From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path:
Received: from mail-la0-f44.google.com ([209.85.215.44]:34168 "EHLO mail-la0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750858AbbESFAZ (ORCPT ); Tue, 19 May 2015 01:00:25 -0400
Received: by laat2 with SMTP id t2so5579870laa.1 for ; Mon, 18 May 2015 22:00:24 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <555AC172.4040507@lwfinger.net>
References: <55575AC8.2060301@lwfinger.net> <5557844B.4040108@lwfinger.net> <55586D8D.7040407@gmail.com> <555A05DC.8080704@lwfinger.net> <555AC172.4040507@lwfinger.net>
Date: Tue, 19 May 2015 08:00:24 +0300
Message-ID: (sfid-20150519_070030_425948_8AD9331A)
Subject: Re: kernel page fault in r8712u
From: Haggai Eran
To: Larry Finger
Cc: linux-wireless@vger.kernel.org
Content-Type: text/plain; charset=UTF-8
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

On 19 May 2015 at 07:52, Larry Finger wrote:
> OK, I will have to search further upstream to see how a faulty skb was
> provided.
>
> I have been testing r8712u on my x86_64 system with no difficulty.
>
> I checked the driver with Smatch and found a couple of array problems. These
> likely won't be the problem, but try the attached patches anyway.

I found one place that might be the cause for the fault. The recvbuf2recvframe
function has a line copying memory between the incoming pskb and a newly
allocated skb:

	pkt_copy = netdev_alloc_skb(padapter->pnetdev, alloc_sz);
	if (pkt_copy) {
		precvframe->u.hdr.pkt = pkt_copy;
		skb_reserve(pkt_copy, 4 - ((addr_t)(pkt_copy->data)
			    % 4));
		skb_reserve(pkt_copy, shift_sz);
		memcpy(pkt_copy->data, pbuf, tmp_len);
		precvframe->u.hdr.rx_head = precvframe->u.hdr.rx_data =
			precvframe->u.hdr.rx_tail = pkt_copy->data;
		precvframe->u.hdr.rx_end = pkt_copy->data + alloc_sz;

I added a BUG_ON there in case the memcpy overflows
(BUG_ON((pkt_copy->end - pkt_copy->data) < tmp_len)) and it triggered.
I'm not sure why the overflow occurs, though.

Haggai
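The check described in the message above, as an added example that is not code from the r8712u driver or from this thread: a small user-space C model of the skb_reserve bookkeeping in the quoted excerpt. struct model_skb, model_recv_copy and model_max_copy_len are names assumed here, and the 64-byte buffer is constructed input. The model replays the two reserves with the driver's own alignment expression and applies the same guard as the BUG_ON, which makes visible how much tailroom is left for the memcpy and therefore how large alloc_sz must be for a given tmp_len. It says nothing about how the driver actually computes alloc_sz, which is the open question in the thread.

```c
/* Added example: a user-space model of the skb bookkeeping in the
 * recvbuf2recvframe excerpt quoted above. Not code from the r8712u driver
 * or from the thread; struct model_skb is an assumed stand-in for
 * struct sk_buff that keeps only the fields the overflow check needs. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_skb {
    unsigned char *head;   /* start of the allocated buffer */
    unsigned char *data;   /* where memcpy() writes; advanced by reserve */
    unsigned char *end;    /* one past the last usable byte */
};

/* Stand-in for netdev_alloc_skb(): alloc_sz usable bytes, data at head. */
static int model_alloc_skb(struct model_skb *skb, size_t alloc_sz)
{
    skb->head = malloc(alloc_sz);
    if (!skb->head)
        return -1;
    skb->data = skb->head;
    skb->end = skb->head + alloc_sz;
    return 0;
}

/* Stand-in for skb_reserve(): consume headroom, which shrinks tailroom. */
static void model_skb_reserve(struct model_skb *skb, size_t len)
{
    skb->data += len;
}

/* Bytes available for memcpy() at skb->data. This is the quantity the
 * BUG_ON in the mail compares against tmp_len. */
static size_t model_tailroom(const struct model_skb *skb)
{
    return (size_t)(skb->end - skb->data);
}

/* Replay the two reserves from the excerpt and attempt the copy with the
 * same guard as the BUG_ON. Returns 1 if tmp_len fits, 0 if the copy would
 * overflow (the BUG_ON condition), -1 on allocation failure. */
static int model_recv_copy(size_t alloc_sz, size_t shift_sz,
                           const unsigned char *pbuf, size_t tmp_len)
{
    struct model_skb skb;
    int fits;

    if (model_alloc_skb(&skb, alloc_sz) < 0)
        return -1;

    /* Same expression as the driver: 4 - (addr % 4). When data is already
     * 4-byte aligned this reserves 4 bytes, not 0. */
    model_skb_reserve(&skb, 4 - ((uintptr_t)skb.data % 4));
    model_skb_reserve(&skb, shift_sz);

    fits = model_tailroom(&skb) >= tmp_len;
    if (fits)
        memcpy(skb.data, pbuf, tmp_len);   /* safe only because the guard held */

    free(skb.head);
    return fits;
}

/* Largest tmp_len that fits for every possible alignment of data: the
 * alignment reserve costs up to 4 bytes and shift_sz costs shift_sz more,
 * so alloc_sz must be at least tmp_len + 4 + shift_sz to be safe. */
static size_t model_max_copy_len(size_t alloc_sz, size_t shift_sz)
{
    if (alloc_sz < 4 + shift_sz)
        return 0;
    return alloc_sz - 4 - shift_sz;
}

int main(void)
{
    /* Constructed input: a 64-byte buffer, a 64-byte skb and a 2-byte shift. */
    unsigned char pbuf[64];
    size_t alloc_sz = 64, shift_sz = 2;
    size_t lens[] = { 56, 58, 60, 62, 64 };
    size_t i;

    memset(pbuf, 0xab, sizeof(pbuf));
    printf("alloc_sz=%zu shift_sz=%zu: always-safe tmp_len <= %zu\n",
           alloc_sz, shift_sz, model_max_copy_len(alloc_sz, shift_sz));
    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("tmp_len=%zu -> %s\n", lens[i],
               model_recv_copy(alloc_sz, shift_sz, pbuf, lens[i]) == 1
                   ? "fits" : "would overflow (BUG_ON fires)");
    return 0;
}
```

The point the model makes is that the two skb_reserve() calls move pkt_copy->data forward by between 1 and 4 bytes plus shift_sz, so the room left for the memcpy is alloc_sz minus that amount, not alloc_sz itself; whether the driver's alloc_sz already accounts for this is exactly what needs checking upstream of the quoted lines.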