Commit 78899f82 authored by Larry Finger's avatar Larry Finger Committed by Greg Kroah-Hartman

rtlwifi: rtl_pci: Fix kernel panic

commit f99551a2 upstream.

In commit 38506ece (rtlwifi: rtl_pci: Start modification for new
drivers), a bug was introduced that causes a NULL pointer dereference.
As this bug only affects the infrequently used RTL8192EE and only under
low-memory conditions, it has taken a long time for the bug to show up.

The bug was reported on the linux-wireless mailing list and also at
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as
bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10).

Fixes: 38506ece ("rtlwifi: rtl_pci: Start modification for new drivers")
Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 6d88b00e
...@@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) ...@@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
hw_queue); hw_queue);
if (rx_remained_cnt == 0) if (rx_remained_cnt == 0)
return; return;
buffer_desc = &rtlpci->rx_ring[rxring_idx].buffer_desc[
rtlpci->rx_ring[rxring_idx].idx];
pdesc = (struct rtl_rx_desc *)skb->data;
} else { /* rx descriptor */ } else { /* rx descriptor */
pdesc = &rtlpci->rx_ring[rxring_idx].desc[ pdesc = &rtlpci->rx_ring[rxring_idx].desc[
rtlpci->rx_ring[rxring_idx].idx]; rtlpci->rx_ring[rxring_idx].idx];
...@@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw) ...@@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
new_skb = dev_alloc_skb(rtlpci->rxbuffersize); new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
if (unlikely(!new_skb)) if (unlikely(!new_skb))
goto no_new; goto no_new;
if (rtlpriv->use_new_trx_flow) {
buffer_desc =
&rtlpci->rx_ring[rxring_idx].buffer_desc
[rtlpci->rx_ring[rxring_idx].idx];
/*means rx wifi info*/
pdesc = (struct rtl_rx_desc *)skb->data;
}
memset(&rx_status , 0 , sizeof(rx_status)); memset(&rx_status , 0 , sizeof(rx_status));
rtlpriv->cfg->ops->query_rx_desc(hw, &stats, rtlpriv->cfg->ops->query_rx_desc(hw, &stats,
&rx_status, (u8 *)pdesc, skb); &rx_status, (u8 *)pdesc, skb);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment