From patchwork Sun Dec 21 23:02:02 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Larry Finger X-Patchwork-Id: 5525511 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 735F6BEEA8 for ; Sun, 21 Dec 2014 23:02:44 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id B31592013D for ; Sun, 21 Dec 2014 23:02:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DB26E20121 for ; Sun, 21 Dec 2014 23:02:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753686AbaLUXCH (ORCPT ); Sun, 21 Dec 2014 18:02:07 -0500 Received: from mail-oi0-f51.google.com ([209.85.218.51]:43590 "EHLO mail-oi0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752386AbaLUXCE (ORCPT ); Sun, 21 Dec 2014 18:02:04 -0500 Received: by mail-oi0-f51.google.com with SMTP id e131so7886296oig.10; Sun, 21 Dec 2014 15:02:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=4CRuW7zZIG0EG1+HFjZd3Y9Xh7rRy89WiBrK+f0F/Kc=; b=SHYpaaInyxUoCbIxe9jh0/TS5w5mzRvW/eAUh4YmK3qwFxr1Xb1DGLKML3eGRquaXd HwTMeS1GSP2u00YlzNM+NKfd0oMGzo1Nb9kJylB4Tzk0jytIdA2nts2KbHfGHsn5KL5c vKqvPrZ8Mo17hUqnWzXow3cd48oGsH0dKerQypmbjLP4Y+IubOq8trmC4iRr0g4868PA hEfGYf1wVLQ05ButC0T4IQ+g0beo8Om4Y8bqvSj2qJRgw3VxxFvmuzvRIv/UGTCm2hlH O+dMmpvDzpgFmPEs8J5sZueJGemu4TgBDxJMwv+tifOQbjgbzTtz/etK+SzTTaYvxmxF vwCg== X-Received: by 10.60.43.101 with SMTP id v5mr11528234oel.24.1419202923737; Sun, 21 Dec 2014 15:02:03 -0800 (PST) Received: from linux.site ([69.76.245.152]) by mx.google.com with ESMTPSA id c8sm3309720oel.0.2014.12.21.15.02.02 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 21 Dec 2014 15:02:02 -0800 (PST) Message-ID: <5497516A.2020400@lwfinger.net> Date: Sun, 21 Dec 2014 17:02:02 -0600 From: Larry Finger User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 MIME-Version: 1.0 To: Eric Biggers , linux-wireless@vger.kernel.org CC: netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [BUG] rtl8192se: panic accessing unmapped memory in skb References: <20141221172516.GA12784@zzz> In-Reply-To: <20141221172516.GA12784@zzz> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,T_TVD_MIME_EPI, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On 12/21/2014 11:25 AM, Eric Biggers wrote: > Hi, > > I have a RTL8192SE wireless card, attached via PCI. Usually it works with no > issues, but I recently had a kernel panic occur in the rtl8192se driver. The > kernel version is 3.18. Based on my analysis of the panic dump, the panic was > caused by a memory access violation in this block of code in > rtl92se_rx_query_desc(): > > if (stats->decrypted) { > hdr = (struct ieee80211_hdr *)(skb->data + > stats->rx_drvinfo_size + stats->rx_bufshift); > > if ((_ieee80211_is_robust_mgmt_frame(hdr)) && > (ieee80211_has_protected(hdr->frame_control))) > rx_status->flag &= ~RX_FLAG_DECRYPTED; > else > rx_status->flag |= RX_FLAG_DECRYPTED; > } > > Specifically, the violation occurred the first time hdr->frame_control was > accessed, as part of _ieee80211_is_robust_mgmt_frame(). > > The panic occurred when the system was under heavy filesystem load but seemingly > is not easily reproducible. > > There was recently a NULL check that was removed from this exact place in the > code, but it was certainly useless. Instead, what's much more suspect to me is > that inside _rtl_pci_rx_interrupt(), there is no error checking of the return > value of _rtl_pci_init_one_rxdesc(), which might fail if the skb couldn't be > allocated. I am wondering if this could be causing the problem. Your analysis is probably correct; however, I'm not sure what to do if the allocate of an skb fails. As the name says, this routine is entered through an interrupt, and I'm not sure what to do other than to exit. The attached patch will implement the exit after logging an error. Please patch your system and report back. How much RAM does your system have? That info might be useful in trying to reproduce the problem, which might indeed be difficult. Although pci.c was extensively reworked in the 3.17 => 3.18 transition, most of the changes were added to implement the changed descriptor structure for the RTL8192EE, and I do not remember any changes that would affect any of the other drivers. As a result, the current structure has been in place for some time, and this problem has not been reported before. Larry diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c index 846a2e6..c576c71 100644 --- a/drivers/net/wireless/rtlwifi/pci.c +++ b/drivers/net/wireless/rtlwifi/pci.c @@ -676,7 +676,7 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw, skb = dev_alloc_skb(rtlpci->rxbuffersize); if (!skb) - return 0; + return -ENOMEM;; rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb; /* just set skb->cb to mapping addr for pci_unmap_single use */ @@ -685,7 +685,7 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw, rtlpci->rxbuffersize, PCI_DMA_FROMDEVICE); bufferaddress = *((dma_addr_t *)skb->cb); if (pci_dma_mapping_error(rtlpci->pdev, bufferaddress)) - return 0; + return -EFAULT; if (rtlpriv->use_new_trx_flow) { rtlpriv->cfg->ops->set_desc(hw, (u8 *)entry, false, HW_DESC_RX_PREPARE, @@ -701,7 +701,7 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw, HW_DESC_RXOWN, (u8 *)&tmp_one); } - return 1; + return 0; } /* inorder to receive 8K AMSDU we have set skb to @@ -768,6 +768,7 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) .signal = 0, .rate = 0, }; + int err; /*RX NORMAL PKT */ while (count--) { @@ -912,13 +913,21 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) } end: if (rtlpriv->use_new_trx_flow) { - _rtl_pci_init_one_rxdesc(hw, (u8 *)buffer_desc, - rxring_idx, - rtlpci->rx_ring[rxring_idx].idx); + err = _rtl_pci_init_one_rxdesc(hw, (u8 *)buffer_desc, + rxring_idx, + rtlpci->rx_ring[rxring_idx].idx); + if (err) { + pr_err("%s Failed to init RX descriptor\n"); + return; + } } else { - _rtl_pci_init_one_rxdesc(hw, (u8 *)pdesc, rxring_idx, - rtlpci->rx_ring[rxring_idx].idx); - + err = _rtl_pci_init_one_rxdesc(hw, (u8 *)pdesc, + rxring_idx, + rtlpci->rx_ring[rxring_idx].idx); + if (err) { + pr_err("%s Failed to init RX descriptor\n"); + return; + } if (rtlpci->rx_ring[rxring_idx].idx == rtlpci->rxringcount - 1) rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc,