KS8851: NULL pointer dereference if list is empty

Message ID	k2ocb8016981004161748s1a91f926x3c29b3fbd45ad46c@mail.gmail.com
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=KVOhQ5LS7X4MVSe1tWXkKkJ80dDwcBKdz9MwutyMu1RdeI7nAcHvMwab4NMGap7ISU g5OWZMaVReZ48r5EAk97yH/CBdExgjEy4omllOcAiA2tzEBGjBWol6F2+kcXQAZt5qX2 FD7eEEbBxtCdEgxsom+50iDtDP/CTviGCbjt4= MIME-Version: 1.0 Date: Fri, 16 Apr 2010 19:48:43 -0500 Message-ID: <k2ocb8016981004161748s1a91f926x3c29b3fbd45ad46c@mail.gmail.com> Subject: [PATCH] KS8851: NULL pointer dereference if list is empty From: Abraham Arce <abraham.arce.moreno@gmail.com> To: netdev@vger.kernel.org Content-Type: text/plain; charset=ISO-8859-1 Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

k2ocb8016981004161748s1a91f926x3c29b3fbd45ad46c@mail.gmail.com

State

Accepted, archived

Delegated to:

David Miller

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:date:message-id:subject:from:to:content-type;
	b=KVOhQ5LS7X4MVSe1tWXkKkJ80dDwcBKdz9MwutyMu1RdeI7nAcHvMwab4NMGap7ISU
	g5OWZMaVReZ48r5EAk97yH/CBdExgjEy4omllOcAiA2tzEBGjBWol6F2+kcXQAZt5qX2
	FD7eEEbBxtCdEgxsom+50iDtDP/CTviGCbjt4=
MIME-Version: 1.0
Date: Fri, 16 Apr 2010 19:48:43 -0500
Message-ID: <k2ocb8016981004161748s1a91f926x3c29b3fbd45ad46c@mail.gmail.com>
Subject: [PATCH] KS8851: NULL pointer dereference if list is empty
From: Abraham Arce <abraham.arce.moreno@gmail.com>
To: netdev@vger.kernel.org
Content-Type: text/plain; charset=ISO-8859-1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Abraham Arce April 17, 2010, 12:48 a.m. UTC

Fix NULL pointer dereference in ks8851_tx_work by checking if dequeued
list is already empty before writing the packet to TX FIFO

 Unable to handle kernel NULL pointer dereference at virtual address 00000050
 PC is at ks8851_tx_work+0xdc/0x1b0
 LR is at wait_for_common+0x148/0x164
 pc : [<c01c0df4>]    lr : [<c025a980>]    psr: 20000013
 Backtrace:
  ks8851_tx_work+0x0/0x1b0
  worker_thread+0x0/0x190
  kthread+0x0/0x90

Signed-off-by: Abraham Arce <x0066660@ti.com>
---
 drivers/net/ks8851.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)

Comments

David Miller April 21, 2010, 11:29 p.m. UTC | #1

From: Abraham Arce <abraham.arce.moreno@gmail.com>
Date: Fri, 16 Apr 2010 19:48:43 -0500

> Fix NULL pointer dereference in ks8851_tx_work by checking if dequeued
> list is already empty before writing the packet to TX FIFO
> 
>  Unable to handle kernel NULL pointer dereference at virtual address 00000050
>  PC is at ks8851_tx_work+0xdc/0x1b0
>  LR is at wait_for_common+0x148/0x164
>  pc : [<c01c0df4>]    lr : [<c025a980>]    psr: 20000013
>  Backtrace:
>   ks8851_tx_work+0x0/0x1b0
>   worker_thread+0x0/0x190
>   kthread+0x0/0x90
> 
> Signed-off-by: Abraham Arce <x0066660@ti.com>

Applied to net-2.6, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/ks8851.c b/drivers/net/ks8851.c
index 13cc1ca..9e9f9b3 100644
--- a/drivers/net/ks8851.c
+++ b/drivers/net/ks8851.c
@@ -722,12 +722,14 @@  static void ks8851_tx_work(struct work_struct *work)
 		txb = skb_dequeue(&ks->txq);
 		last = skb_queue_empty(&ks->txq);

-		ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
-		ks8851_wrpkt(ks, txb, last);
-		ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
-		ks8851_wrreg16(ks, KS_TXQCR, TXQCR_METFE);
+		if (txb != NULL) {
+			ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr | RXQCR_SDA);
+			ks8851_wrpkt(ks, txb, last);
+			ks8851_wrreg16(ks, KS_RXQCR, ks->rc_rxqcr);
+			ks8851_wrreg16(ks, KS_TXQCR, TXQCR_METFE);

-		ks8851_done_tx(ks, txb);
+			ks8851_done_tx(ks, txb);
+		}
 	}

 	mutex_unlock(&ks->lock);

KS8851: NULL pointer dereference if list is empty

Commit Message

Comments

Patch