From: Larry Finger <Larry.Finger@lwfinger.net>
To: Haggai Eran <haggai.eran@gmail.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
Date: Sat, 23 May 2015 12:48:25 -0500 [thread overview]
Message-ID: <5560BD69.10409@lwfinger.net> (raw)
In-Reply-To: <CAJ=9CzbohiYSj1J4M17iK4Rqh0bopEF8zhN=Sqrh7GO6eBP-=w@mail.gmail.com>
On 05/23/2015 12:24 PM, Haggai Eran wrote:
> On 20 May 2015 at 22:20, Haggai Eran <haggai.eran@gmail.com> wrote:
>> On 20 May 2015 at 19:39, Larry Finger <Larry.Finger@lwfinger.net> wrote:
>>> On 05/20/2015 01:17 AM, Haggai Eran wrote:
>>>>
>>>> On May 19, 2015 08:47, "Haggai Eran" <haggai.eran@gmail.com
>>>> <mailto:haggai.eran@gmail.com>> wrote:
>>>> >
>>>> > With an RTL8191SU USB adaptor, sometimes the hints for a fragmented
>>>> > packet are set, but the packet length is too large. Truncate the packet
>>>> > to prevent memory corruption.
>>>> >
>>>> > Signed-off-by: Haggai Eran <haggai.eran@gmail.com
>>>> <mailto:haggai.eran@gmail.com>>
>>>> > ---
>>>> >
>>>> > Hi,
>>>> >
>>>> > I think this solves the issue for me. I'll test it more thoroughly
>>>> later. I
>>>> > still don't know why a fragmented packet has such a large pkt_len value
>>>> though.
>>>> >
>>>> > Thanks,
>>>> > Haggai
>>>> >
>>>>
>>>> I guess I was too quick with this patch. It prevents the kernel page
>>>> faults, but
>>>> with it I still see sometimes the connectivity disappear for a minute or
>>>> two.
>>>
>>>
>>> Is anything logged when that happens?
>> No. I get once in a while the other corrupted entries I told you
>> about, but nothing special to these freezes
>>
>>> I'm still trying to see where that magic number of 1658 comes from, and how
>>> that affects the RX buffer size.
>>
>> I tried to look at the new driver (rtl8192su), but it doesn't seem to
>> handle this more-fragment bit at all.
>>
>>> When I unconditionally set alloc_sz to tmp_len as in the attached patch (I
>>> remembered to refresh it this time), nothing bad has happened here yet. What
>>> happens on your box?
>>
>> The same freezes still occur.
>
> I think the freezes I saw weren't related to the same issue. I was
> running a debugging kernel, and I saw the same freezes also with a
> different wifi adaptor. After switching to a non-debugging kernel, and
> using your patch, the freezes stopped.
That is good news. Perhaps the debugging kernel is overflowing the stack. Did
your debugging kernel have "Check for stack overflows" set in the "Memory
Debugging" section of the configuration? I did not have that turned on until
today, but it seems like a good idea.
Do you want to prepare the final version of the patch, or should I?
Larry
next prev parent reply other threads:[~2015-05-23 17:48 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-19 5:47 [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe Haggai Eran
2015-05-19 15:51 ` Larry Finger
2015-05-19 17:23 ` Haggai Eran
[not found] ` <CAJ=9Czay5pbi6p+n8SxXaJsWG4JR2p_vteKYbLxvoxLVtPQPaQ@mail.gmail.com>
2015-05-20 16:39 ` Larry Finger
2015-05-20 19:20 ` Haggai Eran
2015-05-23 17:24 ` Haggai Eran
2015-05-23 17:48 ` Larry Finger [this message]
2015-05-23 18:09 ` Haggai Eran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5560BD69.10409@lwfinger.net \
--to=larry.finger@lwfinger.net \
--cc=haggai.eran@gmail.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).