From patchwork Thu Mar 12 17:29:31 2015
X-Patchwork-Submitter: Larry Finger
X-Patchwork-Id: 5997561
X-Patchwork-Delegate: kvalo@adurom.com
Message-ID: <5501CCFB.3040203@lwfinger.net>
Date: Thu, 12 Mar 2015 12:29:31 -0500
From: Larry Finger
To: Yang Bai, kvalo@codeaurora.org
CC: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rtlwifi: get buffer_desc before trying to alloc new skb
References: <1426160036-1542-1-git-send-email-hamo.by@gmail.com>
In-Reply-To: <1426160036-1542-1-git-send-email-hamo.by@gmail.com>

On 03/12/2015 06:33 AM, Yang Bai wrote:
> if rtlpriv->use_new_trx_flow == true and we run out of memory
> to alloc a new skb, we will directly jump to no_new tag with
> buffer_desc == NULL. Then we will dereference this NULL pointer
> in function _rtl_pci_init_one_rxdesc.
>
> Signed-off-by: Yang Bai

Is the attached patch OK? I have tested it, but it is unlikely that I have hit
any memory failures, thus that part needs to be checked by eye.

Larry

From 74e20cf2bdb8312252363362495b9e517b3637d9 Mon Sep 17 00:00:00 2001
From: Yang Bai Date: Thu, 12 Mar 2015 11:56:40 -0500 Subject: [PATCH V2 4.0] rtlwifi: get buffer_desc before trying to alloc new skb If rtlpriv->use_new_trx_flow == true and we run out of memory to alloc a new skb, we will directly jump to no_new tag with buffer_desc == NULL. Then we will dereference this NULL pointer in function _rtl_pci_init_one_rxdesc. Signed-off-by: Yang Bai Signed-off-by: Larry Finger Cc: Stable [3.18+] --- V2 - Refactor to reduce the number of tests of use_new_trx_flow. drivers/net/wireless/rtlwifi/pci.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/rtlwifi/pci.c b/drivers/net/wireless/rtlwifi/pci.c index a62170e..7069778 100644 --- a/drivers/net/wireless/rtlwifi/pci.c +++ b/drivers/net/wireless/rtlwifi/pci.c @@ -801,7 +801,10 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) hw_queue); if (rx_remained_cnt == 0) return; - + buffer_desc = + &rtlpci->rx_ring[rxring_idx].buffer_desc + [rtlpci->rx_ring[rxring_idx].idx]; + pdesc = (struct rtl_rx_desc *)skb->data; } else { /* rx descriptor */ pdesc = &rtlpci->rx_ring[rxring_idx].desc[ rtlpci->rx_ring[rxring_idx].idx]; @@ -824,13 +827,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) new_skb = dev_alloc_skb(rtlpci->rxbuffersize); if (unlikely(!new_skb)) goto no_new; - if (rtlpriv->use_new_trx_flow) { - buffer_desc = - &rtlpci->rx_ring[rxring_idx].buffer_desc - [rtlpci->rx_ring[rxring_idx].idx]; - /*means rx wifi info*/ - pdesc = (struct rtl_rx_desc *)skb->data; - } memset(&rx_status , 0 , sizeof(rx_status)); rtlpriv->cfg->ops->query_rx_desc(hw, &stats, &rx_status, (u8 *)pdesc, skb); -- 2.1.4
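Review bot: In the first hunk (`@@ -801,7 +801,10 @@`) the `/*means rx wifi info*/` comment that explained the `pdesc = (struct rtl_rx_desc *)skb->data;` cast is not carried over, and the added assignments take the place of the blank line, so they now sit directly under the `return;` of the `rx_remained_cnt == 0` check. Keep a blank line after the early return and put a short comment on the `pdesc` line, matching the `/* rx descriptor */` comment on the else branch.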
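Review bot: The subject and commit message mention only buffer_desc, but the second hunk (`@@ -824,13 +827,6 @@`) also removes `pdesc = (struct rtl_rx_desc *)skb->data;` from after the `dev_alloc_skb()` check, so with the first hunk that read of `skb->data` now happens earlier in the loop than before. Say in the changelog that the pdesc move is intentional, and record that the `goto no_new` path was checked by inspection, since it is taken only when `dev_alloc_skb()` returns NULL and the cover note says that case was probably not exercised in testing.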