• cfg80211: fix bug on regulatory core exit on access to last_request · 58ebacc6
    Luis R. Rodriguez authored
    Commit 4d9d88d1 by Scott James Remnant <keybuk@google.com> added
    the .uevent() callback for the regulatory device used during
    the platform device registration. The change was done to account
    for queuing up udev change requests through udevadm triggers.
    The change also meant that upon regulatory core exit we will now
    send a uevent() but the uevent() callback, reg_device_uevent(),
    also accessed last_request. Right before committing device suicide
    we free'd last_request but never set it to NULL so
    platform_device_unregister() would lead to bogus kernel paging
    request. Fix this and also simply suppress uevents right before
    we commit suicide as they are pointless.
    
    This fix is required for kernels >= v2.6.39
    
    $ git describe --contains 4d9d88d1
    v2.6.39-rc1~468^2~25^2^2~21
    
    The impact of not having this present is that a bogus paging
    access may occur (only read) upon cfg80211 unload time. You
    may also get this BUG complaint below. Although Johannes
    could not reproduce the issue this fix is theoretically correct.
    
    mac80211_hwsim: unregister radios
    mac80211_hwsim: closing netlink
    BUG: unable to handle kernel paging request at ffff88001a06b5ab
    IP: [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
    PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160
    Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU 0
    Modules linked in: cfg80211(-) [last unloaded: mac80211]
    
    Pid: 2279, comm: rmmod Tainted: G        W   3.1.0-wl+ #663 Bochs Bochs
    RIP: 0010:[<ffffffffa030df9a>]  [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
    RSP: 0000:ffff88001c5f9d58  EFLAGS: 00010286
    RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc
    RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0
    RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff
    R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0
    R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001
    FS:  00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780)
    Stack:
     ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2
     000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820
     ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189
    Call Trace:
     [<ffffffff812ff7e5>] dev_uevent+0xc5/0x170
     [<ffffffff81241dc7>] kobject_uevent_env+0x1f7/0x490
     [<ffffffff81040189>] ? sub_preempt_count+0x29/0x60
     [<ffffffff814cab1a>] ? _raw_spin_unlock_irqrestore+0x4a/0x90
     [<ffffffff81305307>] ? devres_release_all+0x27/0x60
     [<ffffffff8124206b>] kobject_uevent+0xb/0x10
     [<ffffffff812fee27>] device_del+0x157/0x1b0
     [<ffffffff8130377d>] platform_device_del+0x1d/0x90
     [<ffffffff81303b76>] platform_device_unregister+0x16/0x30
     [<ffffffffa030fffd>] regulatory_exit+0x5d/0x180 [cfg80211]
     [<ffffffffa032bec3>] cfg80211_exit+0x2b/0x45 [cfg80211]
     [<ffffffff8109a84c>] sys_delete_module+0x16c/0x220
     [<ffffffff8108a23e>] ? trace_hardirqs_on_caller+0x7e/0x120
     [<ffffffff814cba02>] system_call_fastpath+0x16/0x1b
    Code: <all your base are belong to me>
    RIP  [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
     RSP <ffff88001c5f9d58>
    CR2: ffff88001a06b5ab
    ---[ end trace 147c5099a411e8c0 ]---
    Reported-by: Johannes Berg <johannes@sipsolutions.net>
    Cc: Scott James Remnant <keybuk@google.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
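
The teardown ordering this commit message describes, as an added userspace C model (not the kernel's code and not the patch itself). The names follow the message; the struct layouts, the NULL guard in the callback and all function bodies are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Userspace model, not kernel code; layouts and bodies are assumptions. */
struct regulatory_request { char alpha2[3]; };
struct device {
    int uevent_suppress;               /* models uevent suppression on the device */
    int (*uevent)(struct device *dev); /* models the .uevent() callback */
    int uevents_sent;
};
static struct regulatory_request *last_request;
/* Reads last_request; returns 1 if a country was reported (assumed NULL guard). */
static int reg_device_uevent(struct device *dev)
{
    return last_request && last_request->alpha2[0] != '\0';
}

/* Models device_del(): unregistering emits one last uevent unless suppressed. */
static void device_unregister(struct device *dev)
{
    if (dev->uevent_suppress)
        return;
    dev->uevents_sent++;
    dev->uevent(dev);
}

static int regulatory_init(struct device *dev)
{
    *dev = (struct device){ .uevent = reg_device_uevent };
    last_request = calloc(1, sizeof(*last_request));
    if (last_request)
        memcpy(last_request->alpha2, "00", 3);
    return last_request ? 0 : -1;
}

static void regulatory_exit(struct device *dev)
{
    dev->uevent_suppress = 1;  /* no pointless uevent while tearing down */
    free(last_request);
    last_request = NULL;       /* a freed global must not stay reachable */
    device_unregister(dev);    /* callback can no longer see stale memory */
}

int main(void)
{
    struct device dev;
    if (regulatory_init(&dev))
        return 1;
    regulatory_exit(&dev);
    return last_request != NULL;
}
```

The two measures are independent: clearing the pointer makes a late callback harmless, and suppression keeps the callback from running at all during unregistration.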
reg.c 59.1 KB