2012-04-05 03:37:42

by Larry Finger

Subject: Question about setup error in mac80211

In https://bugzilla.kernel.org/show_bug.cgi?id=43044, driver rtl8192ce is
getting an oops due to a NULL pointer dereference due to NULL being returned by
ieee80211_get_tx_rate. For reference, the code in question is

static inline struct ieee80211_rate *
ieee80211_get_tx_rate(const struct ieee80211_hw *hw,
		      const struct ieee80211_tx_info *c)
{
	if (WARN_ON(c->control.rates[0].idx < 0))
		return NULL;
	return &hw->wiphy->bands[c->band]->bitrates[c->control.rates[0].idx];
}

Any thoughts regarding what might be causing this? I don't have the full log,
but I assume that the WARN_ON must have been in the logs.

I can easily protect rtlwifi, but I would like to know the cause.

Thanks,

Larry


2012-04-05 06:47:54

by Helmut Schaa

Subject: Re: Question about setup error in mac80211

On Thu, Apr 5, 2012 at 5:37 AM, Larry Finger <[email protected]> wrote:
> In https://bugzilla.kernel.org/show_bug.cgi?id=43044, driver rtl8192ce is
> getting an oops due to a NULL pointer dereference due to NULL being returned
> by ieee80211_get_tx_rate. For reference, the code in question is
>
> static inline struct ieee80211_rate *
> ieee80211_get_tx_rate(const struct ieee80211_hw *hw,
> 		      const struct ieee80211_tx_info *c)
> {
> 	if (WARN_ON(c->control.rates[0].idx < 0))
> 		return NULL;
> 	return &hw->wiphy->bands[c->band]->bitrates[c->control.rates[0].idx];

For MCS rates c->control.rates[0].idx contains the MCS rate itself. So, calling
ieee80211_get_tx_rate for an MCS rate might actually cause this ...

Helmut
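As an added illustration (not code from the thread, the rtlwifi driver or mac80211), the following user-space model shows the two hazards discussed above: the helper returns NULL for a negative index, and for an MCS entry the idx field is an MCS number rather than an index into the band's bitrates table. The struct names, the TX_RC_MCS flag value and the rate table are simplified stand-ins for the mac80211 types (IEEE80211_TX_RC_MCS, struct ieee80211_rate, struct ieee80211_supported_band), and the guarded caller is an assumed defensive pattern, not the fix applied in the kernel.

```c
/* Added example: user-space model of the ieee80211_get_tx_rate() lookup and a
 * caller that does not dereference its NULL return. Types are stand-ins. */
#include <stddef.h>
#include <stdio.h>

#define TX_RC_MCS 0x08   /* stand-in for IEEE80211_TX_RC_MCS: idx is an MCS number */

struct rate { int bitrate; };                              /* units: 100 kbps */
struct rate_ctl { signed char idx; unsigned char flags; }; /* control.rates[0] */
struct band { const struct rate *bitrates; int n_bitrates; };

/* Constructed legacy rate table (1, 2, 5.5, 11 Mbps). */
static const struct rate g_rates[] = { {10}, {20}, {55}, {110} };
static const struct band g_band = { g_rates, 4 };

/* Model of the helper: NULL on a negative index, otherwise a raw table index.
 * It has no idea whether idx is a legacy index or an MCS number. */
static const struct rate *model_get_tx_rate(const struct band *b, const struct rate_ctl *c)
{
	if (c->idx < 0)
		return NULL;
	return &b->bitrates[c->idx];
}

/* Guarded caller: skips MCS entries, bounds-checks idx, and treats NULL as
 * "no legacy rate" by falling back to dflt instead of dereferencing it. */
static int tx_bitrate_or_default(const struct band *b, const struct rate_ctl *c, int dflt)
{
	const struct rate *r;

	if (c->flags & TX_RC_MCS)
		return dflt;
	if (c->idx < 0 || c->idx >= b->n_bitrates)
		return dflt;
	r = model_get_tx_rate(b, c);
	return r ? r->bitrate : dflt;
}

/* Scalar wrapper so the cases can be exercised without building structs. */
int model_tx_bitrate(int idx, unsigned flags, int dflt)
{
	struct rate_ctl c = { (signed char)idx, (unsigned char)flags };
	return tx_bitrate_or_default(&g_band, &c, dflt);
}

int main(void)
{
	printf("legacy idx 2 -> %d\n", model_tx_bitrate(2, 0, 10));          /* 55 */
	printf("idx -1 (NULL from helper) -> %d\n", model_tx_bitrate(-1, 0, 10));
	printf("MCS 7 (not a table index) -> %d\n", model_tx_bitrate(7, TX_RC_MCS, 10));
	return 0;
}
```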