kernel-packages team mailing list archive

[Bug 1354469] Re: [3.13.0-30.55] rtl8821ae Kernel PANIC due to calling incorrect function

 

This bug was fixed in the package linux - 3.13.0-35.62

---------------
linux (3.13.0-35.62) trusty; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1357148

  [ Brad Figg ]

  * Start new release

  [ dann frazier ]

  * SAUCE: (no-up) Fix build failure on arm64
    - LP: #1353657
  * [debian] Allow for package revisions condusive for branching

  [ David Henningsson ]

  * SAUCE: Call broadwell specific functions from the hda driver
    - LP: #1317865

  [ Edward Lin ]

  * SAUCE: (no-up) Add use native backlight quirk for Dell Inspiron
    5547/5447
    - LP: #1332437

  [ Imre Deak ]

  * SAUCE: drm/i915: move power domain init earlier during system resume
    - LP: #1353405

  [ Jani Nikula ]

  * SAUCE: drm/i915: use lane count and link rate from VBT as minimums for
    eDP
    - LP: #1338582
  * SAUCE: drm/i915/dp: force eDP lane count to max available lanes on BDW
    - LP: #1338582
  * SAUCE: drm/i915: provide interface for audio driver to query cdclk
    - LP: #1188091
  * SAUCE: drm/i915: demote opregion excessive timeout WARN_ONCE to
    DRM_INFO_ONCE
    - LP: #1351014

  [ Joseph Salisbury ]

  * [Config] updateconfigs after Linux 3.13.11.6 updates

  [ Luis Henriques ]

  * Revert "[Packaging] linux-udeb-flavour -- standardise on linux
    prefix"

  [ Ming Lei ]

  * Revert "SAUCE: (no-up) ata: Fix the dma state machine lockup for the
    IDENTIFY DEVICE PIO mode command."
    - LP: #1335645

  [ Paulo Zanoni ]

  * SAUCE: drm/i915: consider the source max DP lane count too
    - LP: #1338582

  [ Tim Gardner ]

  * [Config] CONFIG_GPIO_SYSFS=y
    - LP: #1342153
  * [Config] CONFIG_KEYS_DEBUG_PROC_KEYS=y
    - LP: #1344405
  * [Config] updateconfigs
  * [Config] CONFIG_SCSI_IPR_TRACE=y, CONFIG_SCSI_IPR_DUMP=y
    - LP: #1343109
  * [Config] CONFIG_CONTEXT_TRACKING_FORCE=n
    - LP: #1349028

  [ Timo Aaltonen ]

  * SAUCE: Fix a typo in hda i915_bdw support.
    - LP: #1343140

  [ Upstream Kernel Changes ]

  * Revert "net/mlx4_en: Fix bad use of dev_id"
    - LP: #1347012
  * Revert "ACPI / AC: Remove AC's proc directory."
    - LP: #1356913
  * Revert "mac80211: move "bufferable MMPDU" check to fix AP mode scan"
    - LP: #1356913
  * mm, pcp: allow restoring percpu_pagelist_fraction default
    - LP: #1347088
  * net: Fix permission check in netlink_connect()
    - LP: #1312989
  * netlink: Rename netlink_capable netlink_allowed
    - LP: #1312989
  * net: Move the permission check in sock_diag_put_filterinfo to
    packet_diag_dump
    - LP: #1312989
  * net: Add variants of capable for use on on sockets
    - LP: #1312989
  * net: Add variants of capable for use on netlink messages
    - LP: #1312989
  * net: Use netlink_ns_capable to verify the permisions of netlink
    messages
    - LP: #1312989
  * netlink: Only check file credentials for implicit destinations
    - LP: #1312989
  * igb: fix stats for i210 rx_fifo_errors
    - LP: #1338893
  * HID: use multi input quirk for 22b9:2968
    - LP: #1339567
  * crypto/nx: disable NX on little endian builds
    - LP: #1338666
  * ACPI / video: Add Dell Inspiron 5737 to the blacklist
    - LP: #1250401
  * Input: elantech - deal with clickpads reporting right button events
    - LP: #1188025
  * net/mlx4_core: Enforce irq affinity changes immediatly
    - LP: #1326108
  * cpumask: Utility function to set n'th cpu - local cpu first
    - LP: #1326108
  * net/mlx4_en: Use affinity hint
    - LP: #1326108
  * net/mlx4_en: Don't use irq_affinity_notifier to track changes in IRQ
    affinity map
    - LP: #1326108
  * net/mlx4_en: IRQ affinity hint is not cleared on port down
    - LP: #1326108
  * Subject: net: Allow tc changes in user namespaces
    - LP: #1344049
  * net-gro: restore frag0 optimization
    - LP: #1344323
  * Bluetooth: Fix redundant encryption request for reauthentication
    - LP: #1347088
  * Bluetooth: Fix check for connection encryption
    - LP: #1347088
  * introduce for_each_thread() to replace the buggy while_each_thread()
    - LP: #1347088
  * NFS: Don't declare inode uptodate unless all attributes were checked
    - LP: #1347088
  * usb: dwc3: gadget: clear stall when disabling endpoint
    - LP: #1347088
  * ACPICA: utstring: Check array index bound before use.
    - LP: #1347088
  * mtip32xx: Increase timeout for STANDBY IMMEDIATE command
    - LP: #1347088
  * mtip32xx: Remove dfs_parent after pci unregister
    - LP: #1347088
  * mtip32xx: Fix ERO and NoSnoop values in PCIe upstream on AMD systems
    - LP: #1347088
  * extcon: max77693: Fix two NULL pointer exceptions on missing pdata
    - LP: #1347088
  * extcon: max8997: Fix NULL pointer exception on missing pdata
    - LP: #1347088
  * builddeb: use $OBJCOPY variable instead of objcopy
    - LP: #1347088
  * bluetooth: hci_ldisc: fix deadlock condition
    - LP: #1347088
  * powerpc/pseries: Fix overwritten PE state
    - LP: #1347088
  * PCI: Add new ID for Intel GPU "spurious interrupt" quirk
    - LP: #1347088
  * x86-32, espfix: Remove filter for espfix32 due to race
    - LP: #1347088
  * genirq: Sanitize spurious interrupt detection of threaded irqs
    - LP: #1347088
  * Drivers: hv: balloon: Ensure pressure reports are posted regularly
    - LP: #1347088
  * x86, x32: Use compat shims for io_{setup,submit}
    - LP: #1347088
  * iwlwifi: pcie: try to get ownership several times
    - LP: #1347088
  * ext4: fix data integrity sync in ordered mode
    - LP: #1347088
  * UBIFS: fix an mmap and fsync race condition
    - LP: #1347088
  * [media] rtl28xxu: add USB ID for Genius TVGo DVB-T03
    - LP: #1347088
  * [media] rtl28xxu: add 1b80:d395 Peak DVB-T USB
    - LP: #1347088
  * [media] rtl28xxu: add [1b80:d39d] Sveon STV20
    - LP: #1347088
  * [media] rtl28xxu: add [1b80:d3af] Sveon STV27
    - LP: #1347088
  * ASoC: max98090: Fix reset at resume time
    - LP: #1347088
  * ACPI: Fix conflict between customized DSDT and DSDT local copy
    - LP: #1347088
  * PM / OPP: fix incorrect OPP count handling in of_init_opp_table
    - LP: #1347088
  * Target/iser: Bail from accept_np if np_thread is trying to close
    - LP: #1347088
  * Target/iser: Fix hangs in connection teardown
    - LP: #1347088
  * HID: core: fix validation of report id 0
    - LP: #1347088
  * IB/srp: Fix a sporadic crash triggered by cable pulling
    - LP: #1347088
  * Target/iser: Improve cm events handling
    - LP: #1347088
  * Target/iser: Wait for proper cleanup before unloading
    - LP: #1347088
  * mtd: nand: omap: fix BCHx ecc.correct to return detected bit-flips in
    erased-page
    - LP: #1347088
  * mtd: eLBC NAND: fix subpage write support
    - LP: #1347088
  * reiserfs: call truncate_setsize under tailpack mutex
    - LP: #1347088
  * ARM: stacktrace: avoid listing stacktrace functions in stacktrace
    - LP: #1347088
  * SUNRPC: Fix a module reference leak in svc_handle_xprt
    - LP: #1347088
  * [media] uvcvideo: Fix clock param realtime setting
    - LP: #1347088
  * [media] ivtv: Fix Oops when no firmware is loaded
    - LP: #1347088
  * CIFS: Fix memory leaks in SMB2_open
    - LP: #1347088
  * iio:adc:max1363 incorrect resolutions for max11604, max11605, max11610
    and max11611.
    - LP: #1347088
  * staging/mt29f_spinand: Terminate of match table
    - LP: #1347088
  * mac80211: fix IBSS join by initializing last_scan_completed
    - LP: #1347088
  * KVM: lapic: sync highest ISR to hardware apic on EOI
    - LP: #1347088
  * s390/time: cast tv_nsec to u64 prior to shift in update_vsyscall
    - LP: #1347088
  * ahci: add PCI ID for Marvell 88SE91A0 SATA Controller
    - LP: #1347088
  * ext4: fix zeroing of page during writeback
    - LP: #1347088
  * ext4: fix wrong assert in ext4_mb_normalize_request()
    - LP: #1347088
  * IB/mlx5: add missing padding at end of struct mlx5_ib_create_cq
    - LP: #1347088
  * IB/mlx5: add missing padding at end of struct mlx5_ib_create_srq
    - LP: #1347088
  * IB/qib: Fix port in pkey change event
    - LP: #1347088
  * IB/ipath: Translate legacy diagpkt into newer extended diagpkt
    - LP: #1347088
  * mei: me: drop harmful wait optimization
    - LP: #1347088
  * mei: me: read H_CSR after asserting reset
    - LP: #1347088
  * usb: usbtest: fix unlink write error with pattern 1
    - LP: #1347088
  * s390/lowcore: reserve 96 bytes for IRB in lowcore
    - LP: #1347088
  * mac80211: fix a memory leak on sta rate selection table
    - LP: #1347088
  * mac80211: don't check netdev state for debugfs read/write
    - LP: #1347088
  * mtd: pxa3xx_nand: make the driver work on big-endian systems
    - LP: #1347088
  * hv: use correct order when freeing monitor_pages
    - LP: #1347088
  * usb: qcserial: add Netgear AirCard 341U
    - LP: #1347088
  * usb: qcserial: add additional Sierra Wireless QMI devices
    - LP: #1347088
  * IB/umad: Fix error handling
    - LP: #1347088
  * RDMA/cxgb4: Add missing padding at end of struct c4iw_create_cq_resp
    - LP: #1347088
  * MIPS: KVM: Allocate at least 16KB for exception handlers
    - LP: #1347088
  * block: virtio_blk: don't hold spin lock during world switch
    - LP: #1347088
  * nfsd: getattr for FATTR4_WORD0_FILES_AVAIL needs the statfs buffer
    - LP: #1347088
  * ASoC: tlv320aci3x: Fix custom snd_soc_dapm_put_volsw_aic3x() function
    - LP: #1347088
  * UBIFS: Remove incorrect assertion in shrink_tnc()
    - LP: #1347088
  * Bluetooth: Fix L2CAP deadlock
    - LP: #1347088
  * vgaswitcheroo: switch the mux to the igp on power down when runpm is
    enabled
    - LP: #1347088
  * drm/radeon: fix typo in radeon_connector_is_dp12_capable()
    - LP: #1347088
  * drm/radeon/dp: fix lane/clock setup for dp 1.2 capable devices
    - LP: #1347088
  * drm/radeon/atom: fix dithering on certain panels
    - LP: #1347088
  * drm/radeon: only apply hdmi bpc pll flags when encoder mode is hdmi
    - LP: #1347088
  * ahci: Add Device ID for HighPoint RocketRaid 642L
    - LP: #1347088
  * mm: fix sleeping function warning from __put_anon_vma
    - LP: #1347088
  * hugetlb: restrict hugepage_migration_support() to x86_64
    - LP: #1347088
  * kthread: fix return value of kthread_create() upon SIGKILL.
    - LP: #1347088
  * mm: vmscan: do not throttle based on pfmemalloc reserves if node has no
    ZONE_NORMAL
    - LP: #1347088
  * memcg: do not hang on OOM when killed by userspace OOM access to memory
    reserves
    - LP: #1347088
  * mm: page_alloc: use word-based accesses for get/set pageblock bitmaps
    - LP: #1347088
  * mm/memory-failure.c-failure: send right signal code to correct thread
    - LP: #1347088
  * mm/memory-failure.c: don't let collect_procs() skip over processes for
    MF_ACTION_REQUIRED
    - LP: #1347088
  * mm/memory-failure.c: support use of a dedicated thread to handle
    SIGBUS(BUS_MCEERR_AO)
    - LP: #1347088
  * powerpc/serial: Use saner flags when creating legacy ports
    - LP: #1347088
  * ALSA: hda/realtek - Add support of ALC891 codec
    - LP: #1347088
  * rbd: use reference counts for image requests
    - LP: #1347088
  * iscsi-target: Reject mutual authentication with reflected CHAP_C
    - LP: #1347088
  * powerpc/mm: Check paca psize is up to date for huge mappings
    - LP: #1347088
  * IB/umad: Fix use-after-free on close
    - LP: #1347088
  * mm: vmscan: clear kswapd's special reclaim powers before exiting
    - LP: #1347088
  * rtc: rtc-at91rm9200: fix infinite wait for ACKUPD irq
    - LP: #1347088
  * ptrace: fix fork event messages across pid namespaces
    - LP: #1347088
  * idr: fix overflow bug during maximum ID calculation at maximum height
    - LP: #1347088
  * Input: elantech - don't set bit 1 of reg_10 when the no_hw_res quirk is
    set
    - LP: #1347088
  * nfsd4: fix FREE_STATEID lockowner leak
    - LP: #1347088
  * Btrfs: fix double free in find_lock_delalloc_range
    - LP: #1347088
  * target: Set CMD_T_ACTIVE bit for Task Management Requests
    - LP: #1347088
  * target: Use complete_all for se_cmd->t_transport_stop_comp
    - LP: #1347088
  * iscsi-target: Fix ABORT_TASK + connection reset iscsi_queue_req memory
    leak
    - LP: #1347088
  * drm/nv50-/mc: fix kms pageflip events by reordering irq handling order.
    - LP: #1347088
  * drm/nouveau/kms/nv04-nv40: fix pageflip events via special case.
    - LP: #1347088
  * NFS: populate ->net in mount data when remounting
    - LP: #1347088
  * watchdog: kempld-wdt: Use the correct value when configuring the
    prescaler with the watchdog
    - LP: #1347088
  * watchdog: ath79_wdt: avoid spurious restarts on AR934x
    - LP: #1347088
  * watchdog: sp805: Set watchdog_device->timeout from ->set_timeout()
    - LP: #1347088
  * fs,userns: Change inode_capable to capable_wrt_inode_uidgid
    - LP: #1347088
  * powerpc: Add AT_HWCAP2 to indicate V.CRYPTO category support
    - LP: #1347088
  * powerpc: Correct DSCR during TM context switch
    - LP: #1347088
  * powerpc: Don't setup CPUs with bad status
    - LP: #1347088
  * Target/iscsi: Fix sendtargets response pdu for iser transport
    - LP: #1347088
  * target: Report correct response length for some commands
    - LP: #1347088
  * dm thin: update discard_granularity to reflect the thin-pool blocksize
    - LP: #1347088
  * ALSA: compress: Cancel the optimization of compiler and fix the size of
    struct for all platform.
    - LP: #1347088
  * hwmon: (ina2xx) Cast to s16 on shunt and current regs
    - LP: #1347088
  * evm: prohibit userspace writing 'security.evm' HMAC value
    - LP: #1347088
  * ALSA: hda - Add quirk for external mic on Lifebook U904
    - LP: #1328587, #1347088
  * ALSA: hda/realtek - Add more entry for enable HP mute led
    - LP: #1347088
  * ALSA: hda/realtek - Add more entry for enable HP mute led
    - LP: #1347088
  * staging: iio: tsl2x7x_core: fix proximity treshold
    - LP: #1347088
  * iio: Fix endianness issue in ak8975_read_axis()
    - LP: #1347088
  * rtmutex: Handle deadlock detection smarter
    - LP: #1347088
  * rtmutex: Detect changes in the pi lock chain
    - LP: #1347088
  * drm/i915: Disable FBC by default also on Haswell and later
    - LP: #1347088
  * drm/i915: Avoid div-by-zero when pixel_multiplier is zero
    - LP: #1347088
  * drm/i915: Reorder semaphore deadlock check
    - LP: #1347088
  * iio: adc: at91: signedness bug in at91_adc_get_trigger_value_by_name()
    - LP: #1347088
  * rtmutex: Plug slow unlock race
    - LP: #1347088
  * ACPI / ia64 / sba_iommu: Restore the working initialization ordering
    - LP: #1347088
  * epoll: fix use-after-free in eventpoll_release_file
    - LP: #1347088
  * drm/nouveau/kms: reference vblank for crtc during pageflip.
    - LP: #1347088
  * ARM: mvebu: DT: fix OpenBlocks AX3-4 RAM size
    - LP: #1347088
  * USB: EHCI: avoid BIOS handover on the HASEE E200
    - LP: #1347088
  * arm64: Bug fix in stack alignment exception
    - LP: #1347088
  * arm64: ptrace: change fs when passing kernel pointer to regset code
    - LP: #1347088
  * arm64: uid16: fix __kernel_old_{gid,uid}_t definitions
    - LP: #1347088
  * arm64: ptrace: fix empty registers set in prstatus of aarch32 process
    core
    - LP: #1347088
  * ALSA: control: Protect user controls against concurrent access
    - LP: #1347088
  * ALSA: control: Fix replacing user controls
    - LP: #1347088
  * ALSA: control: Don't access controls outside of protected regions
    - LP: #1347088
  * ALSA: control: Handle numid overflow
    - LP: #1347088
  * ALSA: control: Make sure that id->index does not overflow
    - LP: #1347088
  * Bluetooth: Fix SSP acceptor just-works confirmation without MITM
    - LP: #1347088
  * Bluetooth: Fix setting correct authentication information for SMP STK
    - LP: #1347088
  * Bluetooth: Fix indicating discovery state when canceling inquiry
    - LP: #1347088
  * Bluetooth: Fix locking of hdev when calling into SMP code
    - LP: #1347088
  * Bluetooth: Allow change security level on ATT_CID in slave role
    - LP: #1347088
  * rt2x00: disable TKIP on USB
    - LP: #1347088
  * b43: fix frequency reported on G-PHY with /new/ firmware
    - LP: #1347088
  * rt2x00: fix rfkill regression on rt2500pci
    - LP: #1347088
  * blkcg: fix use-after-free in __blkg_release_rcu() by making blkcg_gq
    refcnt an atomic_t
    - LP: #1347088
  * rbd: handle parent_overlap on writes correctly
    - LP: #1347088
  * ALSA: hda - hdmi: call overridden init on resume
    - LP: #1347088
  * x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
    - LP: #1347088
  * hugetlb: fix copy_hugetlb_page_range() to handle migration/hwpoisoned
    entry
    - LP: #1347088
  * kernel/watchdog.c: remove preemption restrictions when restarting
    lockup detector
    - LP: #1347088
  * DMA, CMA: fix possible memory leak
    - LP: #1347088
  * mm: fix crashes from mbind() merging vmas
    - LP: #1347088
  * drm/i915: Hold the table lock whilst walking the file's idr and
    counting the objects in debugfs
    - LP: #1347088
  * [CIFS] fix mount failure with broken pathnames when smb3 mount with
    mapchars option
    - LP: #1347088
  * aio: fix aio request leak when events are reaped by userspace
    - LP: #1347088
  * aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
    - LP: #1347088
  * nfs: Fix cache_validity check in nfs_write_pageuptodate()
    - LP: #1347088
  * powerpc: Don't skip ePAPR spin-table CPUs
    - LP: #1347088
  * net: allwinner: emac: Add missing free_irq
    - LP: #1347088
  * ALSA: usb-audio: Fix races at disconnection and PCM closing
    - LP: #1347088
  * recordmcount/MIPS: Fix possible incorrect mcount_loc table entries in
    modules
    - LP: #1347088
  * MIPS: MSC: Prevent out-of-bounds writes to MIPS SC ioremap'd region
    - LP: #1347088
  * ALSA: hda - restore BCLK M/N values when resuming HSW/BDW display
    controller
    - LP: #1347088
  * target: Fix left-over se_lun->lun_sep pointer OOPs
    - LP: #1347088
  * iscsi-target: Explicily clear login response PDU in exception path
    - LP: #1347088
  * efi-pstore: Fix an overflow on 32-bit builds
    - LP: #1347088
  * lz4: fix another possible overrun
    - LP: #1347088
  * iscsi-target: Avoid rejecting incorrect ITT for Data-Out
    - LP: #1347088
  * iscsi-target: fix iscsit_del_np deadlock on unload
    - LP: #1347088
  * Linux 3.13.11.5
    - LP: #1347088
  * powerpc/powernv: Fix endianness problems in EEH
    - LP: #1340200
  * libahci: export ahci_qc_issue() and ahci_start_fix_rx()
    - LP: #1335645
  * ahci_xgene: fix the dma state machine lockup for the IDENTIFY DEVICE
    PIO mode command.
    - LP: #1335645
  * fix build error in gpio-dwapb patch
    - LP: #1348808
  * usb: Check if port status is equal to RxDetect
    - LP: #1322409
  * net/mlx4_en: Protect MAC address modification with the state_lock mutex
    - LP: #1347012
  * net/mlx4_en: Fix errors in MAC address changing when port is down
    - LP: #1347012
  * bonding: Advertize vxlan offload features when supported
    - LP: #1347012
  * net/mlx4_core: Fix the error flow when probing with invalid VF
    configuration
    - LP: #1347012
  * net/mlx4_en: Don't configure the HW vxlan parser when vxlan offloading
    isn't set
    - LP: #1347012
  * net/mlx4_core: Keep only one driver entry release mlx4_priv
    - LP: #1347012
  * net/mlx4_core: Preserve pci_dev_data after __mlx4_remove_one()
    - LP: #1347012
  * net/mlx4_core: Defer VF initialization till PF is fully initialized
    - LP: #1347012
  * net/mlx4_core: Adjust port number in qp_attach wrapper when detaching
    - LP: #1347012
  * net/mlx4_core: Fix slave id computation for single port VF
    - LP: #1347012
  * net/mlx4_core: Load the Eth driver first
    - LP: #1347012
  * net/mlx4_core: Don't issue PCIe speed/width checks for VFs
    - LP: #1347012
  * net/mlx4_core: Add UPDATE_QP SRIOV wrapper support
    - LP: #1347012
  * net/mlx4_core: Reset RoCE VF gids when guest driver goes down
    - LP: #1347012
  * net/mlx4_en: Reduce memory consumption on kdump kernel
    - LP: #1347012
  * net/mlx4_core: Use low memory profile on kdump kernel
    - LP: #1347012
  * net/mlx4_en: current_mac isn't updated in port up
    - LP: #1347012
  * net/mlx4_en: Disable blueflame using ethtool private flags
    - LP: #1347012
  * net/mlx4_en: Fix mac_hash database inconsistency
    - LP: #1347012
  * ext4: handle symlink properly with inline_data
    - LP: #1349020
  * net/mlx4_en: cq->irq_desc wasn't set in legacy EQ's
    - LP: #1354242
  * rtl8821ae: fixup staging driver for revised
    ieee80211_is_robust_mgmt_frame
    - LP: #1354469
  * ahci_xgene: Fix the watermark threshold for the APM X-Gene SATA host
    controller driver.
    - LP: #1350087
  * ahci_xgene: Use correct OOB tunning parameters for APM X-Gene SoC AHCI
    SATA Host controller driver.
    - LP: #1350087
  * sunrpc: create a new dummy pipe for gssd to hold open
    - LP: #1327563
  * sunrpc: replace sunrpc_net->gssd_running flag with a more reliable
    check
    - LP: #1327563
  * nfs: check if gssd is running before attempting to use krb5i auth in
    SETCLIENTID call
    - LP: #1327563
  * ACPI / PAD: call schedule() when need_resched() is true
    - LP: #1356913
  * KVM: ioapic: fix assignment of ioapic->rtc_status.pending_eoi
    (CVE-2014-0155)
    - LP: #1356913
  * target: Explicitly clear ramdisk_mcp backend pages
    - LP: #1356913
  * sctp: Fix sk_ack_backlog wrap-around problem
    - LP: #1356913
  * mm: hugetlb: fix copy_hugetlb_page_range()
    - LP: #1356913
  * x86_32, entry: Store badsys error code in %eax
    - LP: #1356913
  * shmem: fix faulting into a hole while it's punched
    - LP: #1356913
  * shmem: fix faulting into a hole, not taking i_mutex
    - LP: #1356913
  * shmem: fix splicing from a hole while it's punched
    - LP: #1356913
  * ipvs: Fix panic due to non-linear skb
    - LP: #1356913
  * ALSA: hda - verify pin:converter connection on unsol event for HSW and
    VLV
    - LP: #1356913
  * ALSA: hda - verify pin:cvt connection on preparing a stream for Intel
    HDMI codec
    - LP: #1356913
  * x86/xen: safely map and unmap grant frames when in atomic context
    - LP: #1356913
  * ext4: Fix buffer double free in ext4_alloc_branch()
    - LP: #1356913
  * ARM: OMAP2+: Fix parser-bug in platform muxing code
    - LP: #1356913
  * KVM: x86: Increase the number of fixed MTRR regs to 10
    - LP: #1356913
  * KVM: x86: preserve the high 32-bits of the PAT register
    - LP: #1356913
  * usb: musb: ux500: don't propagate the OF node
    - LP: #1356913
  * usb: gadget: f_fs: fix NULL pointer dereference when there are no
    strings
    - LP: #1356913
  * staging: iio/ad7291: fix error code in ad7291_probe()
    - LP: #1356913
  * iio: of_iio_channel_get_by_name() returns non-null pointers for error
    legs
    - LP: #1356913
  * irqchip: spear_shirq: Fix interrupt offset
    - LP: #1356913
  * USB: option: add device ID for SpeedUp SU9800 usb 3g modem
    - LP: #1356913
  * USB: ftdi_sio: fix null deref at port probe
    - LP: #1356913
  * usb: option: add/modify Olivetti Olicard modems
    - LP: #1356913
  * scsi_error: fix invalid setting of host byte
    - LP: #1356913
  * xhci: Use correct SLOT ID when handling a reset device command
    - LP: #1356913
  * xhci: correct burst count field for isoc transfers on 1.0 xhci hosts
    - LP: #1356913
  * xhci: clear root port wake on bits if controller isn't wake-up capable
    - LP: #1356913
  * xhci: Fix runtime suspended xhci from blocking system suspend.
    - LP: #1356913
  * ibmvscsi: Abort init sequence during error recovery
    - LP: #1356913
  * ibmvscsi: Add memory barriers for send / receive
    - LP: #1356913
  * virtio-scsi: avoid cancelling uninitialized work items
    - LP: #1356913
  * virtio-scsi: fix various bad behavior on aborted requests
    - LP: #1356913
  * MIPS: KVM: Fix memory leak on VCPU
    - LP: #1356913
  * ext4: Fix hole punching for files with indirect blocks
    - LP: #1356913
  * usb: musb: Fix panic upon musb_am335x module removal
    - LP: #1356913
  * usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq
    - LP: #1356913
  * nfsd: fix rare symlink decoding bug
    - LP: #1356913
  * tools: ffs-test: fix header values endianess
    - LP: #1356913
  * usb-storage/SCSI: Add broken_fua blacklist flag
    - LP: #1356913
  * drm/radeon/dpm: fix typo in vddci setup for eg/btc
    - LP: #1356913
  * drm/radeon/dpm: fix vddci setup typo on cayman
    - LP: #1356913
  * tracing: Remove ftrace_stop/start() from reading the trace file
    - LP: #1356913
  * usb: chipidea: udc: delete td from req's td list at ep_dequeue
    - LP: #1356913
  * drm/radeon/cik: fix typo in EOP packet
    - LP: #1356913
  * md: flush writes before starting a recovery.
    - LP: #1356913
  * drm/vmwgfx: Fix incorrect write to read-only register v2:
    - LP: #1356913
  * mm: page_alloc: fix CMA area initialisation when pageblock > MAX_ORDER
    - LP: #1356913
  * /proc/stat: convert to single_open_size()
    - LP: #1356913
  * nick kvfree() from apparmor
    - LP: #1356913
  * fs/seq_file: fallback to vmalloc allocation
    - LP: #1356913
  * lz4: add overrun checks to lz4_uncompress_unknownoutputsize()
    - LP: #1356913
  * arm64: mm: Make icache synchronisation logic huge page aware
    - LP: #1356913
  * workqueue: fix dev_set_uevent_suppress() imbalance
    - LP: #1356913
  * cpuset,mempolicy: fix sleeping function called from invalid context
    - LP: #1356913
  * crypto: sha512_ssse3 - fix byte count to bit count conversion
    - LP: #1356913
  * thermal: hwmon: Make the check for critical temp valid consistent
    - LP: #1356913
  * clk: s2mps11: Fix double free corruption during driver unbind
    - LP: #1356913
  * hwmon: (amc6821) Fix permissions for temp2_input
    - LP: #1356913
  * hwmon: (adm1029) Ensure the fan_div cache is updated in set_fan_div
    - LP: #1356913
  * hwmon: (adm1021) Fix cache problem when writing temperature limits
    - LP: #1356913
  * ext4: fix unjournalled bg descriptor while initializing inode bitmap
    - LP: #1356913
  * ext4: clarify error count warning messages
    - LP: #1356913
  * ext4: clarify ext4_error message in ext4_mb_generate_buddy_error()
    - LP: #1356913
  * ext4: disable synchronous transaction batching if max_batch_time==0
    - LP: #1356913
  * intel_pstate: Fix setting VID
    - LP: #1356913
  * intel_pstate: don't touch turbo bit if turbo disabled or unavailable.
    - LP: #1356913
  * intel_pstate: Set CPU number before accessing MSRs
    - LP: #1356913
  * USB: cp210x: add support for Corsair usb dongle
    - LP: #1356913
  * usb: option: Add ID for Telewell TW-LTE 4G v2
    - LP: #1356913
  * ACPI / EC: Avoid race condition related to advance_transaction()
    - LP: #1356913
  * ACPI / EC: Add asynchronous command byte write support
    - LP: #1356913
  * ACPI / EC: Remove duplicated ec_wait_ibf0() waiter
    - LP: #1356913
  * ACPI / EC: Fix race condition in ec_transaction_completed()
    - LP: #1356913
  * ACPI / battery: Retry to get battery information if failed during
    probing
    - LP: #1356913
  * hwmon: (adm1031) Fix writes to limit registers
    - LP: #1356913
  * workqueue: zero cpumask of wq_numa_possible_cpumask on init
    - LP: #1356913
  * hwmon: (emc2103) Clamp limits instead of bailing out
    - LP: #1356913
  * arm64: implement TASK_SIZE_OF
    - LP: #1356913
  * iio: ti_am335x_adc: Fix: Use same step id at FIFOs both ends
    - LP: #1356913
  * cpufreq: Makefile: fix compilation for davinci platform
    - LP: #1356913
  * drm/i915: Don't clobber the GTT when it's within stolen memory
    - LP: #1356913
  * Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code
    - LP: #1356913
  * USB: ftdi_sio: Add extra PID.
    - LP: #1356913
  * crypto: caam - fix memleak in caam_jr module
    - LP: #1356913
  * dm: allocate a special workqueue for deferred device removal
    - LP: #1356913
  * dm io: fix a race condition in the wake up code for sync_io
    - LP: #1356913
  * drm/radeon/dp: return -EIO for flags not zero case
    - LP: #1356913
  * drm/radeon: fix typo in golden register setup on evergreen
    - LP: #1356913
  * drm/radeon: fix typo in ci_stop_dpm()
    - LP: #1356913
  * drm/radeon/dpm: Reenabling SS on Cayman
    - LP: #1356913
  * powerpc/perf: Add PPMU_ARCH_207S define
    - LP: #1356913
  * powerpc/perf: Clear MMCR2 when enabling PMU
    - LP: #1356913
  * powerpc/perf: Never program book3s PMCs with values >= 0x80000000
    - LP: #1356913
  * USB: serial: ftdi_sio: Add Infineon Triboard
    - LP: #1356913
  * phy: core: Fix error path in phy_create()
    - LP: #1356913
  * ext4: fix a potential deadlock in __ext4_es_shrink()
    - LP: #1356913
  * parisc: add serial ports of C8000/1GHz machine to hardware database
    - LP: #1356913
  * parisc: fix fanotify_mark() syscall on 32bit compat kernel
    - LP: #1356913
  * parisc: drop unused defines and header includes
    - LP: #1356913
  * clk: spear3xx: Use proper control register offset
    - LP: #1356913
  * Bluetooth: Ignore H5 non-link packets in non-active state
    - LP: #1356913
  * iwlwifi: update the 7265 series HW IDs
    - LP: #1356913
  * mwifiex: fix Tx timeout issue
    - LP: #1356913
  * x86, tsc: Fix cpufreq lockup
    - LP: #1356913
  * perf/x86/intel: ignore CondChgd bit to avoid false NMI handling
    - LP: #1356913
  * perf: Do not allow optimized switch for non-cloned events
    - LP: #1356913
  * xen/manage: fix potential deadlock when resuming the console
    - LP: #1356913
  * iwlwifi: dvm: don't enable CTS to self
    - LP: #1356913
  * iwlwifi: mvm: disable CTS to Self
    - LP: #1356913
  * xen/balloon: set ballooned out pages as invalid in p2m
    - LP: #1356913
  * mtd: devices: elm: fix elm_context_save() and elm_context_restore()
    functions
    - LP: #1356913
  * fuse: timeout comparison fix
    - LP: #1356913
  * fuse: ignore entry-timeout on LOOKUP_REVAL
    - LP: #1356913
  * fuse: handle large user and group ID
    - LP: #1356913
  * alarmtimer: Fix bug where relative alarm timers were treated as
    absolute
    - LP: #1356913
  * irqchip: gic: Add support for cortex a7 compatible string
    - LP: #1356913
  * net: mvneta: fix operation in 10 Mbit/s mode
    - LP: #1356913
  * net: mvneta: Fix big endian issue in mvneta_txq_desc_csum()
    - LP: #1356913
  * igb: Workaround for i210 Errata 25: Slow System Clock
    - LP: #1356913
  * x86/efi: Include a .bss section within the PE/COFF headers
    - LP: #1356913
  * igb: do a reset on SR-IOV re-init if device is down
    - LP: #1356913
  * iio:core: Handle error when mask type is not separate
    - LP: #1356913
  * of/irq: do irq resolution in platform_get_irq_byname()
    - LP: #1356913
  * platform_get_irq: Revert to platform_get_resource if of_irq_get fails
    - LP: #1356913
  * aio: protect reqs_available updates from changes in interrupt handlers
    - LP: #1356913
  * hwmon: (da9052) Don't use dash in the name attribute
    - LP: #1356913
  * hwmon: (da9055) Don't use dash in the name attribute
    - LP: #1356913
  * PM / sleep: Fix request_firmware() error at resume
    - LP: #1356913
  * ALSA: hda - Fix broken PM due to incomplete i915 initialization
    - LP: #1356913
  * tracing: Add ftrace_trace_stack into __trace_puts/__trace_bputs
    - LP: #1356913
  * tracing: Fix graph tracer with stack tracer on other archs
    - LP: #1356913
  * tracing: Add TRACE_ITER_PRINTK flag check in __trace_puts/__trace_bputs
    - LP: #1356913
  * dm thin metadata: do not allow the data block size to change
    - LP: #1356913
  * dm cache metadata: do not allow the data block size to change
    - LP: #1356913
  * quota: missing lock in dqcache_shrink_scan()
    - LP: #1356913
  * ring-buffer: Fix polling on trace_pipe
    - LP: #1356913
  * sched: Fix possible divide by zero in avg_atom() calculation
    - LP: #1356913
  * locking/mutex: Disable optimistic spinning on some architectures
    - LP: #1356913
  * drm/qxl: return IRQ_NONE if it was not our irq
    - LP: #1356913
  * hwmon: (adt7470) Fix writes to temperature limit registers
    - LP: #1356913
  * cpufreq: move policy kobj to policy->cpu at resume
    - LP: #1356913
  * drm/radeon: avoid leaking edid data
    - LP: #1356913
  * drm/radeon: set default bl level to something reasonable
    - LP: #1356913
  * usb: chipidea: udc: Disable auto ZLP generation on ep0
    - LP: #1356913
  * irqchip: gic: Fix core ID calculation when topology is read from DT
    - LP: #1356913
  * slab_common: fix the check for duplicate slab names
    - LP: #1356913
  * xtensa: add fixup for double exception raised in window overflow
    - LP: #1356913
  * [media] media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong
    value used in aspect ratio
    - LP: #1356913
  * [media] hdpvr: fix two audio bugs
    - LP: #1356913
  * block: don't assume last put of shared tags is for the host
    - LP: #1356913
  * blkcg: don't call into policy draining if root_blkg is already gone
    - LP: #1356913
  * block: provide compat ioctl for BLKZEROOUT
    - LP: #1356913
  * libata: support the ata host which implements a queue depth less than
    32
    - LP: #1356913
  * [media] tda10071: force modulation to QPSK on DVB-S
    - LP: #1356913
  * [media] gspca_pac7302: Add new usb-id for Genius i-Look 317
    - LP: #1356913
  * s390/ptrace: fix PSW mask check
    - LP: #1356913
  * ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
    - LP: #1356913
  * Input: fix defuzzing logic
    - LP: #1356913
  * tracing: Fix wraparound problems in "uptime" trace clock
    - LP: #1356913
  * drm/i915: Reorder the semaphore deadlock check, again
    - LP: #1356913
  * libata: introduce ata_host->n_tags to avoid oops on SAS controllers
    - LP: #1356913
  * drm/radeon: fix irq ring buffer overflow handling
    - LP: #1356913
  * coredump: fix the setting of PF_DUMPCORE
    - LP: #1356913
  * fs: umount on symlink leaks mnt count
    - LP: #1356913
  * hwmon: (smsc47m192) Fix temperature limit and vrm write operations
    - LP: #1356913
  * parisc: Remove SA_RESTORER define
    - LP: #1356913
  * drm/radeon: fix cut and paste issue for hawaii.
    - LP: #1356913
  * parport: fix menu breakage
    - LP: #1356913
  * Fix gcc-4.9.0 miscompilation of load_balance()  in scheduler
    - LP: #1356913
  * scsi: handle flush errors properly
    - LP: #1356913
  * cfg80211: fix mic_failure tracing
    - LP: #1356913
  * iio: buffer: Fix demux table creation
    - LP: #1356913
  * iio:bma180: Fix scale factors to report correct acceleration units
    - LP: #1356913
  * iio:bma180: Missing check for frequency fractional part
    - LP: #1356913
  * powerpc/perf: Fix MMCR2 handling for EBB
    - LP: #1356913
  * ath9k: fix aggregation session lockup
    - LP: #1356913
  * sched_clock: Avoid corrupting hrtimer tree during suspend
    - LP: #1356913
  * staging: vt6655: Fix Warning on boot handle_irq_event_percpu.
    - LP: #1356913
  * staging: vt6655: Fix disassociated messages every 10 seconds
    - LP: #1356913
  * can: c_can_platform: Fix raminit, use devm_ioremap() instead of
    devm_ioremap_resource()
    - LP: #1356913
  * crypto: arm-aes - fix encryption of unaligned data
    - LP: #1356913
  * ARM: fix alignment of keystone page table fixup
    - LP: #1356913
  * net: sendmsg: fix NULL pointer dereference
    - LP: #1356913
  * mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()
    - LP: #1356913
  * mm, thp: do not allow thp faults to avoid cpuset restrictions
    - LP: #1356913
  * rapidio/tsi721_dma: fix failure to obtain transaction descriptor
    - LP: #1356913
  * memcg: oom_notify use-after-free fix
    - LP: #1356913
  * crypto: af_alg - properly label AF_ALG socket
    - LP: #1356913
  * printk: rename printk_sched to printk_deferred
    - LP: #1356913
  * timer: Fix lock inversion between hrtimer_bases.lock and scheduler
    locks
    - LP: #1356913
  * dm bufio: fully initialize shrinker
    - LP: #1356913
  * dm cache: fix race affecting dirty block count
    - LP: #1356913
  * qlcnic: info leak in qlcnic_dcb_peer_app_info()
    - LP: #1356913
  * netlink: rate-limit leftover bytes warning and print process name
    - LP: #1356913
  * bridge: Prevent insertion of FDB entry with disallowed vlan
    - LP: #1356913
  * net: tunnels - enable module autoloading
    - LP: #1356913
  * net: fix inet_getid() and ipv6_select_ident() bugs
    - LP: #1356913
  * team: fix mtu setting
    - LP: #1356913
  * tcp: fix cwnd undo on DSACK in F-RTO
    - LP: #1356913
  * sh_eth: use RNC mode for packet reception
    - LP: #1356913
  * sh_eth: fix SH7619/771x support
    - LP: #1356913
  * net: filter: fix typo in sparc BPF JIT
    - LP: #1356913
  * net: filter: fix sparc32 typo
    - LP: #1356913
  * net: qmi_wwan: add Olivetti Olicard modems
    - LP: #1356913
  * net: force a list_del() in unregister_netdevice_many()
    - LP: #1356913
  * ipip, sit: fix ipv4_{update_pmtu,redirect} calls
    - LP: #1356913
  * sfc: PIO:Restrict to 64bit arch and use 64-bit writes.
    - LP: #1356913
  * ipv4: fix a race in ip4_datagram_release_cb()
    - LP: #1356913
  * rtnetlink: fix userspace API breakage for iproute2 < v3.9.0
    - LP: #1356913
  * vxlan: use dev->needed_headroom instead of dev->hard_header_len
    - LP: #1356913
  * udp: ipv4: do not waste time in __udp4_lib_mcast_demux_lookup
    - LP: #1356913
  * ip_tunnel: fix ip_tunnel_lookup
    - LP: #1356913
  * slip: Fix deadlock in write_wakeup
    - LP: #1356913
  * slcan: Port write_wakeup deadlock fix from slip
    - LP: #1356913
  * net: sctp: propagate sysctl errors from proc_do* properly
    - LP: #1356913
  * tcp: fix tcp_match_skb_to_sack() for unaligned SACK at end of an skb
    - LP: #1356913
  * net: sctp: check proc_dointvec result in proc_sctp_do_auth
    - LP: #1356913
  * 8021q: fix a potential memory leak
    - LP: #1356913
  * net: huawei_cdc_ncm: increase command buffer size
    - LP: #1356913
  * ipv4: fix dst race in sk_dst_get()
    - LP: #1356913
  * ipv4: irq safe sk_dst_[re]set() and ipv4_sk_update_pmtu() fix
    - LP: #1356913
  * net: fix sparse warning in sk_dst_set()
    - LP: #1356913
  * vlan: free percpu stats in device destructor
    - LP: #1356913
  * bnx2x: fix possible panic under memory stress
    - LP: #1356913
  * tcp: Fix divide by zero when pushing during tcp-repair
    - LP: #1356913
  * ipv4: icmp: Fix pMTU handling for rare case
    - LP: #1356913
  * net: qmi_wwan: Add ID for Telewell TW-LTE 4G v2
    - LP: #1356913
  * net: qmi_wwan: add two Sierra Wireless/Netgear devices
    - LP: #1356913
  * net: Fix NETDEV_CHANGE notifier usage causing spurious arp flush
    - LP: #1356913
  * igmp: fix the problem when mc leave group
    - LP: #1356913
  * tcp: fix false undo corner cases
    - LP: #1356913
  * appletalk: Fix socket referencing in skb
    - LP: #1356913
  * netlink: Fix handling of error from netlink_dump().
    - LP: #1356913
  * be2net: set EQ DB clear-intr bit in be_open()
    - LP: #1356913
  * tipc: clear 'next'-pointer of message fragments before reassembly
    - LP: #1356913
  * net: sctp: fix information leaks in ulpevent layer
    - LP: #1356913
  * net: pppoe: use correct channel MTU when using Multilink PPP
    - LP: #1356913
  * sunvnet: clean up objects created in vnet_new() on vnet_exit()
    - LP: #1356913
  * net: huawei_cdc_ncm: add "subclass 3" devices
    - LP: #1356913
  * dns_resolver: assure that dns_query() result is null-terminated
    - LP: #1356913
  * dns_resolver: Null-terminate the right string
    - LP: #1356913
  * ipv4: fix buffer overflow in ip_options_compile()
    - LP: #1356913
  * x86/xen: no need to explicitly register an NMI callback
    - LP: #1356913
  * Linux 3.13.11.6
    - LP: #1356913
 -- Joseph Salisbury <joseph.salisbury@xxxxxxxxxxxxx>   Thu, 14 Aug 2014 17:12:19 -0400

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0155

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4508

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1354469

Title:
  [3.13.0-30.55] rtl8821ae Kernel PANIC due to calling incorrect
  function

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux” source package in Utopic:
  Fix Released

Bug description:
  I had a support incident with a user of an Asus X551MA containing a
  Realtek RTL8821AE WiFi card. After the kernel update from 3.13.0-24 to
  3.13.0-30 there was a kernel panic as soon as the wifi card began
  scanning (photograph attached).

  I investigated the bug in detail and diagnosed the cause as commit
  22bf70f, which modifies a function prototype called by the RTL8821ae
  driver but does not update the driver to call the alternative
  function.

  Corrective patch attached.

  RIP [<ffffffffa042ffe5>] rtl8821ae_rx_query_desc+0x1d5/0xa50 [rtl8821ae]

  No changes were introduced in the rtl8821ae module between 3.13.0-24
  and 3.13.0-30. The only changes were in mac80211, which rtl8821ae
  depends on (along with cfg80211):

  # check rtl8821ae
  $ gitlog Ubuntu-3.13.0-24.47..Ubuntu-3.13.0-30.55 -- drivers/staging/rtl8821ae
  # check mac80211
  $ gitlog Ubuntu-3.13.0-24.47..Ubuntu-3.13.0-30.55 -- net/mac80211
  7049ad3 Mon May 19 18:45:30 2014 +0100 Michael Braun mac80211: fix WPA with VLAN on AP side with ps-sta again
  5d31275 Mon May 19 18:45:30 2014 +0100 Johannes Berg mac80211: fix suspend vs. authentication race
  56f2ea4 Mon May 19 18:45:29 2014 +0100 Johannes Berg mac80211: fix potential use-after-free
  22bf70f Tue Apr 15 15:27:46 2014 +0100 Johannes Berg mac80211: add length check in ieee80211_is_robust_mgmt_frame()
  # check cfg80211
  $ gitlog Ubuntu-3.13.0-24.47..Ubuntu-3.13.0-30.55 -- net/wireless/
  $

  The faulting location is in function rx_query_desc() at offset 0x1d5.

  $ objdump -d /lib/modules/3.13.0-30-generic/kernel/drivers/staging/rtl8821ae/rtl8821ae.ko

  0000000000033e40 <rtl8821ae_rx_query_desc>:

  Faulting instruction is at 0x33e40 + 0x1d5 = 0x34015

  Now I examine the debug-symbols of the module with:

  $ gdb -d drivers/staging/rtl8821ae -d drivers/staging/rtl8821ae/rtl8821ae /usr/lib/debug/modules/3.13.0-30-generic/kernel/drivers/staging/rtl8821ae/rtl8821ae.dbgsym.ko

  (gdb) info line rtl8821ae_rx_query_desc
  Line 539 of "/build/buildd/linux-3.13.0/drivers/staging/rtl8821ae/rtl8821ae/trx.c" starts at address 0x33e40 <rtl8821ae_rx_query_desc>
      and ends at 0x33e65 <rtl8821ae_rx_query_desc+37>.
  (gdb) x/i 0x34015
      0x34015 <rtl8821ae_rx_query_desc+469>:       movzwl (%rdi),%esi
  (gdb) disas rtl8821ae_rx_query_desc
  ...
      0x0000000000033ffe <+446>:   je     0x34641 <rtl8821ae_rx_query_desc+2049>
      0x0000000000034004 <+452>:   cmpl   $0x18,0x68(%rdx)
      0x0000000000034008 <+456>:   jbe    0x34268 <rtl8821ae_rx_query_desc+1064>
      0x000000000003400e <+462>:   mov    0xd8(%rdx),%rdi       /* hdr->frame_control */
      0x0000000000034015 <+469>:   movzwl (%rdi),%esi           /* FAULT %rdi invalid */
      0x0000000000034018 <+472>:   mov    %esi,%ecx
      0x000000000003401a <+474>:   and    $0xfc,%cx
      0x000000000003401f <+479>:   cmp    $0xa0,%cx
      0x0000000000034024 <+484>:   je     0x34068 <rtl8821ae_rx_query_desc+552>
  ...
  (gdb) info line *0x34015
  Line 2194 of "/build/buildd/linux-3.13.0/include/linux/ieee80211.h" starts at address 0x34015 <rtl8821ae_rx_query_desc+469>
      and ends at 0x34018 <rtl8821ae_rx_query_desc+472>.

  ---- include/linux/ieee80211.h -----
  /**
    * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
    * @hdr: the frame (buffer must include at least the first octet of payload)
    */
  static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
  {
     if (ieee80211_is_disassoc(hdr->frame_control) ||      /* LINE 2194 */
         ieee80211_is_deauth(hdr->frame_control))
       return true;

  /**
    * ieee80211_is_disassoc - check if IEEE80211_FTYPE_MGMT && IEEE80211_STYPE_DISASSOC
    * @fc: frame control bytes in little-endian byteorder
    */
  static inline int ieee80211_is_disassoc(__le16 fc)
  {
     return (fc & cpu_to_le16(IEEE80211_FCTL_FTYPE | IEEE80211_FCTL_STYPE)) ==
            cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_DISASSOC);
  }

  ----- drivers/staging/rtl8821ae/rtl8821ae/trx.c::rtl8821ae_rx_query_desc() -----
  ...
       if ((ieee80211_is_robust_mgmt_frame(hdr)) &&        /* FAULT LOCATION */
         (ieee80211_has_protected(hdr->frame_control)))
         rx_status->flag &= ~RX_FLAG_DECRYPTED;
       else
         rx_status->flag |= RX_FLAG_DECRYPTED;
     }
  ...
  ----- 8-< -----

  On investigation it appears that gdb may have an incorrect debug reference for the location of ieee80211_is_robust_mgmt_frame() since the
  location it references is for the underscore-prefix function _ieee80211_is_robust_mgmt_frame(). This may be due to both functions being inline.

  The changes introduced in commit:

  22bf70f Tue Apr 15 15:27:46 2014 +0100 Johannes Berg mac80211: add
  length check in ieee80211_is_robust_mgmt_frame()

  include renaming the existing

  ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)

  to

  _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)

  and replacing the original function with one taking an skb, not
  ieee80211_hdr:

  + * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
  + * @skb: the skb containing the frame, length will be checked
  + */
  +static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
  +{
  +       if (skb->len < 25)
  +               return false;
  +       return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
  +}
  +
  +/**
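
Review bot: ieee80211_is_robust_mgmt_frame() keeps its name while its parameter changes from struct ieee80211_hdr * to struct sk_buff *, so a caller that was not converted can still build in C with no more than an incompatible-pointer warning, after which skb->len and skb->data are read out of whatever the header pointer refers to. Giving the skb-taking variant a new name, or converting every in-tree caller (staging drivers included) in the same commit, would turn a missed caller into a build failure. The bare 25 in "skb->len < 25" would also be clearer as a named constant or with a comment tying it to the "first octet of payload" requirement stated in the kernel-doc of the underscore helper.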

  Not being able to debug a live kernel with this hardware I'm unable to pursue much further, but commit 22bf70f suggests that the wrong function is now being called by rtl8821ae because it isn't
  patched to call the underscore version of the function as all other rtl* drivers were. If this is the case, the receiving function is expecting an skb.

  The required change therefore probably should be:

  $ git diff drivers/staging/rtl8821ae/rtl8821ae/trx.c
  diff --git a/drivers/staging/rtl8821ae/rtl8821ae/trx.c b/drivers/staging/rtl8821ae/rtl8821ae/trx.c
  index 75ae438..963b55f 100644
  --- a/drivers/staging/rtl8821ae/rtl8821ae/trx.c
  +++ b/drivers/staging/rtl8821ae/rtl8821ae/trx.c
  @@ -616,7 +616,7 @@ bool rtl8821ae_rx_query_desc(struct ieee80211_hw *hw,
                                   return false;
                   }

  -               if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
  +               if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
                           (ieee80211_has_protected(hdr->frame_control)))
                           rx_status->flag &= ~RX_FLAG_DECRYPTED;
                   else
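
Review bot: the replacement call on the "+" line goes to _ieee80211_is_robust_mgmt_frame(hdr), the variant without a length check, so this receive path does not get the "skb->len < 25" guard that the skb-taking wrapper from commit 22bf70f applies. If the received skb is in scope in rtl8821ae_rx_query_desc(), passing it to ieee80211_is_robust_mgmt_frame(skb) would keep the guard; otherwise a comment at this call should state where the frame length has already been validated.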
  ---

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1354469/+subscriptions
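
As an added illustration (not code from the bug report or the kernel), here is a user-space C model of the checked and unchecked helper pair discussed in the report, with a C11 `_Generic` wrapper that rejects the wrong pointer type at compile time. The names `model_hdr`, `model_skb`, `ROBUST_MGMT` and `classify` are hypothetical, and only the disassoc/deauth test quoted in the report is modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frame-control masks and subtypes, values as in include/linux/ieee80211.h. */
#define FCTL_FTYPE     0x000c
#define FCTL_STYPE     0x00f0
#define FTYPE_MGMT     0x0000
#define STYPE_DISASSOC 0x00a0
#define STYPE_DEAUTH   0x00c0

/* Hypothetical user-space stand-ins for struct ieee80211_hdr and struct sk_buff. */
struct model_hdr { uint8_t frame_control[2]; };   /* little-endian on the wire */
struct model_skb { size_t len; const uint8_t *data; };

/* Unchecked variant (role of the underscore-prefixed helper): the caller must
 * already know the buffer is long enough. Only the disassoc/deauth test quoted
 * in the report is modelled. */
static bool model_robust_unchecked(const struct model_hdr *hdr)
{
    uint16_t fc = (uint16_t)(hdr->frame_control[0] | (hdr->frame_control[1] << 8));
    uint16_t type = fc & (FCTL_FTYPE | FCTL_STYPE);
    return type == (FTYPE_MGMT | STYPE_DISASSOC) || type == (FTYPE_MGMT | STYPE_DEAUTH);
}

/* Checked variant: validates the length (the 25-byte bound from 22bf70f) first. */
static bool model_robust_checked(const struct model_skb *skb)
{
    if (skb == NULL || skb->data == NULL || skb->len < 25)
        return false;
    return model_robust_unchecked((const struct model_hdr *)skb->data);
}

/* No default branch: passing a struct model_hdr * is always a compile error,
 * where a plain function call has historically drawn only a warning. */
#define ROBUST_MGMT(skb) _Generic((skb),              \
        struct model_skb *: model_robust_checked,     \
        const struct model_skb *: model_robust_checked)(skb)

/* Constructed sample frame: `len` bytes, given frame control, zero payload. */
static bool classify(uint16_t fc, size_t len)
{
    uint8_t buf[64] = { (uint8_t)(fc & 0xff), (uint8_t)(fc >> 8) };
    struct model_skb skb = { len, buf };
    return len <= sizeof(buf) && ROBUST_MGMT(&skb);
}

int main(void)
{
    printf("deauth, 26 bytes: %d\n", classify(0x00c0, 26));
    printf("deauth, 24 bytes: %d\n", classify(0x00c0, 24));
    return 0;
}
```

Changing `ROBUST_MGMT(&skb)` to pass a `struct model_hdr *` makes the build fail, which is the behaviour a renamed or type-guarded kernel helper would have given the unconverted driver.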


References