rtlwifi: rtl8192cu: Fix NULL dereference BUG when using new_id

Submitted by Larry Finger on Feb. 6, 2013, midnight

Details

Message ID 1360108823-5141-1-git-send-email-Larry.Finger@lwfinger.net
State Not Applicable
Delegated to: David Miller
Headers show

Commit Message

Larry Finger Feb. 6, 2013, midnight
When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
a NULL pointer dereference.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
---

John,

Although this patch should be backported to stable kernels, the new_id
feature is rarely used, thus the patch should not have any particular
priority.

Larry
---

 drivers/net/wireless/rtlwifi/usb.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Ben Hutchings Feb. 6, 2013, 12:18 a.m.
On Tue, 2013-02-05 at 18:00 -0600, Larry Finger wrote:
> When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
> a NULL pointer dereference.
[...]

So set no_dynamic_id in the usb_driver structures.

(But I wonder why USB behaves differently from PCI, which requires that
the dynamic ID's driver_data value (defaulting to 0) matches a value
used in a static ID entry.)

Ben.
Larry Finger Feb. 6, 2013, 12:44 a.m.
On 02/05/2013 06:18 PM, Ben Hutchings wrote:
> On Tue, 2013-02-05 at 18:00 -0600, Larry Finger wrote:
>> When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
>> a NULL pointer dereference.
> [...]
>
> So set no_dynamic_id in the usb_driver structures.
>
> (But I wonder why USB behaves differently from PCI, which requires that
> the dynamic ID's driver_data value (defaulting to 0) matches a value
> used in a static ID entry.)

I don't know why USB differs from PCI, but we do need the dynamic ID here as 
there are always new IDs being issued. One of the criteria for adding the ID to 
the table is that it works OK with dynamic addition. These devices are 
frequently reported by users that do not have the skills to build their own kernel.

Larry


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Ben Hutchings Feb. 6, 2013, 1:16 a.m.
On Tue, 2013-02-05 at 18:44 -0600, Larry Finger wrote:
> On 02/05/2013 06:18 PM, Ben Hutchings wrote:
> > On Tue, 2013-02-05 at 18:00 -0600, Larry Finger wrote:
> >> When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
> >> a NULL pointer dereference.
> > [...]
> >
> > So set no_dynamic_id in the usb_driver structures.
> >
> > (But I wonder why USB behaves differently from PCI, which requires that
> > the dynamic ID's driver_data value (defaulting to 0) matches a value
> > used in a static ID entry.)
> 
> I don't know why USB differs from PCI, but we do need the dynamic ID here as 
> there are always new IDs being issued. One of the criteria for adding the ID to 
> the table is that it works OK with dynamic addition. These devices are 
> frequently reported by users that do not have the skills to build their own kernel.

But since there is no way to set the driver_info for a new USB ID
(again, unlike PCI), your change will reject all dynamic IDs.  (And in
any case, if the USB core were changed to allow setting driver_info,
userland would have difficulty providing a valid pointer!)

It looks like the driver_info is really driver-specific data used to
share a probe function between multiple drivers.  But you could add
per-driver probe functions that pass the correct rtl_hal_cfg as an extra
argument to rtl_usb_probe(), and then dynamic IDs should work.

Ben.
Johannes Berg Feb. 6, 2013, 9:01 a.m.
On Wed, 2013-02-06 at 01:16 +0000, Ben Hutchings wrote:

> > I don't know why USB differs from PCI, but we do need the dynamic ID here as 
> > there are always new IDs being issued. One of the criteria for adding the ID to 
> > the table is that it works OK with dynamic addition. These devices are 
> > frequently reported by users that do not have the skills to build their own kernel.
> 
> But since there is no way to set the driver_info for a new USB ID
> (again, unlike PCI), your change will reject all dynamic IDs.  (And in
> any case, if the USB core were changed to allow setting driver_info,
> userland would have difficulty providing a valid pointer!)
> 
> It looks like the driver_info is really driver-specific data used to
> share a probe function between multiple drivers.  But you could add
> per-driver probe functions that pass the correct rtl_hal_cfg as an extra
> argument to rtl_usb_probe(), and then dynamic IDs should work.

Some (PCI?) drivers had/have numbers instead of pointers, so userland
can provide a number and it then looks up the pointer in an array.
That's only slightly indirected but makes new_id more useful in that
case.

johannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch hide | download patch | download mbox

diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c
index d42bbe2..77a7517 100644
--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -977,6 +977,9 @@  int rtl_usb_probe(struct usb_interface *intf,
 	rtl_dbgp_flag_init(hw);
 	/* Init IO handler */
 	_rtl_usb_io_handler_init(&udev->dev, hw);
+	if (!rtlpriv->cfg || !rtlpriv->cfg->ops ||
+	    !rtlpriv->cfg->ops->read_chip_version)
+		return -ENODEV;
 	rtlpriv->cfg->ops->read_chip_version(hw);
 	/*like read eeprom and so on */
 	rtlpriv->cfg->ops->read_eeprom_info(hw);