Patchwork rtlwifi: rtl8192cu: Fix NULL dereference BUG when using new_id

login
register
mail settings
Submitter Larry Finger
Date Feb. 6, 2013, midnight
Message ID <1360108823-5141-1-git-send-email-Larry.Finger@lwfinger.net>
Download mbox | patch
Permalink /patch/218465/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Larry Finger - Feb. 6, 2013, midnight
When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
a NULL pointer dereference.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
---

John,

Although this patch should be backported to stable kernels, the new_id
feature is rarely used, thus the patch should not have any particular
priority.

Larry
---

 drivers/net/wireless/rtlwifi/usb.c | 3 +++
 1 file changed, 3 insertions(+)
Ben Hutchings - Feb. 6, 2013, 12:18 a.m.
On Tue, 2013-02-05 at 18:00 -0600, Larry Finger wrote:
> When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
> a NULL pointer dereference.
[...]

So set no_dynamic_id in the usb_driver structures.

(But I wonder why USB behaves differently from PCI, which requires that
the dynamic ID's driver_data value (defaulting to 0) matches a value
used in a static ID entry.)

Ben.
Larry Finger - Feb. 6, 2013, 12:44 a.m.
On 02/05/2013 06:18 PM, Ben Hutchings wrote:
> On Tue, 2013-02-05 at 18:00 -0600, Larry Finger wrote:
>> When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
>> a NULL pointer dereference.
> [...]
>
> So set no_dynamic_id in the usb_driver structures.
>
> (But I wonder why USB behaves differently from PCI, which requires that
> the dynamic ID's driver_data value (defaulting to 0) matches a value
> used in a static ID entry.)

I don't know why USB differs from PCI, but we do need the dynamic ID here as 
there are always new IDs being issued. One of the criteria for adding the ID to 
the table is that it works OK with dynamic addition. These devices are 
frequently reported by users that do not have the skills to build their own kernel.

Larry


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Ben Hutchings - Feb. 6, 2013, 1:16 a.m.
On Tue, 2013-02-05 at 18:44 -0600, Larry Finger wrote:
> On 02/05/2013 06:18 PM, Ben Hutchings wrote:
> > On Tue, 2013-02-05 at 18:00 -0600, Larry Finger wrote:
> >> When the new_id entry is used for a foreign USB device, rtlwifi BUGS with
> >> a NULL pointer dereference.
> > [...]
> >
> > So set no_dynamic_id in the usb_driver structures.
> >
> > (But I wonder why USB behaves differently from PCI, which requires that
> > the dynamic ID's driver_data value (defaulting to 0) matches a value
> > used in a static ID entry.)
> 
> I don't know why USB differs from PCI, but we do need the dynamic ID here as 
> there are always new IDs being issued. One of the criteria for adding the ID to 
> the table is that it works OK with dynamic addition. These devices are 
> frequently reported by users that do not have the skills to build their own kernel.

But since there is no way to set the driver_info for a new USB ID
(again, unlike PCI), your change will reject all dynamic IDs.  (And in
any case, if the USB core were changed to allow setting driver_info,
userland would have difficulty providing a valid pointer!)

It looks like the driver_info is really driver-specific data used to
share a probe function between multiple drivers.  But you could add
per-driver probe functions that pass the correct rtl_hal_cfg as an extra
argument to rtl_usb_probe(), and then dynamic IDs should work.

Ben.
Johannes Berg - Feb. 6, 2013, 9:01 a.m.
On Wed, 2013-02-06 at 01:16 +0000, Ben Hutchings wrote:

> > I don't know why USB differs from PCI, but we do need the dynamic ID here as 
> > there are always new IDs being issued. One of the criteria for adding the ID to 
> > the table is that it works OK with dynamic addition. These devices are 
> > frequently reported by users that do not have the skills to build their own kernel.
> 
> But since there is no way to set the driver_info for a new USB ID
> (again, unlike PCI), your change will reject all dynamic IDs.  (And in
> any case, if the USB core were changed to allow setting driver_info,
> userland would have difficulty providing a valid pointer!)
> 
> It looks like the driver_info is really driver-specific data used to
> share a probe function between multiple drivers.  But you could add
> per-driver probe functions that pass the correct rtl_hal_cfg as an extra
> argument to rtl_usb_probe(), and then dynamic IDs should work.

Some (PCI?) drivers had/have numbers instead of pointers, so userland
can provide a number and it then looks up the pointer in an array.
That's only slightly indirected but makes new_id more useful in that
case.

johannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/wireless/rtlwifi/usb.c b/drivers/net/wireless/rtlwifi/usb.c
index d42bbe2..77a7517 100644
--- a/drivers/net/wireless/rtlwifi/usb.c
+++ b/drivers/net/wireless/rtlwifi/usb.c
@@ -977,6 +977,9 @@  int rtl_usb_probe(struct usb_interface *intf,
 	rtl_dbgp_flag_init(hw);
 	/* Init IO handler */
 	_rtl_usb_io_handler_init(&udev->dev, hw);
+	if (!rtlpriv->cfg || !rtlpriv->cfg->ops ||
+	    !rtlpriv->cfg->ops->read_chip_version)
+		return -ENODEV;
 	rtlpriv->cfg->ops->read_chip_version(hw);
 	/*like read eeprom and so on */
 	rtlpriv->cfg->ops->read_eeprom_info(hw);