From: Eric Biggers <ebiggers3@gmail.com>
To: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org, Larry.Finger@lwfinger.net,
	linux-kernel@vger.kernel.org
Subject: [BUG] rtl8192se: panic accessing unmapped memory in skb
Date: Sun, 21 Dec 2014 11:25:16 -0600
Message-ID: <20141221172516.GA12784@zzz>

Hi,

I have a RTL8192SE wireless card, attached via PCI.  Usually it works with no
issues, but I recently had a kernel panic occur in the rtl8192se driver.  The
kernel version is 3.18.  Based on my analysis of the panic dump, the panic was
caused by a memory access violation in this block of code in
rtl92se_rx_query_desc():

        if (stats->decrypted) {
                hdr = (struct ieee80211_hdr *)(skb->data +
                       stats->rx_drvinfo_size + stats->rx_bufshift);

                if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
                        (ieee80211_has_protected(hdr->frame_control)))
                        rx_status->flag &= ~RX_FLAG_DECRYPTED;
                else
                        rx_status->flag |= RX_FLAG_DECRYPTED;
        }

Specifically, the violation occurred the first time hdr->frame_control was
accessed, as part of _ieee80211_is_robust_mgmt_frame().

The panic occurred when the system was under heavy filesystem load but seemingly
is not easily reproducible.

There was recently a NULL check that was removed from this exact place in the
code, but it was certainly useless.  Instead, what's much more suspect to me is
that inside _rtl_pci_rx_interrupt(), there is no error checking of the return
value of _rtl_pci_init_one_rxdesc(), which might fail if the skb couldn't be
allocated.  I am wondering if this could be causing the problem.

Eric
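The failure mode Eric suspects above (an RX-ring refill whose allocation failure is never checked, so a later interrupt reads a header through a slot that no longer holds a mapped buffer) can be modelled outside the kernel. The following is an added example and not code from the rtl8192se driver or the rtlwifi project; every name in it (rx_interrupt_unchecked, rx_interrupt_checked, alloc_rxbuf, run_scenario, the ring layout and the constructed buffers) is hypothetical. It places the unchecked pattern beside a defensive one that allocates the replacement buffer before handing the current one up, and drops the frame instead of leaving the slot empty when allocation fails.

```c
/* Added example, not rtl8192se driver code: a toy RX ring that models the
 * refill pattern described in the report. All names are hypothetical and
 * the buffers are constructed stand-ins for skbs. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RING_SIZE 4
#define BUF_LEN 64
#define HDR_OFFSET 2  /* stand-in for rx_drvinfo_size + rx_bufshift */

struct rx_ring {
    uint8_t *slot[RING_SIZE];  /* NULL models a stale/unmapped slot */
};

struct rx_stats {
    unsigned frames;     /* buffers handed up to the stack */
    unsigned dropped;    /* frames dropped because refill failed */
    unsigned bad_slots;  /* reads of an empty slot: a fault in a real driver */
};

/* Stand-in for an skb allocator that can be forced to fail (memory pressure). */
static bool g_alloc_fail;

static uint8_t *alloc_rxbuf(void)
{
    if (g_alloc_fail)
        return NULL;
    uint8_t *p = calloc(1, BUF_LEN);
    if (p) {
        p[HDR_OFFSET] = 0x40;      /* constructed frame_control bytes */
        p[HDR_OFFSET + 1] = 0x00;
    }
    return p;
}

/* Models rx_query_desc(): reads frame_control through the header pointer.
 * Returns false instead of faulting when the slot holds no buffer. */
static bool query_desc(const uint8_t *buf, uint16_t *fc)
{
    if (!buf)
        return false;
    *fc = (uint16_t)(buf[HDR_OFFSET] | (buf[HDR_OFFSET + 1] << 8));
    return true;
}

/* Unchecked pattern: hand the buffer up, then refill and ignore failure.
 * A failed refill leaves the slot empty for the next interrupt. */
static void rx_interrupt_unchecked(struct rx_ring *r, struct rx_stats *st)
{
    for (unsigned i = 0; i < RING_SIZE; i++) {
        uint16_t fc;
        if (query_desc(r->slot[i], &fc)) {
            st->frames++;
            free(r->slot[i]);          /* handed up: buffer leaves the ring */
        } else {
            st->bad_slots++;
        }
        r->slot[i] = alloc_rxbuf();    /* NULL result never checked */
    }
}

/* Hardened pattern: allocate the replacement first; if that fails, drop
 * this frame and keep the old buffer so the ring never has an empty slot. */
static void rx_interrupt_checked(struct rx_ring *r, struct rx_stats *st)
{
    for (unsigned i = 0; i < RING_SIZE; i++) {
        uint16_t fc;
        if (!query_desc(r->slot[i], &fc)) {
            st->bad_slots++;
            continue;
        }
        uint8_t *fresh = alloc_rxbuf();
        if (!fresh) {
            st->dropped++;             /* keep r->slot[i] for the next pass */
            continue;
        }
        st->frames++;
        free(r->slot[i]);
        r->slot[i] = fresh;
    }
}

/* Scenario: one normal interrupt, one under allocation failure, one normal
 * again. Returns the counters so both patterns can be compared. */
static struct rx_stats run_scenario(bool hardened)
{
    struct rx_ring r;
    struct rx_stats st = {0, 0, 0};
    g_alloc_fail = false;
    for (unsigned i = 0; i < RING_SIZE; i++)
        r.slot[i] = alloc_rxbuf();

    bool fail_pattern[3] = { false, true, false };
    for (int pass = 0; pass < 3; pass++) {
        g_alloc_fail = fail_pattern[pass];
        if (hardened)
            rx_interrupt_checked(&r, &st);
        else
            rx_interrupt_unchecked(&r, &st);
    }
    g_alloc_fail = false;
    for (unsigned i = 0; i < RING_SIZE; i++)
        free(r.slot[i]);
    return st;
}

int main(void)
{
    struct rx_stats u = run_scenario(false), c = run_scenario(true);
    printf("unchecked: frames=%u dropped=%u bad_slots=%u\n", u.frames, u.dropped, u.bad_slots);
    printf("checked:   frames=%u dropped=%u bad_slots=%u\n", c.frames, c.dropped, c.bad_slots);
    return 0;
}
```

With the unchecked pattern the interrupt that runs under allocation failure completes without error, and the damage only shows up on the following interrupt, when the empty slots are read; that delay matches a crash that appears under memory pressure yet is hard to reproduce on demand. The checked pattern converts the same allocation failure into counted drops and never reads through an empty slot.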

Thread overview: 5+ messages
2014-12-21 17:25 Eric Biggers [this message]
2014-12-21 17:25 ` [BUG] rtl8192se: panic accessing unmapped memory in skb Eric Biggers
2014-12-21 23:02 ` Larry Finger
2014-12-21 23:47   ` Eric Biggers
2014-12-22 17:43     ` Larry Finger