diff mbox

kernel page fault in r8712u

Message ID 555AC172.4040507@lwfinger.net (mailing list archive)
State Not Applicable
Delegated to: Kalle Valo
Headers show

Commit Message

Larry Finger May 19, 2015, 4:52 a.m. UTC 
On 05/18/2015 01:38 PM, Haggai Eran wrote:
> On 18 May 2015 at 18:31, Larry Finger <Larry.Finger@lwfinger.net> wrote:
>> On 05/17/2015 02:22 PM, Haggai Eran wrote:
>>>
>>> I added some debugging prints, trying to see more details about the
>>> packet that fails the r8712_validate_recv_frame. I noticed I'm getting
>>> many packets where recv_decache returns _FAIL. However, the last two
>>> packets before the crash fail for different reasons. The first has the
>>> ver field set to 3 (instead of zero). The second (the one that get's
>>> freed and cause the crash apparently) has an unknown type (12). If I'm
>>> not mistaken, 12 = WIFI_CTRL_TYPE | WIFI_DATA_TYPE. Is that possible?
>>>
>>> It could be that the packet headers are garbled though.
>>
>>
>> I think the headers are garbled. Did you log the address of the skb at
>> precvframe->u.hdr.pkt in r8712_free_recvframe() or orig_prframe->u.hdr.pct
>> in recv_func().
>
> I added prints of the skb pointer in every call to recv_func. Here are
> the results:
>
> ...
> [  674.111771] recv_func: pcontext = 96335820, prframe->u.hdr.pkt = 9729fb40
> [  674.118782] recv_func: pcontext = 963359b8, prframe->u.hdr.pkt = 9729f6c0
> [  674.125777] recv_func: pcontext = 96335930, prframe->u.hdr.pkt = 9729f780
> [  674.132769] recv_func: pcontext = 963358a8, prframe->u.hdr.pkt = 973d56c0
> [  674.139753] recv_func: pcontext = 96335d70, prframe->u.hdr.pkt = 973d5000
> [  674.146922] recv_func: pcontext = 963361b0, prframe->u.hdr.pkt = 973d5000
> [  674.153961] recv_func: pcontext = 963360a0, prframe->u.hdr.pkt = 973d5000
> [  674.161023] recv_func: pcontext = 96336128, prframe->u.hdr.pkt = 973d5000
> [  674.168186] recv_func: pcontext = 96336018, prframe->u.hdr.pkt = 973d5000
> [  674.175231] recv_func: pcontext = 96335f90, prframe->u.hdr.pkt = 973d5000
> [  674.182141] r8712_validate_recv_frame: ver = 1
> [  674.186814] recv_func: pcontext = 96335f08, prframe->u.hdr.pkt = 973d5000
> [  674.193811] r8712_validate_recv_frame: ver = 1
> [  674.198530] recv_func: pcontext = 963363d0, prframe->u.hdr.pkt = 973d5000
> [  674.205434] r8712_validate_recv_frame: ver = 3
> [  674.210018] Unable to handle kernel NULL pointer dereference at
> virtual address 00000001
> [  674.218209] pgd = 80004000
> [  674.221025] [00000001] *pgd=00000000
> [  674.224752] Internal error: Oops: 5 [#1] ARM
> [  674.229028] Modules linked in: rfcomm cfg80211 r8712u(C) btusb
> bluetooth bcm2708_rng
> [  674.236857] CPU: 0 PID: 530 Comm: kworker/0:1 Tainted: G        WC
>      4.0.3 #1
> [  674.244247] Hardware name: BCM2708
> [  674.247663] task: 962cdee0 ti: 960fc000 task.ti: 960fc000
> [  674.253082] PC is at put_page+0xc/0x68
> [  674.256853] LR is at skb_release_data+0x6c/0xcc
> [  674.261388] pc : [<800933e0>]    lr : [<80433fe4>]    psr: 20000113
> [  674.261388] sp : 960fdc18  ip : 960fdc28  fp : 960fdc24
> [  674.272856] r10: 84d6cc00  r9 : 0000fff8  r8 : 00002f17
> [  674.278079] r7 : 973d5000  r6 : 84dc7620  r5 : 84dc7620  r4 : 00000000
> [  674.284602] r3 : 00000037  r2 : 00000000  r1 : 00000001  r0 : 00000001
> [  674.291127] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM
> Segment kernel
> [  674.298432] Control: 00c5387d  Table: 168a4008  DAC: 00000015
> [  674.304179] Process kworker/0:1 (pid: 530, stack limit = 0x960fc188)
> [  674.310532] Stack: (0x960fdc18 to 0x960fe000)
