From 09987790aebd48c176ab559ebb68c925bbf6ef4d Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 19 Dec 2006 22:52:16 +0000 Subject: add two patches from madwifi trac ticket 914 - should fix multiple wlanconfig create/destroy runs and a few wds related crashes git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5865 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- package/madwifi/patches/110-init_fix_PR_914.patch | 22 ++++++++++++ package/madwifi/patches/111-wds_fix_PR_914.patch | 43 +++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 package/madwifi/patches/110-init_fix_PR_914.patch create mode 100644 package/madwifi/patches/111-wds_fix_PR_914.patch (limited to 'package') diff --git a/package/madwifi/patches/110-init_fix_PR_914.patch b/package/madwifi/patches/110-init_fix_PR_914.patch new file mode 100644 index 0000000000..b6a0ca2b7d --- /dev/null +++ b/package/madwifi/patches/110-init_fix_PR_914.patch @@ -0,0 +1,22 @@ +Doing ifconfig athX down/ifconfig athX up several times provokes kernel crash. +See http://madwifi.org/ticket/914. But if ath_hal_phydisable() is skipped - +I observe NO CRASH whatsoever ... :\ Weird. + +Signed-off-by: Mindaugas Kriaučiūnas +Signed-off-by: Žilvinas Valinskas + +Index: madwifi-ng-trunk/ath/if_ath.c +=================================================================== +--- madwifi-ng-trunk.orig/ath/if_ath.c 2006-10-16 17:40:50.000000000 +0300 ++++ madwifi-ng-trunk/ath/if_ath.c 2006-10-18 16:17:32.000000000 +0300 +@@ -1997,7 +1997,10 @@ + ath_draintxq(sc); + if (!sc->sc_invalid) { + ath_stoprecv(sc); ++ ++ /* XXX: this helps to avoid crashes on ifconfig down/up + ath_hal_phydisable(ah); ++ */ + } else + sc->sc_rxlink = NULL; + ath_beacon_free(sc); /* XXX needed? */ diff --git a/package/madwifi/patches/111-wds_fix_PR_914.patch b/package/madwifi/patches/111-wds_fix_PR_914.patch new file mode 100644 index 0000000000..3f8607de62 --- /dev/null +++ b/package/madwifi/patches/111-wds_fix_PR_914.patch @@ -0,0 +1,43 @@ +WDS related crash is observed. This causes by possible random memory +writes/accesss. Note how wds is freed, yet it will be used further in +loop ... + +Other usages in the tree of LIST_FOREACH() when element is found and +acted up on element, loop is immediately break (either via break, or +return). But not in this case ... + +Signed-off-by: Mindaugas Kriaučiūnas +Signed-off-by: Žilvinas Valinskas + +Index: madwifi-ng-trunk/net80211/ieee80211_node.c +=================================================================== +--- madwifi-ng-trunk.orig/net80211/ieee80211_node.c 2006-09-25 13:28:08.000000000 +0300 ++++ madwifi-ng-trunk/net80211/ieee80211_node.c 2006-10-18 15:59:40.000000000 +0300 +@@ -961,11 +961,11 @@ + ieee80211_del_wds_node(struct ieee80211_node_table *nt, struct ieee80211_node *ni) + { + int hash; +- struct ieee80211_wds_addr *wds; ++ struct ieee80211_wds_addr *wds, *next; + + IEEE80211_NODE_LOCK_IRQ(nt); + for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) { +- LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) { ++ LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) { + if (wds->wds_ni == ni) { + if (ieee80211_node_dectestref(ni)) { + _ieee80211_free_node(ni); +@@ -984,11 +984,11 @@ + { + struct ieee80211_node_table *nt = (struct ieee80211_node_table *)data; + int hash; +- struct ieee80211_wds_addr *wds; ++ struct ieee80211_wds_addr *wds, *next; + + IEEE80211_NODE_LOCK_IRQ(nt); + for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) { +- LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) { ++ LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) { + if (wds->wds_agingcount != WDS_AGING_STATIC) { + if (!wds->wds_agingcount) { + if (ieee80211_node_dectestref(wds->wds_ni)) { -- cgit v1.2.3