Message-ID: <53761EA9.6060508@lwfinger.net>
Date: Fri, 16 May 2014 09:20:25 -0500
From: Larry Finger
To: Ben Hutchings, linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, Chaoming Li, Dmitry Semyonov
Subject: Re: [PATCH 3.2 31/34] rtl8192ce: Fix null dereference in watchdog

On 05/16/2014 07:47 AM, Ben Hutchings wrote:
> 3.2.59-rc1 review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Ben Hutchings
>
> Dmitry Semyonov reported that after upgrading from 3.2.54 to
> 3.2.57 the rtl8192ce driver will crash when its interface is brought
> up. The oops message shows:
>
> [ 1833.611397] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> [ 1833.611455] IP: [] rtl92ce_update_hal_rate_tbl+0x29/0x4db [rtl8192ce]
> ...
> [ 1833.613326] Call Trace:
> [ 1833.613346] [] ? rtl92c_dm_watchdog+0xd0b/0xec9 [rtl8192c_common]
> [ 1833.613391] [] ? process_one_work+0x161/0x269
> [ 1833.613425] [] ? worker_thread+0xc2/0x145
> [ 1833.613458] [] ? manage_workers.isra.25+0x15b/0x15b
> [ 1833.613496] [] ? kthread+0x76/0x7e
> [ 1833.613527] [] ? kernel_thread_helper+0x4/0x10
> [ 1833.613563] [] ? kthread_worker_fn+0x139/0x139
> [ 1833.613598] [] ? gs_change+0x13/0x13
>
> Disassembly of rtl92ce_update_hal_rate_tbl() shows that the 'sta'
> parameter was null. None of the changes to the rtlwifi family between
> 3.2.54 and 3.2.57 seem to directly cause this, and reverting commit
> f78bccd79ba3 ('rtlwifi: rtl8192ce: Fix too long disable of IRQs')
> doesn't fix it.
>
> rtl92c_dm_watchdog() calls rtl92ce_update_hal_rate_tbl() via
> rtl92c_dm_refresh_rate_adaptive_mask(), which does not appear in the
> call trace as it was inlined. That function has been completely
> removed upstream which may explain why this crash wasn't seen there.
>
> I'm not sure that it is sensible to completely remove
> rtl92c_dm_refresh_rate_adaptive_mask() without making other
> compensating changes elsewhere, so try to work around this for 3.2 by
> checking for a null pointer in rtl92c_dm_refresh_rate_adaptive_mask()
> and then skipping the call to rtl92ce_update_hal_rate_tbl().
>
> References: https://bugs.debian.org/745137
> References: https://bugs.debian.org/745462
> Reported-by: Dmitry Semyonov
> Signed-off-by: Ben Hutchings
> Cc: Larry Finger
> Cc: Chaoming Li
> ---

Ben,

Your fix is a reasonable workaround. I have no explanation for this NULL
pointer dereference to suddenly appear; however, the pointer should have
been checked from the start.

Thanks,

Larry