From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Christian Lamparter <chunkeey@gmail.com>, Kalle Valo <kvalo@codeaurora.org> Subject: [PATCH 5.2 34/61] p54: fix crash during initialization Date: Fri, 12 Jul 2019 14:19:47 +0200 [thread overview] Message-ID: <20190712121622.438830740@linuxfoundation.org> (raw) In-Reply-To: <20190712121620.632595223@linuxfoundation.org> From: Christian Lamparter <chunkeey@gmail.com> commit 1645ab931998b39aed5761f095956f0b10a6362f upstream. This patch fixes a crash that got introduced when the mentioned patch replaced the direct list_head access with skb_peek_tail(). When the device is starting up, there are no entries in the queue, so previously to "Use skb_peek_tail() instead..." the target_skb would end up as the tail and head pointer which then could be used by __skb_queue_after to fill the empty queue. With skb_peek_tail() in its place will instead just return NULL which then causes a crash in the __skb_queue_after(). | BUG: unable to handle kernel NULL pointer dereference at 000000 | #PF error: [normal kernel read fault] | PGD 0 P4D 0 | Oops: 0000 [#1] SMP PTI | CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO 5.1.0-rc7-wt+ #218 | Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015 | Workqueue: events request_firmware_work_func | RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common] | Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4 | RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086 | RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264 | RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000 | RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660 | R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700 | R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048 | FS: 0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0 | Call Trace: | p54_download_eeprom+0xbe/0x120 [p54common] | p54_read_eeprom+0x7f/0xc0 [p54common] | p54u_load_firmware_cb+0xe0/0x160 [p54usb] | request_firmware_work_func+0x42/0x80 | process_one_work+0x1f5/0x3f0 | worker_thread+0x28/0x3c0 Cc: stable@vger.kernel.org Fixes: e3554197fc8f ("p54: Use skb_peek_tail() instead of direct head pointer accesses.") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/net/wireless/intersil/p54/txrx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/net/wireless/intersil/p54/txrx.c +++ b/drivers/net/wireless/intersil/p54/txrx.c @@ -139,7 +139,10 @@ static int p54_assign_address(struct p54 unlikely(GET_HW_QUEUE(skb) == P54_QUEUE_BEACON)) priv->beacon_req_id = data->req_id; - __skb_queue_after(&priv->tx_queue, target_skb, skb); + if (target_skb) + __skb_queue_after(&priv->tx_queue, target_skb, skb); + else + __skb_queue_head(&priv->tx_queue, skb); spin_unlock_irqrestore(&priv->tx_queue.lock, flags); return 0; }
next prev parent reply other threads:[~2019-07-12 12:36 UTC|newest] Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-07-12 12:19 [PATCH 5.2 00/61] 5.2.1-stable review Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 01/61] crypto: talitos - fix hash on SEC1 Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 02/61] crypto: lrw - use correct alignmask Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 03/61] crypto: talitos - rename alternative AEAD algos Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 04/61] fscrypt: dont set policy for a dead directory Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 05/61] udf: Fix incorrect final NOT_ALLOCATED (hole) extent length Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 06/61] media: stv0297: fix frequency range limit Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 07/61] ALSA: usb-audio: Fix parse of UAC2 Extension Units Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 08/61] ALSA: hda/realtek - Headphone Mic cant record after S3 Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 09/61] tpm: Actually fail on TPM errors during "get random" Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 10/61] tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM operations Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 11/61] block: fix .bi_size overflow Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 12/61] block, bfq: NULL out the bic when its no longer valid Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 13/61] perf intel-pt: Fix itrace defaults for perf script Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 14/61] perf auxtrace: " Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 15/61] perf intel-pt: Fix itrace defaults for perf script intel-pt documentation Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 16/61] perf pmu: Fix uncore PMU alias list for ARM64 Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 17/61] perf thread-stack: Fix thread stack return from kernel for kernel-only case Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 18/61] perf header: Assign proper ff->ph in perf_event__synthesize_features() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 19/61] x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 20/61] x86/tls: Fix possible spectre-v1 in do_get_thread_area() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 21/61] Documentation: Add section about CPU vulnerabilities for Spectre Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 22/61] Documentation/admin: Remove the vsyscall=native