> [  674.314893] dc00:
>      960fdc44 960fdc28
> [  674.323076] dc20: 80433fe4 800933e0 973d5000 96309010 96308520
> 96309010 960fdc5c 960fdc48
> [  674.331257] dc40: 8043406c 80433f84 00000001 973d5000 960fdc74
> 960fdc60 8043413c 80434050
> [  674.339437] dc60: 40000113 963363d0 960fdc84 960fdc78 80441c08
> 80434120 960fdcac 960fdc88
> [  674.347618] dc80: 7f10ca70 80441bd0 00000000 96308520 963363d0
> 00000000 96309010 00002f17
> [  674.355798] dca0: 960fdce4 960fdcb0 7f10d3f8 7f10ca50 960fdcd4
> 960fdcc0 80439aac 96308520
> [  674.363978] dcc0: 963363d0 9630a520 00002f80 00002f17 0000fff8
> 84d6cc00 960fdd04 960fdce8
> [  674.372157] dce0: 7f10eb84 7f10d36c 000000d2 963363d0 84dc7626
> 00000018 960fdd54 960fdd08
> [  674.380338] dd00: 7f10c65c 7f10eb5c 96308ff0 963090d4 9729f840
> 9630b520 96309010 973d5000
> [  674.388518] dd20: ffff2f00 00000002 808f4590 96309094 808f458c
> 8093f820 00000000 96a32900
> [  674.396698] dd40: 8093f840 40000000 960fdd7c 960fdd58 8001fbbc
> 7f10c4b8 0000833e 00000000
> [  674.404879] dd60: 00000000 00000102 960fc000 8093f840 960fddcc
> 960fdd80 8001ffc0 8001fb48
> [  674.413058] dd80: 8054e348 80052428 00000001 00000001 04208060
> 0001b61a 00000009 960fc000
> [  674.421237] dda0: 00000000 00000000 80920c94 00000000 00000000
> 00000000 8003555c 00000000
> [  674.429416] ddc0: 960fdde4 960fddd0 80020474 8001fea4 00000000
> 00000000 960fde0c 960fdde8
> [  674.437598] dde0: 80057298 800203bc 960fde20 8054e760 60000013
> f200b200 960fde54 972ba1e0
> [  674.445777] de00: 960fde1c 960fde10 800081e4 80057224 960fde7c
> 960fde20 800127f8 800081cc
> [  674.453957] de20: 8054e75c 00000001 962cdee0 00000000 808f6668
> 969021e0 97051140 00000000
> [  674.462140] de40: 972ba1e0 8003555c 00000000 960fde7c 960fde58
> 960fde68 8004b37c 8054e760
> [  674.470319] de60: 60000013 ffffffff 00000000 808f6668 960fdeac
> 960fde80 8003e738 8054e73c
> [  674.478499] de80: 00000001 00000000 8003e6cc 960fde98 97239140
> 962cdee0 808f6668 972ba1e0
> [  674.486679] dea0: 960fded4 960fdeb0 80549748 8003e6d8 960fded8
> 960fc000 808f5834 808f5834
> [  674.494860] dec0: 808f5864 00000008 960fdeec 960fded8 80549ad8
> 80549558 962cdee0 971e55a0
> [  674.503039] dee0: 960fdf24 960fdef0 80035590 80549aa0 972c4940
> 971e55a0 800354cc 00000000
> [  674.511220] df00: 972c4940 971e55a0 800354cc 00000000 00000000
> 00000000 960fdfac 960fdf28
> [  674.519401] df20: 8003a080 800354d8 00000000 00000000 960fdf4c
> 971e55a0 00000000 00000001
> [  674.527581] df40: dead4ead ffffffff ffffffff 8093fd70 00000000
> 00000000 80646d2c 960fdf5c
> [  674.535759] df60: 960fdf5c 00000000 00000001 dead4ead ffffffff
> ffffffff 8093fd70 00000000
> [  674.543939] df80: 00000000 80646d2c 960fdf88 960fdf88 972c4940
> 80039fa0 00000000 00000000
> [  674.552118] dfa0: 00000000 960fdfb0 8000e8f0 80039fac 00000000
> 00000000 00000000 00000000
> [  674.560296] dfc0: 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000
> [  674.568474] dfe0: 00000000 00000000 00000000 00000000 00000013
> 00000000 00000000 00000000
> [  674.576643] Backtrace:
> [  674.579129] [<800933d4>] (put_page) from [<80433fe4>]
> (skb_release_data+0x6c/0xcc)
> [  674.586711] [<80433f78>] (skb_release_data) from [<8043406c>]
> (skb_release_all+0x28/0x2c)
> [  674.594881]  r7:96309010 r6:96308520 r5:96309010 r4:973d5000
> [  674.600599] [<80434044>] (skb_release_all) from [<8043413c>]
> (consume_skb+0x28/0x5c)
> [  674.608338]  r4:973d5000 r3:00000001
> [  674.611961] [<80434114>] (consume_skb) from [<80441c08>]
> (__dev_kfree_skb_any+0x44/0x48)
> [  674.620045]  r4:963363d0 r3:40000113
