448261 – wireless-pending patch does not consider NULL pointer in rtl8180_max2820.c

Bug 448261 - wireless-pending patch does not consider NULL pointer in rtl8180_max2820.c

Summary: wireless-pending patch does not consider NULL pointer in rtl8180_max2820.c

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	9
Hardware:	i686
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	John W. Linville
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-25 05:23 UTC by Colin Lai
Modified:	2008-07-09 19:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:	kernel-2.6.25.4-39 .fc9
Clone Of:
Environment:
Last Closed:	2008-07-09 19:14:10 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
0001-rtl8180-avoid-NULL-dereference-in-max2820_rf_set_ch.patch (1.44 KB, patch) 2008-05-27 21:07 UTC, John W. Linville	no flags	Details \| Diff
View All

Description Colin Lai 2008-05-25 05:23:30 UTC

Description of problem:
Following code copy from linux-2.6-wireless-pending.patch in
kernel-2.6.25.3-18.fc9.src.rpm
------------------
        struct rtl8180_priv *priv = dev->priv;
-       unsigned int chan_idx = conf ? conf->channel - 1 : 0;
-       u32 txpw = priv->channels[chan_idx].val & 0xFF;
+       int channel = ieee80211_frequency_to_channel(conf->channel->center_freq);
+       unsigned int chan_idx = channel - 1;
+       u32 txpw = priv->channels[chan_idx].hw_value & 0xFF;
        u32 chan = max2820_chan[chan_idx];
------------------

In the original code, conf pointer is considered to be NULL. And in function
max2820_rf_init(), there is "max2820_rf_set_channel(dev, NULL)" code.
In the patched code, conf pointer is not considered to be NULL. 

patch to linux-2.6-wireless-pending.patch should be something like:
------------------
-       int channel = ieee80211_frequency_to_channel(conf->channel->center_freq);
+       int channel = conf ? ( conf->channel ?
ieee80211_frequency_to_channel(conf->channel->center_freq) : 1) : 1;
------------------

Version-Release number of selected component (if applicable):


How reproducible:
Everytime I turn up LINKSYS WPC11 ver.4 Cardbus card in Fedora 8/9 , it dumps.

Steps to Reproduce:
1. Insert wireless cardbus card LINKSYS WPC11 ver.4 (rtl8180+max2820) in slot
2. ifconfig wlanX up (wlanX is the interface of LINKSYS WPC11 ver.4)
3. kernel dump trace at once
  
Actual results:
kernel dump trace. ifconfig wlanX down does not work. System can not shutdown.

Expected results:
wlan card works without kernel dump.

Additional info:
When rtl8180 card with max2820 rf up, kernel will dump:
-------------------
BUG: unable to handle kernel NULL pointer dereference at 00000018
IP: [<e0a825bf>] :rtl8180:max2820_rf_set_channel+0xb/0x7b
*pde = 1ac0f067 *pte = 00000000
Oops: 0000 [#1] SMP
Modules linked in: arc4 ecb crypto_blkcipher rtl8180 mac80211 eeprom_93cx6
cfg80211 ipv6 ipt_REJECT xt_tcpudp nf_conntrack_ipv4 xt_state nf_conntrack
iptable_filter ip_tables x_tables dm_mirror dm_mod ppdev snd_intel8x0
snd_usb_audio snd_usb_lib snd_rawmidi snd_hwdep dcdbas parport_pc snd_seq_dummy
parport floppy snd_intel8x0m pcspkr snd_ac97_codec ac97_bus snd_seq_oss
snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm
snd_timer joydev snd i2c_i801 soundcore snd_page_alloc i2c_core 3c59x mii
battery sg video ac output button iTCO_wdt iTCO_vendor_support sr_mod cdrom
ata_piix pata_acpi ata_generic libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd
ohci_hcd ehci_hcd [last unloaded: scsi_wait_scan]

Pid: 2302, comm: ifconfig Not tainted (2.6.25.3-18.fc9.i686.debug #1)
EIP: 0060:[<e0a825bf>] EFLAGS: 00010246 CPU: 0
EIP is at max2820_rf_set_channel+0xb/0x7b [rtl8180]
EAX: dac282c0 EBX: dac282c0 ECX: 00000000 EDX: 00000000
ESI: dac29260 EDI: c009c200 EBP: defc8e28 ESP: defc8e1c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process ifconfig (pid: 2302, ti=defc8000 task=dac3a000 task.ti=defc8000)
Stack: dac29260 dac282c0 c009c200 defc8e38 e0a82696 dac29260 dac293e0 defc8e64
       e0a7ff41 dac282c0 dac29260 00000004 c009c000 dac29260 0009c000 dac28c20
       dac282c0 dac30580 defc8ea8 e0b1e6fc 00000000 dac30000 dac3013c dac28c20

Call Trace:
 [<e0a82696>] ? max2820_rf_init+0x41/0x15f [rtl8180]
 [<e0a7ff41>] ? rtl8180_start+0x48f/0x716 [rtl8180]
 [<e0b1e6fc>] ? ieee80211_open+0x237/0x458 [mac80211]
 [<c05d17bc>] ? dev_open+0x46/0x7e
 [<c05d1342>] ? dev_change_flags+0x9a/0x14d
 [<c060ee7c>] ? devinet_ioctl+0x218/0x52c
 [<c060fcdc>] ? inet_ioctl+0x8c/0xa8
 [<c05c5871>] ? sock_ioctl+0x1b8/0x1da
 [<c05c56b9>] ? sock_ioctl+0x0/0x1da
 [<c0496606>] ? vfs_ioctl+0x22/0x69
 [<c0496886>] ? do_vfs_ioctl+0x239/0x24c
 [<c04968d9>] ? sys_ioctl+0x40/0x5b
 [<c0405c2e>] ? syscall_call+0x7/0xb
 =======================
Code: ff 00 00 00 c1 e0 08 8b 12 01 c8 83 ea 80 e8 91 16 a8 df b8 01 00 00 00 e8
94 fa 9a df 5b 5d c3 55 89 e5 57 56 53 89 c3 8b 70 44 <8b> 42 18 0f b7 40 04 e8
2b 62 00 00 ba 03 00 00 00 8b 3c 85 08
EIP: [<e0a825bf>] max2820_rf_set_channel+0xb/0x7b [rtl8180] SS:ESP 0068:defc8e1c
---[ end trace af049780c8863622 ]---

Comment 1 John W. Linville 2008-05-27 21:07:23 UTC

Created attachment 306841 [details]
0001-rtl8180-avoid-NULL-dereference-in-max2820_rf_set_ch.patch

I think this version will be sufficient -- if the mac80211 code is passing
NULLs then we want to know about it, and the void return would give us no other
indication.

Do you find this agreeable?

Comment 2 Colin Lai 2008-05-28 00:50:31 UTC

I Agree with you. Your patch is sufficient.
btw. I use Firefox 2.0.0.14, I have to manual select two button below or there
is an bugzilla bug error - - .

Note You need to log in before you can comment on or make changes to this bug.