From: Larry Finger
To: kvalo@codeaurora.org
Cc: devel@driverdev.osuosl.org, linux-wireless@vger.kernel.org, Larry Finger, Stable
Subject: [PATCH] rtlwifi: rtl_pci: Fix kernel panic
Date: Mon, 21 Dec 2015 17:05:08 -0600
Message-Id: <1450739108-24121-1-git-send-email-Larry.Finger@lwfinger.net>
X-Patchwork-Id: 7898451

In commit 38506ecefab9 (rtlwifi: rtl_pci: Start modification for new drivers), a bug was introduced that causes a NULL pointer dereference. As this bug only affects the infrequently used RTL8192EE and only under low-memory conditions, it has taken a long time for the bug to show up. The bug was reported on the linux-wireless mailing list and also at https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10).

Fixes: 38506ecefab9
Signed-off-by: Larry Finger
Cc: Stable
--- drivers/net/wireless/realtek/rtlwifi/pci.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c index f46c9d7..7f471bf 100644 --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c 
@@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) hw_queue); if (rx_remained_cnt == 0) return; - + buffer_desc = &rtlpci->rx_ring[rxring_idx].buffer_desc[ + rtlpci->rx_ring[rxring_idx].idx]; + pdesc = (struct rtl_rx_desc *)skb->data; } else { /* rx descriptor */ pdesc = &rtlpci->rx_ring[rxring_idx].desc[ rtlpci->rx_ring[rxring_idx].idx]; @@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) new_skb = dev_alloc_skb(rtlpci->rxbuffersize); if (unlikely(!new_skb)) goto no_new; - if (rtlpriv->use_new_trx_flow) { - buffer_desc = - &rtlpci->rx_ring[rxring_idx].buffer_desc - [rtlpci->rx_ring[rxring_idx].idx]; - /*means rx wifi info*/ - pdesc = (struct rtl_rx_desc *)skb->data; - } memset(&rx_status , 0 , sizeof(rx_status)); rtlpriv->cfg->ops->query_rx_desc(hw, &stats, &rx_status, (u8 *)pdesc, skb);
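
Review bot: in the first hunk (@@ -801,7 +801,9 @@), the relocated `pdesc = (struct rtl_rx_desc *)skb->data;` has lost the `/*means rx wifi info*/` comment that the removed copy in the second hunk carried, so nothing in the use_new_trx_flow branch explains why the descriptor pointer comes from the skb data while the else branch takes it from `rx_ring[rxring_idx].desc[...]`. Suggest carrying the comment over with normal spacing, `/* means rx wifi info */`. The cast also depends on `skb` already pointing at the current ring buffer at this point, which the context lines here do not show; worth confirming it is assigned before this branch.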
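
Review bot: the commit message does not say which pointer ends up NULL or why, and the second hunk (@@ -824,13 +826,6 @@) is where that becomes visible: the removed `if (rtlpriv->use_new_trx_flow) { ... }` block sat after `if (unlikely(!new_skb)) goto no_new;`, so when `dev_alloc_skb()` failed the jump skipped the `buffer_desc` and `pdesc` assignments for the new TRX flow. Suggest adding one sentence to the changelog that names this ordering and the pointer used after `no_new`, which also ties the fix to the "low-memory conditions" the message mentions. The `Fixes:` tag would normally carry the commit subject as well, in the form `Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")`.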