drivers: staging: wilc1000 - NULL pointer dereference

From: Chandra Gorentla
Date: Sun Sep 13 2015 - 08:47:50 EST

Next message: Chris Mason: "Re: [PATCH] fs-writeback: drop wb->list_lock during blk_finish_plug()"
Previous message: Bob Liu: "Re: [Xen-devel] [PATCH 0/2] block/xen-blkfront: Support non-indirect with 64KB page granularity"
Next in thread: Greg KH: "Re: drivers: staging: wilc1000 - NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

At this point I do not have the hardware.

NULL pointer deference is observed in the wilc1000.ko module on x86 target
with bus type SPI and when SPI is not ready. Following are the steps to
reproduce.

$ sudo insmod drivers/staging/wilc1000/wilc1000.ko
$ sudo ifconfig wlan1 up

wlan1 in the above command is the device controlled by 'wilc1000.ko'.

Though the target I tested is not built to support WILC1000, my test
scenario can be treated as a case where in SPI is not working or WILC1000
is not connected to the supported hardware.

I think I know a fix (pasted below) to this but cannot test it because hardware
is not available to test positive cases.

Thanks,
chandra

gcs@gcs-HP-Compaq-nx6320:~/linux/staging$ git diff
diff --git a/drivers/staging/wilc1000/linux_wlan.c b/drivers/staging/wilc1000/linux_wlan.c
index 63f44f8..48f063d 100644
--- a/drivers/staging/wilc1000/linux_wlan.c
+++ b/drivers/staging/wilc1000/linux_wlan.c
@@ -1634,6 +1634,12 @@ int mac_open(struct net_device *ndev)
int i = 0;
struct WILC_WFI_priv *priv;

+#ifdef WILC_SPI
+ if (!g_linux_wlan || !g_linux_wlan->wilc_spidev) {
+ netdev_err(ndev, "wilc1000: SPI device not ready\n");
+ return -ENODEV;
+ }
+#endif
nic = netdev_priv(ndev);
priv = wiphy_priv(nic->wilc_netdev->ieee80211_ptr->wiphy);
PRINT_D(INIT_DBG, "MAC OPEN[%p]\n", ndev);
gcs@gcs-HP-Compaq-nx6320:~/linux/staging$

