public inbox for linux-kernel@vger.kernel.org
From: Larry Finger <Larry.Finger@lwfinger.net>
To: Ben Hutchings <ben@decadent.org.uk>,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org,
	Chaoming Li <chaoming_li@realsil.com.cn>,
	Dmitry Semyonov <linulin@gmail.com>
Subject: Re: [PATCH 3.2 31/34] rtl8192ce: Fix null dereference in watchdog
Date: Fri, 16 May 2014 09:20:25 -0500	[thread overview]
Message-ID: <53761EA9.6060508@lwfinger.net> (raw)
In-Reply-To: <lsq.1400244441.849613969@decadent.org.uk>

On 05/16/2014 07:47 AM, Ben Hutchings wrote:
> 3.2.59-rc1 review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Ben Hutchings <ben@decadent.org.uk>
>
> Dmitry Semyonov reported that after upgrading from 3.2.54 to
> 3.2.57 the rtl8192ce driver will crash when its interface is brought
> up.  The oops message shows:
>
> [ 1833.611397] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> [ 1833.611455] IP: [<ffffffffa0410c6a>] rtl92ce_update_hal_rate_tbl+0x29/0x4db [rtl8192ce]
> ...
> [ 1833.613326] Call Trace:
> [ 1833.613346]  [<ffffffffa02ad9c6>] ? rtl92c_dm_watchdog+0xd0b/0xec9 [rtl8192c_common]
> [ 1833.613391]  [<ffffffff8105b5cf>] ? process_one_work+0x161/0x269
> [ 1833.613425]  [<ffffffff8105c598>] ? worker_thread+0xc2/0x145
> [ 1833.613458]  [<ffffffff8105c4d6>] ? manage_workers.isra.25+0x15b/0x15b
> [ 1833.613496]  [<ffffffff8105f6d9>] ? kthread+0x76/0x7e
> [ 1833.613527]  [<ffffffff81356b74>] ? kernel_thread_helper+0x4/0x10
> [ 1833.613563]  [<ffffffff8105f663>] ? kthread_worker_fn+0x139/0x139
> [ 1833.613598]  [<ffffffff81356b70>] ? gs_change+0x13/0x13
>
> Disassembly of rtl92ce_update_hal_rate_tbl() shows that the 'sta'
> parameter was null.  None of the changes to the rtlwifi family between
> 3.2.54 and 3.2.57 seem to directly cause this, and reverting commit
> f78bccd79ba3 ('rtlwifi: rtl8192ce: Fix too long disable of IRQs')
> doesn't fix it.
>
> rtl92c_dm_watchdog() calls rtl92ce_update_hal_rate_tbl() via
> rtl92c_dm_refresh_rate_adaptive_mask(), which does not appear in the
> call trace as it was inlined.  That function has been completely
> removed upstream which may explain why this crash wasn't seen there.
>
> I'm not sure that it is sensible to completely remove
> rtl92c_dm_refresh_rate_adaptive_mask() without making other
> compensating changes elsewhere, so try to work around this for 3.2 by
> checking for a null pointer in rtl92c_dm_refresh_rate_adaptive_mask()
> and then skipping the call to rtl92ce_update_hal_rate_tbl().
>
> References: https://bugs.debian.org/745137
> References: https://bugs.debian.org/745462
> Reported-by: Dmitry Semyonov <linulin@gmail.com>
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> Cc: Larry Finger <Larry.Finger@lwfinger.net>
> Cc: Chaoming Li <chaoming_li@realsil.com.cn>
> ---

Ben,

Your fix is a reasonable workaround. I have no explanation for why this NULL pointer
dereference suddenly appeared; however, the pointer should have been checked
from the start.

Thanks,

Larry
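As an added illustration of the pattern the patch description addresses (this is not code from the thread or from the rtlwifi driver), the following C model shows a periodic watchdog refreshing a rate-adaptive mask for a station pointer that is only valid while associated, with the unchecked refresh beside the pointer-checked workaround. Every name, the RSSI thresholds and the lifecycle sequence are constructed assumptions; the unchecked variant is only ever called while the pointer is set, so the program runs to completion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the driver state involved in the oops: the DM
 * watchdog runs periodically as a work item and, for the associated
 * station, recomputes the rate-adaptive mask and pushes it into the
 * hardware rate table. Names are hypothetical, not the driver's. */
struct sta_info {
    unsigned int rssi;       /* last measured signal, percent */
    unsigned int rate_mask;  /* rates the rate control may use */
};

struct priv {
    struct sta_info *sta;      /* NULL until association completes */
    unsigned int hal_rate_tbl; /* last mask written to the "hardware" */
    unsigned int tbl_updates;  /* how often the table was rewritten */
    unsigned int skipped;      /* watchdog ticks that found no station */
};

/* Mask chosen from signal quality (constructed thresholds). */
static unsigned int mask_for_rssi(unsigned int rssi)
{
    if (rssi >= 60) return 0x0fff;  /* high: all rates */
    if (rssi >= 30) return 0x00ff;  /* medium: drop the fastest rates */
    return 0x000f;                  /* low: basic rates only */
}

/* Stand-in for rtl92ce_update_hal_rate_tbl(): it reads through sta
 * without checking it, which is where the reported NULL dereference
 * would happen. */
static void update_hal_rate_tbl(struct priv *p, struct sta_info *sta)
{
    p->hal_rate_tbl = sta->rate_mask;
    p->tbl_updates++;
}

/* Pre-fix shape of the mask refresh: assumes sta is valid. */
static void refresh_rate_adaptive_mask_unchecked(struct priv *p)
{
    struct sta_info *sta = p->sta;
    sta->rate_mask = mask_for_rssi(sta->rssi);  /* faults if sta == NULL */
    update_hal_rate_tbl(p, sta);
}

/* The workaround described in the patch: check the pointer and skip
 * the hardware update when there is no station to program for. */
static bool refresh_rate_adaptive_mask_checked(struct priv *p)
{
    struct sta_info *sta = p->sta;
    if (!sta) {
        p->skipped++;
        return false;
    }
    sta->rate_mask = mask_for_rssi(sta->rssi);
    update_hal_rate_tbl(p, sta);
    return true;
}

/* One watchdog tick, as the work item would run it. */
static void dm_watchdog(struct priv *p)
{
    refresh_rate_adaptive_mask_checked(p);
}

/* Drives the interface through "up, not yet associated", "associated"
 * and "station gone" while the watchdog keeps ticking. */
static struct priv run_lifecycle(void)
{
    struct sta_info sta = { .rssi = 45, .rate_mask = 0 };
    struct priv p = { .sta = NULL };

    dm_watchdog(&p);             /* interface up, no station yet: skipped */
    dm_watchdog(&p);             /* still nothing to program: skipped */

    p.sta = &sta;                /* association completes */
    dm_watchdog(&p);             /* medium signal -> mask 0x00ff */
    sta.rssi = 75;
    refresh_rate_adaptive_mask_unchecked(&p); /* safe only while sta is set */

    p.sta = NULL;                /* station gone; watchdog still scheduled */
    dm_watchdog(&p);             /* would have oopsed without the check */
    return p;
}

/* Accessors so the counters can be checked without a main(). */
static unsigned int lifecycle_updates(void) { return run_lifecycle().tbl_updates; }
static unsigned int lifecycle_skipped(void) { return run_lifecycle().skipped; }
static unsigned int lifecycle_last_mask(void) { return run_lifecycle().hal_rate_tbl; }

int main(void)
{
    printf("updates=%u skipped=%u last_mask=0x%04x\n",
           lifecycle_updates(), lifecycle_skipped(), lifecycle_last_mask());
    return 0;
}
```

The point the model makes is the one in the patch description: the watchdog is scheduled independently of association state, so the station pointer it reads can legitimately be NULL on some ticks, and the cheap check at the call site keeps those ticks from reaching the table update.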

