On 08/03/2011 10:29 PM, Marc Kleine-Budde wrote:
> Package: linux-2.6
> Version: 3.0.0-1
> Severity: critical
> Tags: upstream
> Justification: breaks the whole system
>
>
> Hello,
>
> I'm running a Ralink RT2870 USB Wireless NIC on a sheeva plug in
> accesspoint mode. The wireless network is bridged to the internal
> ethernet port. linux-image and ralink firmware should be latest and
> greatest.
>
> After some hours of operation the kernel oopses, see below.

[...]

> [35438.609781] Unable to handle kernel NULL pointer dereference at virtual
> address 000000ac
> [35438.619110] pgd = c0004000
> [35438.622930] [000000ac] *pgd=00000000
> [35438.626684] Internal error: Oops: 17 [#1]
> [35438.630707] Modules linked in: nfsd nfs lockd fscache auth_rpcgss nfs_acl
> sunrpc bridge ipv6 stp ext2 arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb
> rt2x00lib mac80211 hmac cfg80211 rfkill sha1_generic mv_cesa aes_generic ext4
> mbcache jbd2 mmc_block ehci_hcd usbcore mvsdio mmc_core mv643xx_eth libphy
> inet_lro
> [35438.658325] CPU: 0 Not tainted (3.0.0-1-kirkwood #1)
> [35438.663670] PC is at rt2800usb_get_txwi+0x10/0x20 [rt2800usb]
> [35438.669456] LR is at rt2800_txdone_entry+0x34/0xe0 [rt2800lib]
> [35438.675313] pc : [<bf1c001c>] lr : [<bf1b6348>] psr: 80000013
> [35438.675319] sp : dfa93f00 ip : 00000001 fp : 00000021
> [35438.686855] r10: 0000000a r9 : 00000001 r8 : 0000003c
> [35438.692106] r7 : 00000000 r6 : de8f8fc0 r5 : 808c21f5 r4 : dee613a8
> [35438.698663] r3 : 00000000 r2 : 00000000 r1 : 808c21f5 r0 : dee613a8
> [35438.705222] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment
> kernel
> [35438.712563] Control: 0005397f Table: 1f978000 DAC: 00000017
> [35438.718336] Process kworker/u:0 (pid: 1684, stack limit = 0xdfa92270)
> [35438.724806] Stack: (0xdfa93f00 to 0xdfa94000)
> [35438.729190] 3f00: 00000000 808c21f5 00000000 de8f8fc0 dee613a8 808c21f5
> de64e0b4 bf1b64cc
> [35438.737411] 3f20: c042c4c4 de8f8fc0 de8f8fc4 bf1c0d88 00000000 de8f93c4
> c040600c 00000012
> [35438.745635] 3f40: c108aa05 bf1c0d9c de8f93c4 df0a8920 c108aa00 bf1c0d88
> 00000000 de8f93c4
> [35438.753858] 3f60: c040600c 00000012 c108aa05 c005b9cc df0a8920 df0a8920
> c0450034 c045003c
> [35438.762081] 3f80: dfa92000 df0a8930 c040600c 00000001 00000089 c005d634
> df0a8920 00000000
> [35438.770303] 3fa0: a0000013 de4e3f10 df0a8920 dfa93fd4 c005d454 00000000
> 00000000 00000000
> [35438.778526] 3fc0: 00000000 c0060a9c c0030df4 00000000 df0a8920 00000000
> dfa93fd8 dfa93fd8
> [35438.786749] 3fe0: 00000000 de4e3f10 c0060a18 c0030df4 00000013 c0030df4
> 0000004c 000c0012
> [35438.794997] [<bf1c001c>] (rt2800usb_get_txwi+0x10/0x20 [rt2800usb]) from
> [<bf1b6348>] (rt2800_txdone_entry+0x34/0xe0 [rt2800lib])
> [35438.806729] [<bf1b6348>] (rt2800_txdone_entry+0x34/0xe0 [rt2800lib]) from
> [<bf1b64cc>] (rt2800_txdone+0xd8/0x124 [rt2800lib])
> [35438.818104] [<bf1b64cc>] (rt2800_txdone+0xd8/0x124 [rt2800lib]) from
> [<bf1c0d9c>] (rt2800usb_work_txdone+0x14/0x104 [rt2800usb])
> [35438.829740] [<bf1c0d9c>] (rt2800usb_work_txdone+0x14/0x104 [rt2800usb])
> from [<c005b9cc>] (process_one_work+0x248/0x3e4)
> [35438.840668] [<c005b9cc>] (process_one_work+0x248/0x3e4) from [<c005d634>]
> (worker_thread+0x1e0/0x2fc)
> [35438.849940] [<c005d634>] (worker_thread+0x1e0/0x2fc) from [<c0060a9c>]
> (kthread+0x84/0x8c)
> [35438.858254] [<c0060a9c>] (kthread+0x84/0x8c) from [<c0030df4>]
> (kernel_thread_exit+0x0/0x8)
> [35438.866651] Code: e5903008 e5933008 e3530010 e590300c (159300ac)
> [35438.873402] ---[ end trace 7d38928a6ea608ba ]---

This patch looks promising. It's currently going from the wireless
(git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git)
into David Miller's tree and finally into 3.1. It's scheduled for
stable (2.6.36+).

cheers, Marc

[frogger@hardanger:linux-2.6]$ git show b52398b6e4522176dd125722c72c301015d24520
commit b52398b6e4522176dd125722c72c301015d24520
Author: Stanislaw Gruszka <sgrus...@redhat.com>
Date:   Sat Jul 30 13:32:56 2011 +0200

    rt2x00: rt2800: fix zeroing skb structure

    We should clear skb->data not skb itself. Bug was introduced by:
    commit 0b8004aa12d13ec750d102ba4082a95f0107c649 "rt2x00: Properly
    reserve room for descriptors in skbs".

    Cc: sta...@kernel.org # 2.6.36+
    Signed-off-by: Stanislaw Gruszka <sgrus...@redhat.com>
    Acked-by: Gertjan van Wingerde <gwinge...@gmail.com>
    Acked-by: Ivo van Doorn <ivdo...@gmail.com>
    Signed-off-by: John W. Linville <linvi...@tuxdriver.com>

diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c index 75d2c6c..f94d669 100644 --- a/drivers/net/wireless/rt2x00/rt2800lib.c +++ b/drivers/net/wireless/rt2x00/rt2800lib.c @@ -703,8 +703,7 @@ void rt2800_write_beacon(struct queue_entry *entry, struct txentry_desc *txdesc) /* * Add space for the TXWI in front of the skb. */ - skb_push(entry->skb, TXWI_DESC_SIZE); - memset(entry->skb, 0, TXWI_DESC_SIZE); + memset(skb_push(entry->skb, TXWI_DESC_SIZE), 0, TXWI_DESC_SIZE); /* * Register descriptor details in skb frame descriptor. -- Pengutronix e.K. | Marc Kleine-Budde | Industrial Linux Solutions | Phone: +49-231-2826-924 | Vertretung West/Dortmund | Fax: +49-5121-206917-5555 | Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
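Review bot: The added line `memset(skb_push(entry->skb, TXWI_DESC_SIZE), 0, TXWI_DESC_SIZE);` in rt2800_write_beacon() buries a call with a side effect inside a memset argument, and the comment above it still only says "Add space for the TXWI in front of the skb" without mentioning that the new area is zeroed. Consider keeping the pointer returned by skb_push() in a local, for example `txwi = skb_push(entry->skb, TXWI_DESC_SIZE);` followed by `memset(txwi, 0, TXWI_DESC_SIZE);`, so it is obvious at a glance that the memset target is the newly pushed data area and not `entry->skb`, which is what the removed line passed. The commit message would also serve stable reviewers better if it named the visible symptom of the old code, since "clear skb->data not skb itself" does not say what overwriting the start of the skb structure leads to.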