documentation Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 23/61] mwifiex: Dont abort on small, spec-compliant vendor IEs Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 24/61] USB: serial: ftdi_sio: add ID for isodebug v1 Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 25/61] USB: serial: option: add support for GosunCn ME3630 RNDIS mode Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 26/61] Revert "serial: 8250: Dont service RX FIFO if interrupts are disabled" Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 27/61] p54usb: Fix race between disconnect and firmware loading Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 28/61] usb: gadget: f_fs: data_len used before properly set Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 29/61] usb: gadget: ether: Fix race between gether_disconnect and rx_submit Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 30/61] usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 31/61] usb: renesas_usbhs: add a workaround for a race condition of workqueue Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 32/61] drivers/usb/typec/tps6598x.c: fix portinfo width Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 33/61] drivers/usb/typec/tps6598x.c: fix 4CC cmd write Greg Kroah-Hartman 2019-07-12 12:19 ` Greg Kroah-Hartman [this message] 2019-07-12 12:19 ` [PATCH 5.2 35/61] staging: comedi: dt282x: fix a null pointer deref on interrupt Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 36/61] staging: wilc1000: fix error path cleanup in wilc_wlan_initialize() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 37/61] staging: bcm2835-camera: Restore return behavior of ctrl_set_bitrate() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 38/61] staging: comedi: amplc_pci230: fix null pointer deref on interrupt Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 39/61] staging: mt7621-pci: fix PCIE_FTS_NUM_LO macro Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 40/61] HID: Add another Primax PIXART OEM mouse quirk Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 41/61] lkdtm: support llvm-objcopy Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 42/61] binder: fix memory leak in error path Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 43/61] binder: return errors from buffer copy functions Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 44/61] iio: adc: stm32-adc: add missing vdda-supply Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 45/61] coresight: Potential uninitialized variable in probe() Greg Kroah-Hartman 2019-07-12 12:19 ` [PATCH 5.2 46/61] coresight: etb10: Do not call smp_processor_id from preemptible Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 47/61] coresight: tmc-etr: Do not call smp_processor_id() " Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 48/61] coresight: tmc-etr: alloc_perf_buf: Do not call smp_processor_id " Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 49/61] coresight: tmc-etf: " Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 50/61] carl9170: fix misuse of device driver API Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 51/61] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 52/61] VMCI: Fix integer overflow in VMCI handle arrays Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 53/61] staging: vchiq_2835_arm: revert "quit using custom down_interruptible()" Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 54/61] staging: vchiq: make wait events interruptible Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 55/61] staging: vchiq: revert "switch to wait_for_completion_killable" Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 56/61] staging: fsl-dpaa2/ethsw: fix memory leak of switchdev_work Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 57/61] staging: bcm2835-camera: Replace spinlock protecting context_map with mutex Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 58/61] staging: bcm2835-camera: Ensure all buffers are returned on disable Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 59/61] staging: bcm2835-camera: Remove check of the number of buffers supplied Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 60/61] staging: bcm2835-camera: Handle empty EOS buffers whilst streaming Greg Kroah-Hartman 2019-07-12 12:20 ` [PATCH 5.2 61/61] staging: rtl8712: reduce stack usage, again Greg Kroah-Hartman 2019-07-12 13:36 ` [PATCH 5.2 00/61] 5.2.1-stable review Jon Hunter 2019-07-12 15:31 ` Greg Kroah-Hartman 2019-07-12 16:10 ` Jon Hunter 2019-07-12 16:51 ` Greg Kroah-Hartman 2019-07-12 17:00 ` Major Hayden 2019-07-12 17:17 ` Dan Rue 2019-07-12 22:07 ` shuah 2019-07-13 8:23 ` Greg Kroah-Hartman 2019-07-13 3:04 ` Naresh Kamboju 2019-07-13 14:32 ` Greg Kroah-Hartman 2019-07-13 10:15 ` Shreeya Patel 2019-07-13 15:21 ` Greg Kroah-Hartman 2019-07-13 20:37 ` Luke Nowakowski-Krijger 2019-07-14 6:02 ` Greg Kroah-Hartman 2019-07-13 22:04 ` Guenter Roeck 2019-07-14 6:02 ` Greg Kroah-Hartman 2019-07-14 5:35 ` Kelsey Skunberg 2019-07-14 6:02 ` Greg Kroah-Hartman
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190712121622.438830740@linuxfoundation.org \ --to=gregkh@linuxfoundation.org \ --cc=chunkeey@gmail.com \ --cc=kvalo@codeaurora.org \ --cc=linux-kernel@vger.kernel.org \ --cc=stable@vger.kernel.org \ --subject='Re: [PATCH 5.2 34/61] p54: fix crash during initialization' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).