
BUG in latest wireless-testing pull - 2.6.31-rc4

Message ID 1248495715.2391.7.camel@ct (mailing list archive)
State Not Applicable, archived

Commit Message

Pavel Roskin July 25, 2009, 4:21 a.m. UTC
On Fri, 2009-07-24 at 22:35 -0500, Larry Finger wrote:
> I pulled from the wireless-testing (git describe yields
> v2.6.31-rc4-29133-g1addf37) and get the following BUG:
> 
> BUG: unable to handle kernel NULL pointer dereference at 000000000000000c
> IP: [<ffffffffa0267fc1>] ieee80211_scan_work+0x18a/0x426 [mac80211]

I got it too :-(

> chan = local->scan_req->channels[local->scan_channel_idx];
> 
> in ieee80211_scan_state_set_channel().

The same thing here.

The oops happens when local->scan_channel_idx reaches 14, which is
local->scan_req->n_channels.

I tried this patch:



It prevents the oops, but now udev hangs on startup.  Perhaps
ieee80211_scan_state_set_channel() shouldn't set local->scan_channel_idx
to an invalid value in the first place.  Or maybe if it happens,
something else should be done to stop the scan.

Patch

--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -588,6 +588,10 @@  static void ieee80211_scan_state_set_channel(struct ieee80211_local *local,
 	struct ieee80211_sub_if_data *sdata = local->scan_sdata;
 
 	skip = 0;
+
+	if (local->scan_channel_idx >= local->scan_req->n_channels)
+		return;
+
 	chan = local->scan_req->channels[local->scan_channel_idx];
 
 	if (chan->flags & IEEE80211_CHAN_DISABLED ||
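
Review bot: the bare `return` in the added bounds check, just before `chan = local->scan_req->channels[local->scan_channel_idx];`, hides the out-of-range index instead of handling it. The function is `static void`, so the caller gets no indication that no channel was selected, and nothing in this hunk ends the scan or resets `local->scan_channel_idx`, which fits the startup hang reported with this change. Consider stopping the index at `n_channels` where it is advanced and finishing the scan there, or returning a status the caller can act on. Wrapping the condition in WARN_ON would also make the invalid state visible rather than silently skipped.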