
Bug#636531: linux-image-3.0.0-1-kirkwood: NULL pointer deref in rt2800usb_get_txwi



On 08/05/2011 11:17 AM, Arnaud Patard (Rtp) wrote:
> Marc Kleine-Budde <mkl@pengutronix.de> writes:
> 
> Hi,
> 
>>
>> [frogger@hardanger:linux-2.6]$ git show
>> b52398b6e4522176dd125722c72c301015d24520
>> commit b52398b6e4522176dd125722c72c301015d24520
>> Author: Stanislaw Gruszka <sgruszka@redhat.com>
>> Date:   Sat Jul 30 13:32:56 2011 +0200
>>
>>     rt2x00: rt2800: fix zeroing skb structure
>>
>>     We should clear skb->data not skb itself. Bug was introduced by:
>>     commit 0b8004aa12d13ec750d102ba4082a95f0107c649 "rt2x00: Properly
>>     reserve room for descriptors in skbs".
>>
>>     Cc: stable@kernel.org # 2.6.36+
>>     Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
>>     Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
>>     Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
>>     Signed-off-by: John W. Linville <linville@tuxdriver.com>
>>
> 
> I've done a quick build of 3.0 with this patch [1], can you please try
> it in order to check if the patch is fixing the issue ?

No - crashed with the same NULL pointer deref again:

[23069.387816] Unable to handle kernel NULL pointer dereference at virtual address 000000ac
[23069.396455] pgd = c0004000
[23069.399236] [000000ac] *pgd=00000000
[23069.402892] Internal error: Oops: 17 [#1]
[23069.406919] Modules linked in: nfsd nfs lockd fscache auth_rpcgss nfs_acl sunrpc bridge ipv6 stp ext2 arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 hmac cfg80211 rfkill sha1_generic mv_cesa aes_generic ext4 mbcache jbd2 mmc_block ehci_hcd mvsdio usbcore mmc_core mv643xx_eth libphy inet_lro
[23069.434536] CPU: 0    Not tainted  (3.0.0-1-kirkwood #1)
[23069.439881] PC is at rt2800usb_get_txwi+0x10/0x20 [rt2800usb]
[23069.445667] LR is at rt2800_txdone_entry+0x34/0xe0 [rt2800lib]
[23069.451525] pc : [<bf1c001c>]    lr : [<bf1b6344>]    psr: 80000013
[23069.451530] sp : def87f00  ip : 00000001  fp : 00000021
[23069.463066] r10: 00000006  r9 : 00000001  r8 : 0000003c
[23069.468317] r7 : 00000000  r6 : ded36fc0  r5 : 818221ed  r4 : df9f1018
[23069.474874] r3 : 00000000  r2 : 00000000  r1 : 818221ed  r0 : df9f1018
[23069.481432] Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[23069.488774] Control: 0005397f  Table: 1ec38000  DAC: 00000017
[23069.494547] Process kworker/u:1 (pid: 1508, stack limit = 0xdef86270)
[23069.501016] Stack: (0xdef87f00 to 0xdef88000)
[23069.505401] 7f00: 00000000 818221ed 00000000 ded36fc0 df9f1018 818221ed df93aeb4 bf1b64c8
[23069.513622] 7f20: c042c4c4 ded36fc0 ded36fc4 bf1c0d88 00000000 ded373c4 c040600c 00000012
[23069.521846] 7f40: df938a05 bf1c0d9c ded373c4 de4d0f60 df938a00 bf1c0d88 00000000 ded373c4
[23069.530069] 7f60: c040600c 00000012 df938a05 c005b9cc de4d0f60 de4d0f60 c0450034 c045003c
[23069.538292] 7f80: def86000 de4d0f70 c040600c 00000001 00000089 c005d634 de4d0f60 00000000
[23069.546514] 7fa0: a0000013 de8b5f10 de4d0f60 def87fd4 c005d454 00000000 00000000 00000000
[23069.554737] 7fc0: 00000000 c0060a9c c0030df4 00000000 de4d0f60 00000000 def87fd8 def87fd8
[23069.562960] 7fe0: 00000000 de8b5f10 c0060a18 c0030df4 00000013 c0030df4 00000000 00000000
[23069.571208] [<bf1c001c>] (rt2800usb_get_txwi+0x10/0x20 [rt2800usb]) from [<bf1b6344>] (rt2800_txdone_entry+0x34/0xe0 [rt2800lib])
[23069.582939] [<bf1b6344>] (rt2800_txdone_entry+0x34/0xe0 [rt2800lib]) from [<bf1b64c8>] (rt2800_txdone+0xd8/0x124 [rt2800lib])
[23069.594314] [<bf1b64c8>] (rt2800_txdone+0xd8/0x124 [rt2800lib]) from [<bf1c0d9c>] (rt2800usb_work_txdone+0x14/0x104 [rt2800usb])
[23069.605952] [<bf1c0d9c>] (rt2800usb_work_txdone+0x14/0x104 [rt2800usb]) from [<c005b9cc>] (process_one_work+0x248/0x3e4)
[23069.616880] [<c005b9cc>] (process_one_work+0x248/0x3e4) from [<c005d634>] (worker_thread+0x1e0/0x2fc)
[23069.626150] [<c005d634>] (worker_thread+0x1e0/0x2fc) from [<c0060a9c>] (kthread+0x84/0x8c)
[23069.634466] [<c0060a9c>] (kthread+0x84/0x8c) from [<c0030df4>] (kernel_thread_exit+0x0/0x8)
[23069.642861] Code: e5903008 e5933008 e3530010 e590300c (159300ac)

There was more than one patch addressing the rt2800 driver in the pull
request on netdev. I should have a look at all of them.

cheers, Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |
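As an added worked example (not part of this bug report or of the rt2x00 driver), the C below shows how to read the oops above mechanically: it takes the parenthesised word from the "Code:" line (the instruction at PC), decodes it as an ARM single-data-transfer with immediate offset, and computes the address it touched from the register dump. For 0x159300ac that gives ldrne r0, [r3, #172] with r3 = 0, so the access lands at 0x000000ac, exactly the fault address the kernel reported: a field at offset 0xac was read through a NULL pointer held in r3. The register values and the Code: line are copied from the dump above; the decoder covers only the LDR/STR immediate form (bits 27:26 = 01, I = 0), which is enough for this trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARM_NREGS 16

/* Fields of an ARM (A32) "single data transfer, immediate offset" instruction,
 * i.e. LDR/STR Rd, [Rn, #imm]: bits 27:26 == 01 and bit 25 (I) == 0. */
typedef struct {
    unsigned cond;    /* bits 31:28, condition code */
    unsigned pre;     /* bit 24, P: 1 = pre-indexed ([Rn, #imm]) */
    unsigned add;     /* bit 23, U: 1 = add offset, 0 = subtract */
    unsigned byte;    /* bit 22, B: 1 = byte access */
    unsigned load;    /* bit 20, L: 1 = LDR, 0 = STR */
    unsigned rn;      /* bits 19:16, base register */
    unsigned rd;      /* bits 15:12, destination/source register */
    unsigned imm12;   /* bits 11:0, unsigned immediate offset */
} ldr_str_imm;

static const char *const cond_names[16] = {
    "eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
    "hi", "ls", "ge", "lt", "gt", "le", "",   "nv" };

/* Returns 1 and fills *d if w is an LDR/STR with immediate offset, else 0. */
int decode_ldr_str_imm(uint32_t w, ldr_str_imm *d)
{
    if (((w >> 26) & 3u) != 1u || ((w >> 25) & 1u) != 0u)
        return 0;                         /* some other instruction class */
    d->cond  = (w >> 28) & 0xfu;
    d->pre   = (w >> 24) & 1u;
    d->add   = (w >> 23) & 1u;
    d->byte  = (w >> 22) & 1u;
    d->load  = (w >> 20) & 1u;
    d->rn    = (w >> 16) & 0xfu;
    d->rd    = (w >> 12) & 0xfu;
    d->imm12 = w & 0xfffu;
    return 1;
}

/* Address the instruction accessed; post-indexed forms (P=0) use Rn as-is. */
uint32_t effective_address(const ldr_str_imm *d, const uint32_t regs[ARM_NREGS])
{
    uint32_t base = regs[d->rn];
    if (!d->pre)
        return base;
    return d->add ? base + d->imm12 : base - d->imm12;
}

/* The "Code:" line lists instruction words in address order and puts the one
 * at PC in parentheses; return that word, or 0 if no parenthesised word exists. */
uint32_t faulting_word(const char *code_line)
{
    const char *p = strchr(code_line, '(');
    if (!p)
        return 0;
    return (uint32_t)strtoul(p + 1, NULL, 16);
}

/* 1 if the instruction at PC is a load/store whose computed address equals the
 * fault address the kernel printed, 0 otherwise; *out receives the decoding. */
int fault_explained(const char *code_line, const uint32_t regs[ARM_NREGS],
                    uint32_t fault_addr, ldr_str_imm *out)
{
    uint32_t w = faulting_word(code_line);
    if (!w || !decode_ldr_str_imm(w, out))
        return 0;
    return effective_address(out, regs) == fault_addr;
}

/* Constructed from the register dump in the oops above (r0-r10, fp, ip, sp, lr, pc). */
static const uint32_t oops_regs[ARM_NREGS] = {
    0xdf9f1018, 0x818221ed, 0x00000000, 0x00000000,   /* r0-r3  */
    0xdf9f1018, 0x818221ed, 0xded36fc0, 0x00000000,   /* r4-r7  */
    0x0000003c, 0x00000001, 0x00000006, 0x00000021,   /* r8-fp  */
    0x00000001, 0xdef87f00, 0xbf1b6344, 0xbf1c001c,   /* ip, sp, lr, pc */
};
static const char oops_code[] =
    "Code: e5903008 e5933008 e3530010 e590300c (159300ac)";
static const uint32_t oops_fault_addr = 0x000000ac;

int main(void)
{
    ldr_str_imm d = {0};
    int ok = fault_explained(oops_code, oops_regs, oops_fault_addr, &d);
    if (!ok) {
        puts("instruction at PC does not explain the fault address");
        return 1;
    }
    printf("%s%s r%u, [r%u, #%s%u]  ; r%u = 0x%08x -> 0x%08x, fault at 0x%08x\n",
           d.load ? "ldr" : "str", cond_names[d.cond], d.rd, d.rn,
           d.add ? "" : "-", d.imm12, d.rn, oops_regs[d.rn],
           effective_address(&d, oops_regs), oops_fault_addr);
    return 0;
}
```

The same check applied to the earlier words of the Code: line shows why the base is r3: e590300c loads r3 from [r0, #12] just before the faulting ldrne, so the NULL came from a pointer field at offset 12 of the object in r0. Whether that object is the queue entry and the field its skb is not something the dump alone proves; it has to be confirmed against the driver source for this kernel.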
