Date:   Mon, 11 Feb 2019 15:20:15 -0500
From:   Matthew Whitehead <tedheadster@...il.com>
To:     whiteheadm@....org, netdev@...r.kernel.org, davem@...emloft.net
Cc:     Matthew Whitehead <tedheadster@...il.com>
Subject: [PATCH] Revert: "p54: Use skb_peek_tail() instead of direct head pointer accesses"

Commit e3554197fc8fbb9656f62c18f9c9edd396394e16 causes a null pointer error.

kernel: p54pci 0000:07:00.0: enabling device (0000 -> 0002)
kernel: ieee80211 phy1: p54 detected a LM86 firmware
kernel: p54: rx_mtu reduced from 3240 to 2376
kernel: ieee80211 phy1: FW rev 2.13.1.0 - Softmac protocol 5.5
kernel: ieee80211 phy1: cryptographic accelerator WEP:YES, TKIP:YES, CCMP:YES
kernel: BUG: unable to handle kernel NULL pointer dereference at 00000000
kernel: *pde = 00000000
kernel: Oops: 0000 [#1] PREEMPT SMP
kernel: CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 4.19.0.bisect-14.#871
kernel: Hardware name: IBM 2378RVU/2378RVU, BIOS 1RETDKWW (3.16 ) 04/19/2005
kernel: Workqueue: events request_firmware_work_func
kernel: EIP: p54_tx_pending+0xff/0x128 [p54common]
kernel: Code: 8b 4d dc 89 7e 30 89 56 34 0f b6 53 56 01 d7 89 79 04 8b 96 a0 00 00 00 f6 42 01 80 75 0c 80 7a 28 00 75 06 89 bb d4 01 00 00 <8b> 10 89 46 04 89 16 89 30 8b 45 ec 89 72 04 8b 55 e8 ff 43 2c e8
kernel: EAX: 00000000 EBX: ec6a2d60 ECX: ed4de568 EDX: ed4de568
kernel: ESI: ec4e0980 EDI: 00020264 EBP: c0071eb8 ESP: c0071e94
kernel: DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010082
kernel: CR0: 80050033 CR2: 00000000 CR3: 2f715000 CR4: 00000690
kernel: Call Trace:
kernel:  p54_tx+0x1a/0x1d [p54common]
kernel:  p54_download_eeprom+0xa6/0xfb [p54common]
kernel:  p54_read_eeprom+0x5c/0x99 [p54common]
kernel:  p54p_firmware_step2+0x50/0xcd [p54pci]
kernel:  request_firmware_work_func+0x2a/0x51
kernel:  process_one_work+0x16b/0x28e
kernel:  worker_thread+0x180/0x222
kernel:  kthread+0xce/0xd0
kernel:  ? cancel_delayed_work+0x5e/0x5e
kernel:  ? kthread_create_worker_on_cpu+0x1c/0x1c
kernel:  ret_from_fork+0x19/0x24
kernel: Modules linked in: p54pci p54common crc_ccitt mac80211 ipw2200 libipw lib80211 cfg80211 uhci_hcd pcmcia ehci_pci yenta_socket ehci_hcd rfkill i2c_i801 pcmcia_rsrc e1000 usbcore i2c_core pcmcia_core lpc_ich usb_common mfd_core floppy autofs4
kernel: CR2: 0000000000000000
kernel: ---[ end trace ddc1a265fd4f4bc6 ]---
kernel: EIP: p54_tx_pending+0xff/0x128 [p54common]
kernel: Code: 8b 4d dc 89 7e 30 89 56 34 0f b6 53 56 01 d7 89 79 04 8b 96 a0 00 00 00 f6 42 01 80 75 0c 80 7a 28 00 75 06 89 bb d4 01 00 00 <8b> 10 89 46 04 89 16 89 30 8b 45 ec 89 72 04 8b 55 e8 ff 43 2c e8
kernel: EAX: 00000000 EBX: ec6a2d60 ECX: ed4de568 EDX: ed4de568
kernel: ESI: ec4e0980 EDI: 00020264 EBP: c0071eb8 ESP: c16252e8
kernel: DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010082
kernel: CR0: 80050033 CR2: 00000000 CR3: 2f715000 CR4: 00000690
kernel: note: kworker/0:0[5] exited with preempt_count 1

Reverting the patch fixes the problem.

Signed-off-by: Matthew Whitehead <tedheadster@...il.com>
---
 drivers/net/wireless/intersil/p54/txrx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intersil/p54/txrx.c b/drivers/net/wireless/intersil/p54/txrx.c
index 79078456..3a4214d 100644
--- a/drivers/net/wireless/intersil/p54/txrx.c
+++ b/drivers/net/wireless/intersil/p54/txrx.c
@@ -121,8 +121,8 @@ static int p54_assign_address(struct p54_common *priv, struct sk_buff *skb)
 	}
 	if (unlikely(!target_skb)) {
 		if (priv->rx_end - last_addr >= len) {
-			target_skb = skb_peek_tail(&priv->tx_queue);
-			if (target_skb) {
+			target_skb = priv->tx_queue.prev;
+			if (!skb_queue_empty(&priv->tx_queue)) {
 				info = IEEE80211_SKB_CB(target_skb);
 				range = (void *)info->rate_driver_data;
 				target_addr = range->end_addr;
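Review bot: the changelog should name the root cause rather than only the symptom, because the two variants in this hunk differ in exactly one case. With at least one entry in tx_queue both yield the last queued skb; on an empty queue skb_peek_tail() returns NULL, whereas priv->tx_queue.prev is the address of the struct sk_buff_head itself, a non-NULL pointer that the original code evidently tolerated as an insertion anchor. The oops quoted above (read from address 0 in p54_tx_pending, into which p54_assign_address is presumably inlined) is consistent with that NULL reaching the code that follows this hunk. Either state that in the commit message ("skb_peek_tail() returns NULL on an empty tx_queue and the insertion path below assumes a non-NULL anchor") or, instead of a wholesale revert, keep `target_skb = skb_peek_tail(&priv->tx_queue);` and handle the NULL case explicitly with a head insertion, which preserves the type-safety the reverted commit was after. Minor: the subject should use the conventional form `Revert "p54: Use skb_peek_tail() ..."` without the colon after Revert, so tooling and readers recognise it as a revert.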
-- 
1.8.3.1
