* [PATCH] iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx
@ 2009-09-23 8:51 Stanislaw Gruszka
2009-09-24 21:38 ` reinette chatre
0 siblings, 1 reply; 3+ messages in thread
From: Stanislaw Gruszka @ 2009-09-23 8:51 UTC (permalink / raw)
To: linux-wireless; +Cc: Reinette Chatre, John W. Linville, Stanislaw Gruszka
In some cases firmware can give us bad value of index in transmit
buffers array. This patch add sanity check for such values and return
from processing function instantly when it happens.
https://bugzilla.redhat.com/show_bug.cgi?id=521931
Patch was tested by reporter on iwl5000. I think check can be also
helpful for 4965.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
---
drivers/net/wireless/iwlwifi/iwl-4965.c | 6 ++++++
drivers/net/wireless/iwlwifi/iwl-5000.c | 6 ++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/iwl-4965.c b/drivers/net/wireless/iwlwifi/iwl-4965.c
index 8f3d4bc..573818f 100644
--- a/drivers/net/wireless/iwlwifi/iwl-4965.c
+++ b/drivers/net/wireless/iwlwifi/iwl-4965.c
@@ -2019,6 +2019,12 @@ static int iwl4965_tx_status_reply_tx(struct iwl_priv *priv,
agg->frame_count, txq_id, idx);
hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);
+ if (!hdr) {
+ IWL_ERR(priv,
+ "BUG_ON idx doesn't point to valid skb"
+ " idx=%d, txq_id=%d\n", idx, txq_id);
+ return -1;
+ }
sc = le16_to_cpu(hdr->seq_ctrl);
if (idx != (SEQ_TO_SN(sc) & 0xff)) {
diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c
index b3c648c..460f1fb 100644
--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
@@ -1139,6 +1139,12 @@ static int iwl5000_tx_status_reply_tx(struct iwl_priv *priv,
agg->frame_count, txq_id, idx);
hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);
+ if (!hdr) {
+ IWL_ERR(priv,
+ "BUG_ON idx doesn't point to valid skb"
+ " idx=%d, txq_id=%d\n", idx, txq_id);
+ return -1;
+ }
sc = le16_to_cpu(hdr->seq_ctrl);
if (idx != (SEQ_TO_SN(sc) & 0xff)) {
--
1.6.2.5
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx
2009-09-23 8:51 [PATCH] iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx Stanislaw Gruszka
@ 2009-09-24 21:38 ` reinette chatre
2009-09-28 20:14 ` John W. Linville
0 siblings, 1 reply; 3+ messages in thread
From: reinette chatre @ 2009-09-24 21:38 UTC (permalink / raw)
To: Stanislaw Gruszka; +Cc: linux-wireless@vger.kernel.org, John W. Linville
Hi Stanislaw,
On Wed, 2009-09-23 at 01:51 -0700, Stanislaw Gruszka wrote:
> In some cases firmware can give us bad value of index in transmit
> buffers array. This patch add sanity check for such values and return
> from processing function instantly when it happens.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=521931
>
> Patch was tested by reporter on iwl5000. I think check can be also
> helpful for 4965.
>
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
I looked at the bugzilla entry and I think that there may be another fix
required here. After the driver submitted the five frames it received a
surprisingly large number of tx responses from firmware, with one of
these causing the problem. The bad value from the firmware may be a
result of something else done incorrectly by driver here since the
firmware has been trying for more than 40 times at this point to inform
driver about tx results.
I commented in that bugzilla and we can continue to debug this issue
there. Until then I'd like to hold off on this patch.
Reinette
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx
2009-09-24 21:38 ` reinette chatre
@ 2009-09-28 20:14 ` John W. Linville
0 siblings, 0 replies; 3+ messages in thread
From: John W. Linville @ 2009-09-28 20:14 UTC (permalink / raw)
To: reinette chatre; +Cc: Stanislaw Gruszka, linux-wireless@vger.kernel.org
On Thu, Sep 24, 2009 at 02:38:07PM -0700, reinette chatre wrote:
> Hi Stanislaw,
>
> On Wed, 2009-09-23 at 01:51 -0700, Stanislaw Gruszka wrote:
> > In some cases firmware can give us bad value of index in transmit
> > buffers array. This patch add sanity check for such values and return
> > from processing function instantly when it happens.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=521931
> >
> > Patch was tested by reporter on iwl5000. I think check can be also
> > helpful for 4965.
> >
> > Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> > ---
>
> I looked at the bugzilla entry and I think that there may be another fix
> required here. After the driver submitted the five frames it received a
> surprisingly large number of tx responses from firmware, with one of
> these causing the problem. The bad value from the firmware may be a
> result of something else done incorrectly by driver here since the
> firmware has been trying for more than 40 times at this point to inform
> driver about tx results.
>
> I commented in that bugzilla and we can continue to debug this issue
> there. Until then I'd like to hold off on this patch.
Hmmm...well, I already sent it to Dave/Linus -- it's in 2.6.32-rc1...
John
--
John W. Linville Someday the world will need a hero, and you
linville@tuxdriver.com might be all we have. Be ready.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-09-28 20:15 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-09-23 8:51 [PATCH] iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx Stanislaw Gruszka
2009-09-24 21:38 ` reinette chatre
2009-09-28 20:14 ` John W. Linville
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).