From patchwork Mon Aug 3 19:58:26 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lennert Buytenhek
X-Patchwork-Id: 38990
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n73JxBm0025490 for ; Mon, 3 Aug 2009 19:59:12 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755092AbZHCT61 (ORCPT ); Mon, 3 Aug 2009 15:58:27 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1755077AbZHCT61 (ORCPT ); Mon, 3 Aug 2009 15:58:27 -0400
Received: from xi.wantstofly.org ([80.101.37.227]:47397 "EHLO mail.wantstofly.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755044AbZHCT60 (ORCPT ); Mon, 3 Aug 2009 15:58:26 -0400
Received: by mail.wantstofly.org (Postfix, from userid 500) id 3D63218E213; Mon, 3 Aug 2009 21:58:26 +0200 (CEST)
Date: Mon, 3 Aug 2009 21:58:26 +0200
From: Lennert Buytenhek
To: linville@tuxdriver.com, linux-wireless@vger.kernel.org
Cc: nico@cam.org
Subject: [PATCH 1/5] mwl8k: fix NULL pointer dereference on receive out-of-memory
Message-ID: <20090803195826.GH18639@mail.wantstofly.org>
Mime-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.4.2.2i
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

When we go into out-of-memory and fail to allocate skbuffs to refill
the receive ring with, rxq_process can end up running into a receive
ring entry that is marked as host-owned but doesn't have an associated
skbuff. If this happens, we must break out of the rx processing loop
instead of trying to process the descriptor.

Signed-off-by: Lennert Buytenhek
Acked-by: Nicolas Pitre
---
 drivers/net/wireless/mwl8k.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c index a9a9704..f437fab 100644 --- a/drivers/net/wireless/mwl8k.c 
+++ b/drivers/net/wireless/mwl8k.c @@ -1012,6 +1012,8 @@ static int rxq_process(struct ieee80211_hw *hw, int index, int limit) rmb(); skb = rxq->rx_skb[rxq->rx_head]; + if (skb == NULL) + break; rxq->rx_skb[rxq->rx_head] = NULL; rxq->rx_head = (rxq->rx_head + 1) % MWL8K_RX_DESCS;
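Review bot: the new `if (skb == NULL) break;` in rxq_process() leaves the loop before `rxq->rx_head` is advanced, so the next call will land on the same ring entry again, and nothing in the code records why a host-owned descriptor can legitimately have no skb. Please add a short comment above the check saying that this state results from a failed refill under out-of-memory and that the entry is intentionally left in place to be retried once an skb has been attached. It is also worth confirming in the rest of the function (outside the lines shown here) that the refill step still runs after this early break, since otherwise the ring would stay stuck at this entry. Because the condition is silent, a statistics counter or rate-limited message on this path would make receive stalls under memory pressure diagnosable, and the check could be wrapped in `unlikely()` as it sits on the per-packet path.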