DMESG -
.
.
.
[ 732.084744] wilc1000: module is from the staging directory, the quality is unknown, you have been warned.
[ 732.086903] IN INIT FUNCTION
[ 732.086910] *** WILC1000 driver VERSION=[10.2] FW_VER=[10.2] ***
[ 772.414455] BUG: unable to handle kernel NULL pointer dereference at 00000190
[ 772.414603] IP: [<c14d7c5b>] __spi_sync+0x1b/0x220
[ 772.414711] *pdpt = 000000000f93a001 *pde = 0000000000000000
[ 772.414848] Oops: 0000 [#1] SMP
[ 772.414980] Modules linked in: wilc1000(OC) drbg ctr ccm bnep rfcomm lp i915 arc4 iwl3945 iwlegacy mac80211 snd_hda_codec_si3054 snd_hda_codec_analog snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core btusb i2c_algo_bit drm_kms_helper snd_pcm btrtl btbcm cfg80211 btintel bluetooth drm snd_hwdep snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq hp_wmi ppdev sparse_keymap pcmcia snd_timer snd_seq_device yenta_socket snd coretemp pcmcia_rsrc joydev pcmcia_core serio_raw tifm_7xx1 tifm_core parport_pc soundcore lpc_ich parport wmi video mac_hid psmouse ahci libahci sdhci_pci tg3 ptp pps_core firewire_ohci sdhci firewire_core crc_itu_t
[ 772.417735] CPU: 0 PID: 3273 Comm: ifconfig Tainted: G C O 4.2.0-09334-g65da87c-dirty #16
[ 772.417817] Hardware name: Hewlett-Packard HP Compaq nx6320/30AA, BIOS 68YDU Ver. F.0E 02/21/2008
[ 772.417899] task: cf878000 ti: cfac2000 task.ti: cfac2000
[ 772.417961] EIP: 0060:[<c14d7c5b>] EFLAGS: 00010286 CPU: 0
[ 772.418025] EIP is at __spi_sync+0x1b/0x220
[ 772.418086] EAX: cfac3bbc EBX: 00000000 ECX: 00000000 EDX: cfac3bec
[ 772.418148] ESI: cfac3c98 EDI: cfac3bec EBP: cfac3bd0 ESP: cfac3b90
[ 772.418212] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 772.418273] CR0: 8005003b CR2: 00000190 CR3: 1e7e0be0 CR4: 000006f0
[ 772.418336] Stack:
[ 772.418391] de692c00 0007fcb4 00000000 5554c379 000000de df2c3d40 de693c00 de693c00
[ 772.418407] df2c3d40 558578a7 000000de cfac3bbc cfac3bbc 00000011 cfac3c98 cfac3c1c
[ 772.418407] cfac3bd8 c14d7e6f cfac3c6c e08b7af7 00000000 00000000 00000000 cfac3c58
[ 772.418407] Call Trace:
[ 772.418407] [<c14d7e6f>] spi_sync+0xf/0x20
[ 772.418407] [<e08b7af7>] linux_spi_write_read+0x77/0x100 [wilc1000]
[ 772.418407] [<e08b513e>] spi_cmd_complete+0xde/0x820 [wilc1000]
[ 772.418407] [<c1093eeb>] ? enqueue_entity+0x36b/0xed0
[ 772.418407] [<e08b58a8>] spi_internal_read+0x28/0x80 [wilc1000]
[ 772.418407] [<e08b66df>] spi_init+0xcf/0x2a0 [wilc1000]
[ 772.418407] [<e089bfce>] wilc_wlan_init+0x10e/0x530 [wilc1000]
[ 772.418407] [<c1043dea>] ? native_smp_send_reschedule+0x3a/0x50
[ 772.418407] [<e08a312b>] ? wlan_init_locks+0x6b/0x1e0 [wilc1000]
[ 772.418407] [<e08a369a>] wilc1000_wlan_init+0x8a/0x8b0 [wilc1000]
[ 772.418407] [<c1087307>] ? ttwu_do_wakeup+0x17/0x100
[ 772.418407] [<c10c14d5>] ? internal_add_timer+0x75/0x80
[ 772.418407] [<c10c3050>] ? mod_timer+0xf0/0x1d0
[ 772.418407] [<e08a0a60>] ? linux_wlan_rx_complete+0x50/0x50 [wilc1000]
[ 772.418407] [<e08a0c50>] ? wlan_deinitialize_threads.isra.10+0x100/0x100 [wilc1000]
[ 772.418407] [<e08b7700>] ? linux_spi_deinit+0x60/0x60 [wilc1000]
[ 772.418407] [<e08b76a0>] ? wilc_debugfs_remove+0x20/0x20 [wilc1000]
[ 772.418407] [<e08b7b80>] ? linux_spi_write_read+0x100/0x100 [wilc1000]
[ 772.418407] [<e08b7740>] ? linux_spi_init+0x40/0x40 [wilc1000]
[ 772.418407] [<e08b7920>] ? linux_spi_write+0x1e0/0x1e0 [wilc1000]
[ 772.418407] [<e08b7a80>] ? linux_spi_read+0x160/0x160 [wilc1000]
[ 772.418407] [<e08a26f0>] ? GetIfHandler+0x250/0x250 [wilc1000]
[ 772.418407] [<e08a0a10>] ? wlan_deinit_locks.isra.3+0x50/0x50 [wilc1000]
[ 772.418407] [<e08a0ac0>] ? linux_wlan_dbg+0x60/0x60 [wilc1000]
[ 772.418407] [<e08a3f3f>] mac_open+0x7f/0x360 [wilc1000]
[ 772.418407] [<c15d054d>] ? call_netdevice_notifiers_info+0x2d/0x60
[ 772.418407] [<c15d82a3>] __dev_open+0x83/0xf0
[ 772.418407] [<c16b088b>] ? _raw_spin_unlock_bh+0x1b/0x20
[ 772.418407] [<c15d856e>] __dev_change_flags+0x8e/0x140
[ 772.418407] [<c15d8648>] dev_change_flags+0x28/0x60
[ 772.418407] [<c163b716>] devinet_ioctl+0x5b6/0x6e0
[ 772.418407] [<c1332046>] ? _copy_to_user+0x26/0x30
[ 772.418407] [<c163c84d>] inet_ioctl+0x6d/0xa0
[ 772.418407] [<c15bbd24>] sock_ioctl+0x114/0x250
[ 772.418407] [<c15bbc10>] ? sock_fasync+0x80/0x80
[ 772.418407] [<c11b443a>] do_vfs_ioctl+0x30a/0x540
[ 772.418407] [<c11bd3f6>] ? __alloc_fd+0x36/0x100
[ 772.418407] [<c11b04fc>] ? putname+0x4c/0x50
[ 772.418407] [<c11b04fc>] ? putname+0x4c/0x50
[ 772.418407] [<c11a2610>] ? do_sys_open+0x180/0x200
[ 772.418407] [<c11b46d0>] SyS_ioctl+0x60/0x90
[ 772.418407] [<c16b0ed0>] sysenter_do_call+0x12/0x12
[ 772.418407] Code: 00 00 e8 39 fa ff ff 5d c3 8d b4 26 00 00 00 00 55 89 e5 57 56 53 83 ec 34 3e 8d 74 26 00 89 c3 89 d7 8d 45 ec 89 45 ec 89 45 f0 <8b> 83 90 01 00 00 89 4d dc c7 45 e4 00 00 00 00 c7 45 e8 00 00
[ 772.418407] EIP: [<c14d7c5b>] __spi_sync+0x1b/0x220 SS:ESP 0068:cfac3b90
[ 772.418407] CR2: 0000000000000190
[ 772.425237] ---[ end trace 37b46cc426c30252 ]---

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Mason: "Re: [PATCH] fs-writeback: drop wb->list_lock during blk_finish_plug()"
Previous message: Bob Liu: "Re: [Xen-devel] [PATCH 0/2] block/xen-blkfront: Support non-indirect with 64KB page granularity"
Next in thread: Greg KH: "Re: drivers: staging: wilc1000 - NULL pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]