From 74e20cf2bdb8312252363362495b9e517b3637d9 Mon Sep 17 00:00:00 2001
From: Yang Bai <hamo.by@gmail.com>
Date: Thu, 12 Mar 2015 11:56:40 -0500
Subject: [PATCH V2 4.0] rtlwifi: get buffer_desc before trying to alloc new skb
If rtlpriv->use_new_trx_flow == true and we run out of memory
to alloc a new skb, we will directly jump to no_new tag with
buffer_desc == NULL. Then we will dereference this NULL pointer
in function _rtl_pci_init_one_rxdesc.
Signed-off-by: Yang Bai <hamo.by@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org> [3.18+]
---
V2 - Refactor to reduce the number of tests of use_new_trx_flow.
drivers/net/wireless/rtlwifi/pci.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
@@ -801,7 +801,10 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
hw_queue);
if (rx_remained_cnt == 0)
return;
-
+ buffer_desc =
+ &rtlpci->rx_ring[rxring_idx].buffer_desc
+ [rtlpci->rx_ring[rxring_idx].idx];
+ pdesc = (struct rtl_rx_desc *)skb->data;
} else { /* rx descriptor */
pdesc = &rtlpci->rx_ring[rxring_idx].desc[
rtlpci->rx_ring[rxring_idx].idx];
@@ -824,13 +827,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
if (unlikely(!new_skb))
goto no_new;
- if (rtlpriv->use_new_trx_flow) {
- buffer_desc =
- &rtlpci->rx_ring[rxring_idx].buffer_desc
- [rtlpci->rx_ring[rxring_idx].idx];
- /*means rx wifi info*/
- pdesc = (struct rtl_rx_desc *)skb->data;
- }
memset(&rx_status , 0 , sizeof(rx_status));
rtlpriv->cfg->ops->query_rx_desc(hw, &stats,
&rx_status, (u8 *)pdesc, skb);
--
2.1.4