> [  674.623891] [<80441bc4>] (__dev_kfree_skb_any) from [<7f10ca70>]
> (r8712_free_recvframe+0x2c/0x94 [r8712u])
> [  674.633827] [<7f10ca44>] (r8712_free_recvframe [r8712u]) from
> [<7f10d3f8>] (recv_func+0x98/0x6f0 [r8712u])
> [  674.643477]  r8:00002f17 r7:96309010 r6:00000000 r5:963363d0
> r4:96308520 r3:00000000
> [  674.651563] [<7f10d360>] (recv_func [r8712u]) from [<7f10eb84>]
> (r8712_recv_entry+0x34/0x78 [r8712u])
> [  674.660780]  r10:84d6cc00 r9:0000fff8 r8:00002f17 r7:00002f80
> r6:9630a520 r5:963363d0
> [  674.668666]  r4:96308520
> [  674.671495] [<7f10eb50>] (r8712_recv_entry [r8712u]) from
> [<7f10c65c>] (recv_tasklet+0x1b0/0x324 [r8712u])
> [  674.681145]  r6:00000018 r5:84dc7626 r4:963363d0 r3:000000d2
> [  674.687002] [<7f10c4ac>] (recv_tasklet [r8712u]) from [<8001fbbc>]
> (tasklet_hi_action+0x80/0xdc)
> [  674.695785]  r10:40000000 r9:8093f840 r8:96a32900 r7:00000000
> r6:8093f820 r5:808f458c
> [  674.703670]  r4:96309094
> [  674.706228] [<8001fb3c>] (tasklet_hi_action) from [<8001ffc0>]
> (__do_softirq+0x128/0x290)
> [  674.714399]  r8:8093f840 r7:960fc000 r6:00000102 r5:00000000
> r4:00000000 r3:0000833e
> [  674.722205] [<8001fe98>] (__do_softirq) from [<80020474>]
> (irq_exit+0xc4/0x118)
> [  674.729509]  r10:00000000 r9:8003555c r8:00000000 r7:00000000
> r6:00000000 r5:80920c94
> [  674.737392]  r4:00000000
> [  674.739968] [<800203b0>] (irq_exit) from [<80057298>]
> (__handle_domain_irq+0x80/0xe0)
> [  674.747793]  r4:00000000 r3:00000000
> [  674.751406] [<80057218>] (__handle_domain_irq) from [<800081e4>]
> (asm_do_IRQ+0x24/0x28)
> [  674.759404]  r8:972ba1e0 r7:960fde54 r6:f200b200 r5:60000013
> r4:8054e760 r3:960fde20
> [  674.767228] [<800081c0>] (asm_do_IRQ) from [<800127f8>] (__irq_svc+0x38/0xb0)
> [  674.774361] Exception stack(0x960fde20 to 0x960fde68)
> [  674.779421] de20: 8054e75c 00000001 962cdee0 00000000 808f6668
> 969021e0 97051140 00000000
> [  674.787600] de40: 972ba1e0 8003555c 00000000 960fde7c 960fde58
> 960fde68 8004b37c 8054e760
> [  674.795771] de60: 60000013 ffffffff
> [  674.799294] [<8054e730>] (_raw_spin_unlock_irq) from [<8003e738>]
> (finish_task_switch+0x6c/0x108)
> [  674.808157]  r4:808f6668 r3:00000000
> [  674.811772] [<8003e6cc>] (finish_task_switch) from [<80549748>]
> (__schedule+0x1fc/0x548)
> [  674.819856]  r7:972ba1e0 r6:808f6668 r5:962cdee0 r4:97239140
> [  674.825572] [<8054954c>] (__schedule) from [<80549ad8>] (schedule+0x44/0x9c)
> [  674.832615]  r8:00000008 r7:808f5864 r6:808f5834 r5:808f5834
> r4:960fc000 r3:960fded8
> [  674.840438] [<80549a94>] (schedule) from [<80035590>]
> (worker_thread+0xc4/0x4d0)
> [  674.847829]  r4:971e55a0 r3:962cdee0
> [  674.851442] [<800354cc>] (worker_thread) from [<8003a080>]
> (kthread+0xe0/0x100)
> [  674.858747]  r10:00000000 r9:00000000 r8:00000000 r7:800354cc
> r6:971e55a0 r5:972c4940
> [  674.866630]  r4:00000000
> [  674.869192] [<80039fa0>] (kthread) from [<8000e8f0>]
> (ret_from_fork+0x14/0x24)
> [  674.876409]  r7:00000000 r6:00000000 r5:80039fa0 r4:972c4940
> [  674.882121] Code: 8009272c e1a0c00d e92dd800 e24cb004 (e5902000)
> [  674.888596] ---[ end trace 8b18691702087335 ]---
> [  674.893371] Kernel panic - not syncing: Fatal exception in interrupt
> [  674.899744] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
>
> The offsets are a little different, I guess because of the added
> prints, and debugging features I enabled in the kernel. One thing I
> notice is that the skb at 0x973d5000 gets reused a couple of times
> before the crash. Also, this time the pointer being dereferenced is
> NULL (0x1).

