28 -05:00
wext-compat.h
wext-core.c net/wireless: Use pr_<level> and netdev_<level> 2010-11-24 16:19:33 -05:00
wext-priv.c wext: fix potential private ioctl memory content leak 2010-09-20 13:41:40 -04:00
wext-proc.c net: spread __net_init, __net_exit 2010-01-17 19:16:02 -08:00
wext-sme.c cfg80211: allow changing port control protocol 2010-08-27 13:27:07 -04:00
wext-spy.c