On 19 May 2015 at 07:52, Larry Finger <Larry.Finger@xxxxxxxxxxxx> wrote:
> OK, I will have to search further upstream to see how a faulty skb was
> provided.
>
> I have been testing r8712u on my x86_64 system with no difficulty.
>
> I checked the driver with Smatch and found a couple of array problems. These
> likely won't be the problem, but try the attached patches anyway.

I found one place that might be the cause of the fault. The recvbuf2recvframe
function has a line copying memory between the incoming pskb and a newly
allocated skb:

    pkt_copy = netdev_alloc_skb(padapter->pnetdev, alloc_sz);
    if (pkt_copy) {
        precvframe->u.hdr.pkt = pkt_copy;
        skb_reserve(pkt_copy, 4 - ((addr_t)(pkt_copy->data) % 4));
        skb_reserve(pkt_copy, shift_sz);
        memcpy(pkt_copy->data, pbuf, tmp_len);
        precvframe->u.hdr.rx_head = precvframe->u.hdr.rx_data =
            precvframe->u.hdr.rx_tail = pkt_copy->data;
        precvframe->u.hdr.rx_end = pkt_copy->data + alloc_sz;

I added a BUG_ON there in case the memcpy overflows
(BUG_ON((pkt_copy->end - pkt_copy->data) < tmp_len)) and it triggered. I'm not
sure why the overflow occurs though.

Haggai
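As an added illustration of the headroom arithmetic in the snippet above (this is a constructed user-space model, not code from the r8712u driver or from anyone in this thread), the following models the two skb_reserve() calls and the check Haggai's BUG_ON expresses. It assumes a flat buffer of alloc_sz bytes starting at the skb data pointer; the point it makes is that 4 - (data % 4) reserves 4 bytes, not 0, when data is already aligned, so alloc_sz has to carry up to 4 + shift_sz bytes of slack beyond tmp_len.

```c
/* Added example, not the r8712u driver's code: a user-space model of the
 * headroom arithmetic in the recvbuf2recvframe snippet above, to check
 * whether a memcpy of tmp_len bytes fits after the two skb_reserve() calls. */
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for the struct sk_buff fields the snippet touches. */
struct model_skb {
    uintptr_t data;   /* address of the first payload byte */
    uintptr_t end;    /* one past the last usable byte */
};

/* Mirrors skb_reserve(): advance data by len to create headroom. */
static void model_skb_reserve(struct model_skb *skb, size_t len)
{
    skb->data += len;
}

/* Apply the two reserves from the snippet and return the tailroom left for
 * the memcpy. Note that 4 - (data % 4) is 4, not 0, when data is already
 * 4-aligned, so the alignment reserve always costs between 1 and 4 bytes. */
size_t room_after_reserves(uintptr_t data_addr, size_t alloc_sz, size_t shift_sz)
{
    struct model_skb skb = { .data = data_addr, .end = data_addr + alloc_sz };

    model_skb_reserve(&skb, 4 - (skb.data % 4));
    model_skb_reserve(&skb, shift_sz);
    return skb.data < skb.end ? skb.end - skb.data : 0;
}

/* The condition Haggai's BUG_ON tests, as a boolean: does the copy fit? */
int copy_fits(uintptr_t data_addr, size_t alloc_sz, size_t shift_sz, size_t tmp_len)
{
    return tmp_len <= room_after_reserves(data_addr, alloc_sz, shift_sz);
}

/* Smallest alloc_sz for which copy_fits() holds at every data alignment:
 * worst-case alignment reserve (4) plus shift_sz plus the payload. */
size_t safe_alloc_sz(size_t shift_sz, size_t tmp_len)
{
    return 4 + shift_sz + tmp_len;
}
```

With a 4-aligned 1600-byte allocation, shift_sz of 2 and a 1596-byte payload, the copy does not fit (only 1594 bytes remain), while an allocation of 1602 bytes fits at every alignment.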