rtlwifi: rtl_pci: Fix kernel panic
authorLarry Finger <Larry.Finger@lwfinger.net>
Mon, 21 Dec 2015 23:05:08 +0000 (17:05 -0600)
committerKalle Valo <kvalo@codeaurora.org>
Wed, 30 Dec 2015 15:36:05 +0000 (17:36 +0200)
In commit 38506ecefab9 (rtlwifi: rtl_pci: Start modification for new
drivers), a bug was introduced that causes a NULL pointer dereference.
As this bug only affects the infrequently used RTL8192EE and only under
low-memory conditions, it has taken a long time for the bug to show up.

The bug was reported on the linux-wireless mailing list and also at
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as
bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10).

Fixes: 38506ecefab9 ("rtlwifi: rtl_pci: Start modification for new drivers")
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/realtek/rtlwifi/pci.c

index f46c9d7..7f471bf 100644 (file)
@@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
                                                                      hw_queue);
                        if (rx_remained_cnt == 0)
                                return;
-
+                       buffer_desc = &rtlpci->rx_ring[rxring_idx].buffer_desc[
+                               rtlpci->rx_ring[rxring_idx].idx];
+                       pdesc = (struct rtl_rx_desc *)skb->data;
                } else {        /* rx descriptor */
                        pdesc = &rtlpci->rx_ring[rxring_idx].desc[
                                rtlpci->rx_ring[rxring_idx].idx];
@@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
                new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
                if (unlikely(!new_skb))
                        goto no_new;
-               if (rtlpriv->use_new_trx_flow) {
-                       buffer_desc =
-                         &rtlpci->rx_ring[rxring_idx].buffer_desc
-                               [rtlpci->rx_ring[rxring_idx].idx];
-                       /*means rx wifi info*/
-                       pdesc = (struct rtl_rx_desc *)skb->data;
-               }
                memset(&rx_status , 0 , sizeof(rx_status));
                rtlpriv->cfg->ops->query_rx_desc(hw, &stats,
                                                 &rx_status, (u8 *)pdesc, skb);