lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 21 Dec 2014 17:02:02 -0600
From:	Larry Finger <Larry.Finger@...inger.net>
To:	Eric Biggers <ebiggers3@...il.com>, linux-wireless@...r.kernel.org
CC:	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [BUG] rtl8192se: panic accessing unmapped memory in skb

On 12/21/2014 11:25 AM, Eric Biggers wrote:
> Hi,
>
> I have a RTL8192SE wireless card, attached via PCI.  Usually it works with no
> issues, but I recently had a kernel panic occur in the rtl8192se driver.  The
> kernel version is 3.18.  Based on my analysis of the panic dump, the panic was
> caused by a memory access violation in this block of code in
> rtl92se_rx_query_desc():
>
>          if (stats->decrypted) {
>                  hdr = (struct ieee80211_hdr *)(skb->data +
>                         stats->rx_drvinfo_size + stats->rx_bufshift);
>
>                  if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
>                          (ieee80211_has_protected(hdr->frame_control)))
>                          rx_status->flag &= ~RX_FLAG_DECRYPTED;
>                  else
>                          rx_status->flag |= RX_FLAG_DECRYPTED;
>          }
>
> Specifically, the violation occurred the first time hdr->frame_control was
> accessed, as part of _ieee80211_is_robust_mgmt_frame().
>
> The panic occurred when the system was under heavy filesystem load but seemingly
> is not easily reproducible.
>
> There was recently a NULL check that was removed from this exact place in the
> code, but it was certainly useless.  Instead, what's much more suspect to me is
> that inside _rtl_pci_rx_interrupt(), there is no error checking of the return
> value of _rtl_pci_init_one_rxdesc(), which might fail if the skb couldn't be
> allocated.  I am wondering if this could be causing the problem.

Your analysis is probably correct; however, I'm not sure what to do if the 
allocate of an skb fails. As the name says, this routine is entered through an 
interrupt, and I'm not sure what to do other than to exit.

The attached patch will implement the exit after logging an error. Please patch 
your system and report back.

How much RAM does your system have? That info might be useful in trying to 
reproduce the problem, which might indeed be difficult. Although pci.c was 
extensively reworked in the 3.17 => 3.18 transition, most of the changes were 
added to implement the changed descriptor structure for the RTL8192EE, and I do 
not remember any changes that would affect any of the other drivers. As a 
result, the current structure has been in place for some time, and this problem 
has not been reported before.

Larry


View attachment "rtlwifi_report_add_new_rxdesc_failure" of type "text/plain" (2181 bytes)

Powered by blists - more mailing lists