Search Linux Wireless

RE: ath6kl: null pointer dereference in do_recv_completion

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Julien/Kalle,

Did you find this issue in AR6004 USB ?
It could be a kind of race condition . since ep_cb.rx callback
should be initialized in the driver's init time itself.
Probably we are gettting recv_complete called even before
ath6kl_init_service_ep is called , which registers the ep_cb.rx callback.

ath6kl_hif_power_on ->ath6kl_usb_post_recv_transfers
which registers usb_fill_bulk_urb (ath6kl_usb_recv_complete)
and later ath6kl_init_service_ep.

Probably we should have a flag to check to by pass 
ath6kl_usb_recv_complete until init_service_ep is done ?

any thoughts ?

regards,
shafi
________________________________________
From: Julien Massot [jmassot@xxxxxxxxxxxxxxxxxxxxxx]
Sent: 19 March 2013 18:12:38
To: ath6kl-devel
Cc: linux-wireless@xxxxxxxxxxxxxxx
Subject: ath6kl: null pointer dereference in do_recv_completion

Hi,
I just found a segfault in the ath6kl driver.

I succeed in triggering it when I'm doing scp on a slow storage. ( ~
1Mbit/s slow SDIO bus)
I doesn't succeed in reproducing it using iperf, which gives slightly
better throughput (100 Mbit/s tcp).

I'm using a preempt rt Linux 2.6.33 + wireless compat-3.6.6-1.

[ 2937.469910] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2937.470826] IP: [<(null)>] (null)
[ 2937.470826] *pde = 00000000
[ 2937.470826] Oops: 0000 [#1] PREEMPT SMP
[ 2937.470826] last sysfs file: /sys/devices/platform/regulatory.0/uevent
[ 2937.470826] Modules linked in: cdc_acm bridge stp rfcomm l2cap
bluetooth cgosdrv ov5640 ath6kl_usb ath6kl_core snd_hda_codec_analog
cfg80211 mmc_block mt9m114 unicorn(C) v4l2_common videodev
snd_hda_intel v4l1_compat snd_hda_codec videobuf_dma_contig sdhci_pci
compat videobuf_core i2c_isch snd_hwdep serio_raw sdhci [last
unloaded: i2c_serial]
[ 2937.470826]
[ 2937.470826] Pid: 1841, comm: events/0 Tainted: G         C
2.6.33.9-rt31-aldebaran-rt #1 /
[ 2937.470826] EIP: 0060:[<00000000>] EFLAGS: 00010293 CPU: 0
[ 2937.470826] EIP is at 0x0
[ 2937.470826] EAX: f3068000 EBX: f5a3bf2c ECX: f5a3bf2c EDX: f30502c0
[ 2937.470826] ESI: f30687c0 EDI: f30502c0 EBP: f5a3bef4 ESP: f5a3bee8
[ 2937.470826]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 preempt:00000000
[ 2937.470826] Process events/0 (pid: 1841, ti=f5a3a000 task=f512a4b0
task.ti=f5a3a000)
[ 2937.470826] Stack:
[ 2937.470826]  f8d05215 f3992020 f3068000 f5a3bf40 f8d05f11 c1024e18
00000002 f5dc3c40
[ 2937.470826] <0> f5dc3c40 00000246 08a3bf24 0000064a 008d2424
f55f2418 00000000 f30688f8
[ 2937.470826] <0> f5c8de00 f5a3bf2c f5a3bf2c f8d13838 f55f2000
f55f2418 f5a3bf4c f8d131d0
[ 2937.470826] Call Trace:
[ 2937.470826]  [<f8d05215>] ? do_recv_completion+0x2f/0x39 [ath6kl_core]
[ 2937.470826]  [<f8d05f11>] ? ath6kl_htc_pipe_rx_complete+0x2cc/0x31a
[ath6kl_core]
[ 2937.470826]  [<c1024e18>] ? finish_task_switch+0x51/0x67
[ 2937.470826]  [<f8d131d0>] ? ath6kl_core_rx_complete+0xd/0x10 [ath6kl_core]
[ 2937.470826]  [<f8d933a9>] ? ath6kl_usb_io_comp_work+0x2d/0x3f [ath6kl_usb]
[ 2937.470826]  [<c103da3b>] ? worker_thread+0x105/0x17c
[ 2937.470826]  [<f8d9337c>] ? ath6kl_usb_io_comp_work+0x0/0x3f [ath6kl_usb]
[ 2937.470826]  [<c104096d>] ? autoremove_wake_function+0x0/0x2f
[ 2937.470826]  [<c103d936>] ? worker_thread+0x0/0x17c
[ 2937.470826]  [<c104069b>] ? kthread+0x5f/0x64
[ 2937.470826]  [<c104063c>] ? kthread+0x0/0x64
[ 2937.470826]  [<c1002db6>] ? kernel_thread_helper+0x6/0x10
[ 2937.470826] Code:  Bad EIP value.
[ 2937.470826] EIP: [<00000000>] 0x0 SS:ESP 0068:f5a3bee8
[ 2937.470826] CR2: 0000000000000000
[ 2937.681695] hda-intel: IRQ timing workaround is activated for card
#0. Suggest a bigger bdl_pos_adj.
[ 2937.684124] ---[ end trace 65e5f4c37e647fa3 ]---

http://pastebin.com/KEGQRjzu
http://pastebin.com/cngx9q1e
http://pastebin.com/GfCdJDUt

 I found that in the file htc_pipe.c line 940 in function do_recv_completion
the ep->ep_cb.rx function pointer is null.

On Kalle's request, I add a debug line when the bug occurs.

 ath6kl_dbg(ATH6KL_DBG_HTC,
                        "SVC Ready: 0x%4.4X: ULpipe:%d DLpipe:%d id:%d\n",
                        ep->svc_id, ep->pipe.pipeid_ul,
                        ep->pipe.pipeid_dl, ep->eid);

and the log when the bugs occurs:
SVC Ready: 0x0000: ULpipe:0 DLpipe:0 id:6

So I add a check for null pointer, the communication no longer hang.

here is the patch:

>From 9565f0ab6aa5e739c8ceac6eef9e19b6dba71a07 Mon Sep 17 00:00:00 2001
From: Julien Massot <jmassot@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Mar 2013 17:32:26 +0100
Subject: [PATCH] ath6kl: check for null rx hanldler of htc_ep_callbacks struct

---
 drivers/net/wireless/ath/ath6kl/htc_pipe.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/htc_pipe.c
b/drivers/net/wireless/ath/ath6kl/htc_pipe.c
index 9adb567..969eb2a 100644
--- a/drivers/net/wireless/ath/ath6kl/htc_pipe.c
+++ b/drivers/net/wireless/ath/ath6kl/htc_pipe.c
@@ -937,6 +937,10 @@ static void do_recv_completion(struct htc_endpoint *ep,
                packet = list_first_entry(queue_to_indicate,
                                          struct htc_packet, list);
                list_del(&packet->list);
+                if (ep->ep_cb.rx == NULL) {
+                  ath6kl_warn("ep->ep_cb.rx is null .. continue ..\n");
+                  continue;
+                }
                ep->ep_cb.rx(ep->target, packet);
        }

--

Best Regards

Julien
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux