From: Larry Finger <Larry.Finger@lwfinger.net>
To: Ben Hutchings <ben@decadent.org.uk>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
Chaoming Li <chaoming_li@realsil.com.cn>,
Dmitry Semyonov <linulin@gmail.com>
Subject: Re: [PATCH 3.2 31/34] rtl8192ce: Fix null dereference in watchdog
Date: Fri, 16 May 2014 09:20:25 -0500
Message-ID: <53761EA9.6060508@lwfinger.net>
In-Reply-To: <lsq.1400244441.849613969@decadent.org.uk>

On 05/16/2014 07:47 AM, Ben Hutchings wrote:
> 3.2.59-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Ben Hutchings <ben@decadent.org.uk>
>
> Dmitry Semyonov reported that after upgrading from 3.2.54 to
> 3.2.57 the rtl8192ce driver will crash when its interface is brought
> up. The oops message shows:
>
> [ 1833.611397] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> [ 1833.611455] IP: [<ffffffffa0410c6a>] rtl92ce_update_hal_rate_tbl+0x29/0x4db [rtl8192ce]
> ...
> [ 1833.613326] Call Trace:
> [ 1833.613346] [<ffffffffa02ad9c6>] ? rtl92c_dm_watchdog+0xd0b/0xec9 [rtl8192c_common]
> [ 1833.613391] [<ffffffff8105b5cf>] ? process_one_work+0x161/0x269
> [ 1833.613425] [<ffffffff8105c598>] ? worker_thread+0xc2/0x145
> [ 1833.613458] [<ffffffff8105c4d6>] ? manage_workers.isra.25+0x15b/0x15b
> [ 1833.613496] [<ffffffff8105f6d9>] ? kthread+0x76/0x7e
> [ 1833.613527] [<ffffffff81356b74>] ? kernel_thread_helper+0x4/0x10
> [ 1833.613563] [<ffffffff8105f663>] ? kthread_worker_fn+0x139/0x139
> [ 1833.613598] [<ffffffff81356b70>] ? gs_change+0x13/0x13
>
> Disassembly of rtl92ce_update_hal_rate_tbl() shows that the 'sta'
> parameter was null. None of the changes to the rtlwifi family between
> 3.2.54 and 3.2.57 seem to directly cause this, and reverting commit
> f78bccd79ba3 ('rtlwifi: rtl8192ce: Fix too long disable of IRQs')
> doesn't fix it.
>
> rtl92c_dm_watchdog() calls rtl92ce_update_hal_rate_tbl() via
> rtl92c_dm_refresh_rate_adaptive_mask(), which does not appear in the
> call trace as it was inlined. That function has been completely
> removed upstream which may explain why this crash wasn't seen there.
>
> I'm not sure that it is sensible to completely remove
> rtl92c_dm_refresh_rate_adaptive_mask() without making other
> compensating changes elsewhere, so try to work around this for 3.2 by
> checking for a null pointer in rtl92c_dm_refresh_rate_adaptive_mask()
> and then skipping the call to rtl92ce_update_hal_rate_tbl().
>
> References: https://bugs.debian.org/745137
> References: https://bugs.debian.org/745462
> Reported-by: Dmitry Semyonov <linulin@gmail.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: Larry Finger <Larry.Finger@lwfinger.net>
> Cc: Chaoming Li <chaoming_li@realsil.com.cn>
> ---
Ben,

Your fix is a reasonable workaround. I have no explanation for this NULL pointer
dereference to suddenly appear; however, the pointer should have been checked
from the start.

Thanks,

Larry
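
The guard described in the quoted commit message, as an added C model that is not part of this thread and is not the rtlwifi patch. The names `sta_model`, `hw_model`, `update_rate_tbl` and `refresh_rate_mask` are hypothetical, and the struct layout is constructed so that the field read sits at offset 0x10, the faulting address in the oops.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not the rtlwifi structures: the only property kept
 * is that the field the rate-table update reads sits 0x10 bytes into the
 * station entry, so a NULL base faults at address 0x10 as in the oops. */
struct sta_model {
    uint64_t pad[2];
    uint32_t rate_mask;               /* offset 0x10 */
};

struct hw_model {
    struct sta_model *sta;            /* NULL when no station entry is available */
    uint32_t programmed_mask;
    unsigned int skipped;             /* watchdog ticks that skipped the update */
};

/* Address an unguarded read of sta->rate_mask would touch. */
static uintptr_t fault_address(const struct sta_model *sta)
{
    return (uintptr_t)sta + offsetof(struct sta_model, rate_mask);
}

/* Callee: trusts its caller and dereferences sta unconditionally. */
static void update_rate_tbl(struct hw_model *hw, struct sta_model *sta)
{
    hw->programmed_mask = sta->rate_mask;
}

/* Caller with the guard: a NULL station skips the update and is counted,
 * so the periodic work item keeps running instead of faulting. */
static int refresh_rate_mask(struct hw_model *hw)
{
    if (!hw->sta) {
        hw->skipped++;
        return 0;
    }
    update_rate_tbl(hw, hw->sta);
    return 1;
}

int main(void)
{
    struct hw_model hw = { .sta = NULL };
    int updated = refresh_rate_mask(&hw);

    printf("unguarded read would fault at %#lx\n", (unsigned long)fault_address(hw.sta));
    printf("tick with NULL sta: updated=%d skipped=%u\n", updated, hw.skipped);
    return 0;
}
```

Counting the skipped ticks keeps the condition visible to whoever later investigates why the pointer was NULL, which the thread leaves unexplained.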