From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org, nbd@nbd.name
Subject: Fwd: [PATCH] mt76: mt76u: fix NULL pointer dereference in mt76u_status_worker
Date: Wed, 16 Dec 2020 19:44:29 +0100 [thread overview]
Message-ID: <20201216184429.GG2036@lore-desk> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 114 bytes --]
Hi Kalle,
Since net-next is closed now I guess we can consider this patch for
wireless-drivers
Regards,
Lorenzo
[-- Attachment #1.2: Type: message/rfc822, Size: 8509 bytes --]
From: Lorenzo Bianconi <lorenzo@kernel.org>
To: nbd@nbd.name
Cc: linux-wireless@vger.kernel.org, lorenzo.bianconi@redhat.com
Subject: [PATCH] mt76: mt76u: fix NULL pointer dereference in mt76u_status_worker
Date: Tue, 8 Dec 2020 10:20:15 +0100
Message-ID: <cd44dc407cf3e5f27688105d4a75fb1c68e62b06.1607419147.git.lorenzo@kernel.org>
Fix the following NULL pointer dereference in mt76u_status_worker that
can occur if status thread runs before allocating tx queues
[ 31.395373] BUG: kernel NULL pointer dereference, address: 000000000000002c
[ 31.395769] #PF: supervisor read access in kernel mode
[ 31.395985] #PF: error_code(0x0000) - not-present page
[ 31.396178] PGD 0 P4D 0
[ 31.396277] Oops: 0000 [#1] SMP
[ 31.396430] CPU: 3 PID: 337 Comm: mt76-usb-status Not tainted 5.10.0-rc1-kvm+ #49
[ 31.396703] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-3.fc33 04/01/2014
[ 31.397048] RIP: 0010:mt76u_status_worker+0x2b/0x190
[ 31.397931] RSP: 0018:ffffc9000076fe98 EFLAGS: 00010282
[ 31.398118] RAX: 0000000000000001 RBX: ffff888111203fe8 RCX: 0000000000000000
[ 31.398400] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff888111203fe8
[ 31.398668] RBP: ffff888111201d00 R08: 000000000000038c R09: 000000000000009b
[ 31.398952] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.399235] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810c987300
[ 31.399494] FS: 0000000000000000(0000) GS:ffff88817bd80000(0000) knlGS:0000000000000000
[ 31.399767] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.399991] CR2: 000000000000002c CR3: 0000000103525000 CR4: 00000000000006a0
[ 31.400236] Call Trace:
[ 31.400348] ? schedule+0x3e/0xa0
[ 31.400514] __mt76_worker_fn+0x71/0xa0
[ 31.400634] ? mt76_get_min_avg_rssi+0x110/0x110
[ 31.400827] kthread+0x118/0x130
[ 31.400984] ? __kthread_bind_mask+0x60/0x60
[ 31.401212] ret_from_fork+0x1f/0x30
[ 31.401353] Modules linked in:
[ 31.401480] CR2: 000000000000002c
[ 31.401627] ---[ end trace 8bf174505cc34851 ]---
[ 31.401798] RIP: 0010:mt76u_status_worker+0x2b/0x190
[ 31.402636] RSP: 0018:ffffc9000076fe98 EFLAGS: 00010282
[ 31.402829] RAX: 0000000000000001 RBX: ffff888111203fe8 RCX: 0000000000000000
[ 31.403118] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff888111203fe8
[ 31.403424] RBP: ffff888111201d00 R08: 000000000000038c R09: 000000000000009b
[ 31.403689] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 31.403933] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810c987300
[ 31.404209] FS: 0000000000000000(0000) GS:ffff88817bd80000(0000) knlGS:0000000000000000
[ 31.404482] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.404726] CR2: 000000000000002c CR3: 0000000103525000 CR4: 00000000000006a0
[ 31.405294] mt76x0u: probe of 1-1:1.0 failed with error -110
[ 31.406007] usb 1-1: USB disconnect, device number 2
[ 31.840756] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 32.461295] usb 1-1: reset high-speed USB device number 3 using xhci_hcd
[ 32.659932] mt76x0u 1-1:1.0: ASIC revision: 76100002 MAC revision: 76502000
[ 33.197032] mt76x0u 1-1:1.0: EEPROM ver:02 fae:01
Fixes: 9daf27e62852 ("mt76: mt76u: use dedicated thread for status work")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
drivers/net/wireless/mediatek/mt76/usb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
index 7a91fd0c2b01..b95d093728b9 100644
--- a/drivers/net/wireless/mediatek/mt76/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/usb.c
@@ -815,6 +815,8 @@ static void mt76u_status_worker(struct mt76_worker *w)
for (i = 0; i < IEEE80211_NUM_ACS; i++) {
q = dev->phy.q_tx[i];
+ if (!q)
+ continue;
while (q->queued > 0) {
if (!q->entry[q->tail].done)
--
2.28.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
next reply other threads:[~2020-12-16 18:46 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-16 18:44 Lorenzo Bianconi [this message]
2020-12-16 19:06 ` Fwd: [PATCH] mt76: mt76u: fix NULL pointer dereference in mt76u_status_worker Kalle Valo
2020-12-16 20:47 ` Lorenzo Bianconi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201216184429.GG2036@lore-desk \
--to=lorenzo.bianconi@redhat.com \
--cc=kvalo@codeaurora.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nbd@nbd.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.