All of lore.kernel.org
 help / color / mirror / Atom feed
From: <gregkh@linuxfoundation.org>
To: arend@broadcom.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "brcmfmac: avoid null pointer access when brcmf_msgbuf_get_pktid() fails" has been added to the 4.0-stable tree
Date: Wed, 03 Jun 2015 10:24:56 +0900	[thread overview]
Message-ID: <143329469668192@kroah.com> (raw)


This is a note to let you know that I've just added the patch titled

    brcmfmac: avoid null pointer access when brcmf_msgbuf_get_pktid() fails

to the 4.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     brcmfmac-avoid-null-pointer-access-when-brcmf_msgbuf_get_pktid-fails.patch
and it can be found in the queue-4.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 7d072b404c5d8f1e0b62b6bc488dfeaa61bd2d8d Mon Sep 17 00:00:00 2001
From: Arend van Spriel <arend@broadcom.com>
Date: Tue, 26 May 2015 13:19:46 +0200
Subject: brcmfmac: avoid null pointer access when brcmf_msgbuf_get_pktid() fails

From: Arend van Spriel <arend@broadcom.com>

commit 7d072b404c5d8f1e0b62b6bc488dfeaa61bd2d8d upstream.

The function brcmf_msgbuf_get_pktid() may return a NULL pointer so
the callers should check the return pointer before accessing it to
avoid the crash below (see [1]):

brcmfmac: brcmf_msgbuf_get_pktid: Invalid packet id 273 (not in use)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [<ffffffff8145b225>] skb_pull+0x5/0x50
PGD 0
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: pci_stub vboxpci(O) vboxnetflt(O) vboxnetadp(O) vboxdrv(O)
 snd_hda_codec_hdmi bnep mousedev hid_generic ushwmon msr ext4 crc16 mbcache
 jbd2 sd_mod uas usb_storage ahci libahci libata scsi_mod xhci_pci xhci_hcd
 usbcore usb_common
CPU: 0 PID: 1661 Comm: irq/61-brcmf_pc Tainted: G O    4.0.1-MacbookPro-ARCH #1
Hardware name: Apple Inc. MacBookPro12,1/Mac-E43C1C25D4880AD6,
 BIOS MBP121.88Z.0167.B02.1503241251 03/24/2015
task: ffff880264203cc0 ti: ffff88025ffe4000 task.ti: ffff88025ffe4000
RIP: 0010:[<ffffffff8145b225>]  [<ffffffff8145b225>] skb_pull+0x5/0x50
RSP: 0018:ffff88025ffe7d40  EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88008a33c000 RCX: 0000000000000044
RDX: 0000000000000000 RSI: 000000000000004a RDI: 0000000000000000
RBP: ffff88025ffe7da8 R08: 0000000000000096 R09: 000000000000004a
R10: 0000000000000000 R11: 000000000000048e R12: ffff88025ff14f00
R13: 0000000000000000 R14: ffff880263b48200 R15: ffff88008a33c000
FS:  0000000000000000(0000) GS:ffff88026ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 000000000180b000 CR4: 00000000003407f0
Stack:
 ffffffffa06aed74 ffff88025ffe7dc8 ffff880263b48270 ffff880263b48278
 05ea88020000004a 0002ffff81014635 000000001720b2f6 ffff88026ec116c0
 ffff880263b48200 0000000000010000 ffff880263b4ae00 ffff880264203cc0
Call Trace:
 [<ffffffffa06aed74>] ? brcmf_msgbuf_process_rx+0x404/0x480 [brcmfmac]
 [<ffffffff810cea60>] ? irq_finalize_oneshot.part.30+0xf0/0xf0
 [<ffffffffa06afb55>] brcmf_proto_msgbuf_rx_trigger+0x35/0xf0 [brcmfmac]
 [<ffffffffa06baf2a>] brcmf_pcie_isr_thread_v2+0x8a/0x130 [brcmfmac]
 [<ffffffff810cea80>] irq_thread_fn+0x20/0x50
 [<ffffffff810ceddf>] irq_thread+0x13f/0x170
 [<ffffffff810cebf0>] ? wake_threads_waitq+0x30/0x30
 [<ffffffff810ceca0>] ? irq_thread_dtor+0xb0/0xb0
 [<ffffffff81092a08>] kthread+0xd8/0xf0
 [<ffffffff81092930>] ? kthread_create_on_node+0x1c0/0x1c0
 [<ffffffff8156d898>] ret_from_fork+0x58/0x90
 [<ffffffff81092930>] ? kthread_create_on_node+0x1c0/0x1c0
Code: 01 83 e2 f7 88 50 01 48 83 c4 08 5b 5d f3 c3 0f 1f 80 00 00 00 00 83 e2
 f7 88 50 01 c3 66 0f 1f 84 00 00 00 00 00 0f 1f
RIP  [<ffffffff8145b225>] skb_pull+0x5/0x50
 RSP <ffff88025ffe7d40>
CR2: 0000000000000080
---[ end trace b074c0f90e7c997d ]---

[1] http://mid.gmane.org/20150430193259.GA5630@googlemail.com

Reported-by: Michael Hornung <mhornung.linux@gmail.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
@@ -512,11 +512,9 @@ static int brcmf_msgbuf_query_dcmd(struc
 				     msgbuf->rx_pktids,
 				     msgbuf->ioctl_resp_pktid);
 	if (msgbuf->ioctl_resp_ret_len != 0) {
-		if (!skb) {
-			brcmf_err("Invalid packet id idx recv'd %d\n",
-				  msgbuf->ioctl_resp_pktid);
+		if (!skb)
 			return -EBADF;
-		}
+
 		memcpy(buf, skb->data, (len < msgbuf->ioctl_resp_ret_len) ?
 				       len : msgbuf->ioctl_resp_ret_len);
 	}
@@ -875,10 +873,8 @@ brcmf_msgbuf_process_txstatus(struct brc
 	flowid -= BRCMF_NROF_H2D_COMMON_MSGRINGS;
 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
 				     msgbuf->tx_pktids, idx);
-	if (!skb) {
-		brcmf_err("Invalid packet id idx recv'd %d\n", idx);
+	if (!skb)
 		return;
-	}
 
 	set_bit(flowid, msgbuf->txstatus_done_map);
 	commonring = msgbuf->flowrings[flowid];
@@ -1157,6 +1153,8 @@ brcmf_msgbuf_process_rx_complete(struct
 
 	skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev,
 				     msgbuf->rx_pktids, idx);
+	if (!skb)
+		return;
 
 	if (data_offset)
 		skb_pull(skb, data_offset);


Patches currently in stable-queue which might be from arend@broadcom.com are

queue-4.0/brcmfmac-avoid-null-pointer-access-when-brcmf_msgbuf_get_pktid-fails.patch

                 reply	other threads:[~2015-06-03  1:25 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=143329469668192@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=arend@broadcom.com \
    --cc=stable-commits@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.