OK, I will have to search further upstream to see how a faulty skb was provided.

I have been testing r8712u on my x86_64 system with no difficulty.

I checked the driver with Smatch and found a couple of array problems. These 
likely won't be the problem, but try the attached patches anyway.

Larry

Comments

Haggai Eran May 19, 2015, 5 a.m. UTC | #1 
On 19 May 2015 at 07:52, Larry Finger <Larry.Finger@lwfinger.net> wrote:
> OK, I will have to search further upstream to see how a faulty skb was
> provided.
>
> I have been testing r8712u on my x86_64 system with no difficulty.
>
> I checked the driver with Smatch and found a couple of array problems. These
> likely won't be the problem, but try the attached patches anyway.

I found one place that might be the cause for the fault. The
recvbuf2recvframe function has a line copying memory between the
incoming pskb and a new allocated skb:

1065                 pkt_copy = netdev_alloc_skb(padapter->pnetdev, alloc_sz);
1066                 if (pkt_copy) {
1067                         precvframe->u.hdr.pkt = pkt_copy;
1068                         skb_reserve(pkt_copy, 4 - ((addr_t)(pkt_copy->data)
1069                                     % 4));
1070                         skb_reserve(pkt_copy, shift_sz);
1071                         memcpy(pkt_copy->data, pbuf, tmp_len);
1072                         precvframe->u.hdr.rx_head =
precvframe->u.hdr.rx_data =
1073                                  precvframe->u.hdr.rx_tail =
pkt_copy->data;
1074                         precvframe->u.hdr.rx_end = pkt_copy->data
+ alloc_sz;

I added a BUG_ON there in case the memcpy overflows
(BUG_ON((pkt_copy->end - pkt_copy->data) < tmp_len)) and it trigerred.
I'm not sure why does the overflow occur though.

Haggai
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Haggai Eran May 19, 2015, 5:16 a.m. UTC | #2 
On 19 May 2015 at 07:52, Larry Finger <Larry.Finger@lwfinger.net> wrote:
> I checked the driver with Smatch and found a couple of array problems. These
> likely won't be the problem, but try the attached patches anyway.

I tried the patches. The first one prevents the driver from working. I
think the smatch warning may be a false positive, because HWXMIT_ENTRY
is checked specifically for values 4 and 5 in an if statement.

The second patch doesn't hurt, but it didn't solve the issue.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

From 7729f6f1c7c6cb49b77b42e89e0e10be3121079b Mon Sep 17 00:00:00 2001
From: Larry Finger <Larry.Finger@lwfinger.net>
Date: Mon, 18 May 2015 23:47:22 -0500
Subject: [PATCH 2/2] staging: rtl8712: Fix Smatch error in rtl8712_efuse.c

Smatch reports the following error:

drivers/staging/rtl8712/rtl8712_efuse.c:545 r8712_efuse_map_write() error: buffer overflow 'pktdata' 8 <= 8

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---
 drivers/staging/rtl8712/rtl8712_efuse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8712/rtl8712_efuse.c b/drivers/staging/rtl8712/rtl8712_efuse.c
index d957169..dfe6cd7 100644
--- a/drivers/staging/rtl8712/rtl8712_efuse.c
+++ b/drivers/staging/rtl8712/rtl8712_efuse.c
@@ -495,7 +495,7 @@  u8 r8712_efuse_map_write(struct _adapter *padapter, u16 addr, u16 cnts,
 			 u8 *data)
 {
 	u8 offset, word_en, empty;
-	u8 pktdata[PGPKT_DATA_SIZE], newdata[PGPKT_DATA_SIZE];
+	u8 pktdata[PGPKT_DATA_SIZE + 1], newdata[PGPKT_DATA_SIZE + 1];
 	int i, j, idx;
 
 	if ((addr + cnts) > EFUSE_MAP_MAX_SIZE)
-- 
2.1.4