From: Greg Kroah-Hartman
Subject: [PATCH 4.4 105/342] rtlwifi: rtl_pci: Fix kernel panic
Cc: Greg Kroah-Hartman, Larry Finger, Kalle Valo
Message-Id: <20160301234531.361684262@linuxfoundation.org>
In-Reply-To: <20160301234527.990448862@linuxfoundation.org>
Date: Tue, 01 Mar 2016 23:54:18 +0000

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Larry Finger commit f99551a2d39dc26ea03dc6761be11ac913eb2d57 upstream. In commit 38506ecefab9 (rtlwifi: rtl_pci: Start modification for new drivers), a bug was introduced that causes a NULL pointer dereference. As this bug only affects the infrequently used RTL8192EE and only under low-memory conditions, it has taken a long time for the bug to show up. The bug was reported on the linux-wireless mailing list and also at https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10). Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers") Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/realtek/rtlwifi/pci.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) --- a/drivers/net/wireless/realtek/rtlwifi/pci.c +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c @@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct hw_queue); if (rx_remained_cnt == 0) return; - + buffer_desc = &rtlpci->rx_ring[rxring_idx].buffer_desc[ + rtlpci->rx_ring[rxring_idx].idx]; + pdesc = (struct rtl_rx_desc *)skb->data; } else { /* rx descriptor */ pdesc = &rtlpci->rx_ring[rxring_idx].desc[ rtlpci->rx_ring[rxring_idx].idx]; @@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct new_skb = dev_alloc_skb(rtlpci->rxbuffersize); if (unlikely(!new_skb)) goto no_new; - if (rtlpriv->use_new_trx_flow) { - buffer_desc = - &rtlpci->rx_ring[rxring_idx].buffer_desc - [rtlpci->rx_ring[rxring_idx].idx]; - /*means rx wifi info*/ - pdesc = (struct rtl_rx_desc *)skb->data; - } memset(&rx_status , 0 , sizeof(rx_status)); rtlpriv->cfg->ops->query_rx_desc(hw, &stats, &rx_status, (u8 *)pdesc, skb);
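Review bot: In the first hunk (@@ -801), the moved assignment `pdesc = (struct rtl_rx_desc *)skb->data;` no longer carries the `/*means rx wifi info*/` comment that accompanied it in the block removed by the second hunk, and the blank line after `return;` is replaced by the new assignments. Suggest keeping a short comment saying that on the use_new_trx_flow path pdesc points into the skb data rather than into the descriptor ring, as the else branch does with `&rtlpci->rx_ring[rxring_idx].desc[...]`, and restoring the blank line so the early return stays visually separate from the setup that follows it.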
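Review bot: In the second hunk (@@ -824), the changelog does not say which pointer is NULL or where it is dereferenced. The removed assignments of buffer_desc and pdesc sat after `if (unlikely(!new_skb)) goto no_new;`, so a failed dev_alloc_skb() skipped them, which matches the "low-memory conditions" wording, but the code at the no_new label is outside the visible context. Suggest one sentence in the commit message naming the pointer and the use at no_new that faults, so stable reviewers can confirm that no other path reaches that label with these pointers unset.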