
Bug#636531: linux-image-3.0.0-1-kirkwood: NULL pointer deref in rt2800usb_get_txwi



Hello,

On Fri, Aug 05, 2011 at 06:04:51PM +0200, Marc Kleine-Budde wrote:
> On 08/05/2011 11:17 AM, Arnaud Patard (Rtp) wrote:
> > Marc Kleine-Budde <mkl@pengutronix.de> writes:
> > I've done a quick build of 3.0 with this patch [1], can you please try
> > it in order to check if the patch is fixing the issue ?
> 
> No - crashed with the same NULL pointer deref again:
> 
> [23069.387816] Unable to handle kernel NULL pointer dereference at virtual address 000000ac
> [23069.396455] pgd = c0004000
> [23069.399236] [000000ac] *pgd=00000000
> [23069.402892] Internal error: Oops: 17 [#1]
> [23069.406919] Modules linked in: nfsd nfs lockd fscache auth_rpcgss nfs_acl sunrpc bridge ipv6 stp ext2 arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 hmac cfg80211 rfkill sha1_generic mv_cesa aes_generic ext4 mbcache jbd2 mmc_block ehci_hcd mvsdio usbcore mmc_core mv643xx_eth libphy inet_lro
> [23069.434536] CPU: 0    Not tainted  (3.0.0-1-kirkwood #1)
> [23069.439881] PC is at rt2800usb_get_txwi+0x10/0x20 [rt2800usb]
> [23069.445667] LR is at rt2800_txdone_entry+0x34/0xe0 [rt2800lib]
> [23069.451525] pc : [<bf1c001c>]    lr : [<bf1b6344>]    psr: 80000013
> [23069.451530] sp : def87f00  ip : 00000001  fp : 00000021
> [23069.463066] r10: 00000006  r9 : 00000001  r8 : 0000003c
> [23069.468317] r7 : 00000000  r6 : ded36fc0  r5 : 818221ed  r4 : df9f1018
> [23069.474874] r3 : 00000000  r2 : 00000000  r1 : 818221ed  r0 : df9f1018
Looking at the disassembly of rt2800usb_get_txwi in Arnaud's kernel:

	0000000c <rt2800usb_get_txwi>:
	   c:   e5903008        ldr     r3, [r0, #8]
	  10:   e5933008        ldr     r3, [r3, #8]
	  14:   e3530010        cmp     r3, #16
	  18:   e590300c        ldr     r3, [r0, #12]
	  1c:   159300ac        ldrne   r0, [r3, #172]  ; 0xac
	  20:   059300ac        ldreq   r0, [r3, #172]  ; 0xac
	  24:   12800004        addne   r0, r0, #4
	  28:   e12fff1e        bx      lr

This error means entry->skb is NULL in rt2800usb_get_txwi.

Maybe this gives a hint about the needed fix?

Best regards
Uwe

BTW, the compiler isn't very clever here. But introducing a helper variable for
entry->skb->data still doesn't make gcc save that instruction.

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
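A small triage helper, added here as an example and not part of the mail or of the rt2800usb driver: it parses the objdump lines quoted in the message (embedded as constructed input), goes to the instruction at function start + 0x10 (the "+0x10/0x20" in the Oops), checks that the load's immediate offset alone equals the fault address 000000ac (which is what makes a NULL base the only explanation, and matches "r3 : 00000000" in the register dump), and then walks back to the load that defined that base register. The helper knows nothing about the driver's struct layout; reading "arg0+12" as entry->skb is the mail's conclusion, not something the code derives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One parsed objdump line, e.g. "  1c: 159300ac ldrne r0, [r3, #172] ; 0xac" */
struct insn {
    uint32_t addr;       /* offset within the .text section */
    char mnemonic[16];
    char operands[64];   /* everything after the mnemonic, comment included */
};

/* Constructed input: the disassembly quoted in the mail, copied verbatim. */
static const char *disasm[] = {
    "   c:   e5903008        ldr     r3, [r0, #8]",
    "  10:   e5933008        ldr     r3, [r3, #8]",
    "  14:   e3530010        cmp     r3, #16",
    "  18:   e590300c        ldr     r3, [r0, #12]",
    "  1c:   159300ac        ldrne   r0, [r3, #172]  ; 0xac",
    "  20:   059300ac        ldreq   r0, [r3, #172]  ; 0xac",
    "  24:   12800004        addne   r0, r0, #4",
    "  28:   e12fff1e        bx      lr",
};
#define NINSN (sizeof disasm / sizeof disasm[0])
static const uint32_t func_start = 0xc;   /* "0000000c <rt2800usb_get_txwi>:" */

/* Result of the triage. */
struct fault_info {
    uint32_t pc;           /* address of the faulting instruction */
    unsigned base_reg;     /* base register of the faulting load */
    int member_off;        /* immediate offset added to that base */
    int base_loaded_from;  /* offset in r0 (first C argument) the base came from, -1 if unknown */
};

/* Parse "addr: encoding mnemonic operands"; returns 1 on success. */
static int parse_insn(const char *line, struct insn *out)
{
    unsigned addr, enc;
    char rest[128];

    if (sscanf(line, " %x: %x %127[^\n]", &addr, &enc, rest) != 3)
        return 0;
    out->addr = addr;
    out->operands[0] = '\0';
    return sscanf(rest, "%15s %63[^\n]", out->mnemonic, out->operands) >= 1;
}

/* Is this a load/store with a "[rN, #imm]" operand? Fills base and imm. */
static int parse_mem(const struct insn *in, unsigned *base, int *imm)
{
    const char *p = strchr(in->operands, '[');
    if (strncmp(in->mnemonic, "ldr", 3) && strncmp(in->mnemonic, "str", 3))
        return 0;
    return p && sscanf(p, "[r%u, #%d]", base, imm) == 2;
}

/* Returns 1 and fills fi if the instruction at func_start+pc_offset is a
 * memory access whose offset alone equals fault_addr (i.e. its base was NULL). */
int locate_fault(uint32_t pc_offset, uint32_t fault_addr, struct fault_info *fi)
{
    struct insn in[NINSN];
    size_t n = 0, i;
    unsigned base;
    int imm;

    for (i = 0; i < NINSN; i++)
        if (parse_insn(disasm[i], &in[n]))
            n++;

    for (i = 0; i < n; i++) {
        if (in[i].addr != func_start + pc_offset)
            continue;
        if (!parse_mem(&in[i], &base, &imm) || (uint32_t)imm != fault_addr)
            return 0;   /* not a load, or the base was not NULL */
        fi->pc = in[i].addr;
        fi->base_reg = base;
        fi->member_off = imm;
        fi->base_loaded_from = -1;
        /* Walk back to the last load that defined the base register. */
        while (i-- > 0) {
            unsigned dst, src;
            int soff;
            if (sscanf(in[i].operands, "r%u, [r%u, #%d]", &dst, &src, &soff) == 3
                && dst == base && !strncmp(in[i].mnemonic, "ldr", 3)) {
                if (src == 0)
                    fi->base_loaded_from = soff;
                break;
            }
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    struct fault_info fi;
    /* Values from the Oops: "PC is at rt2800usb_get_txwi+0x10", fault at 000000ac */
    if (!locate_fault(0x10, 0xac, &fi)) {
        puts("no NULL-base load at that PC");
        return 1;
    }
    printf("faulting insn at 0x%x: r%u + 0x%x; r%u was loaded from arg0+%d\n",
           fi.pc, fi.base_reg, (unsigned)fi.member_off, fi.base_reg, fi.base_loaded_from);
    return 0;
}
```

Run as-is it reports the load at 0x1c with base r3 and offset 0xac, and that r3 came from arg0+12, which is the second pointer member after the one at offset 8 the function dereferences first; a different fault address or a PC that lands on the cmp would make it report nothing, which is the check that keeps this kind of reasoning honest.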


