Bug 109951

Summary: rtl8192_tx_isr code analysis logic error
Product: Drivers
Reporter: Yong Shi (brave_shi)
Component: network-wireless
Assignee: drivers_network-wireless (drivers_network-wireless)
Status: RESOLVED CODE_FIX
Severity: normal
CC: Larry.Finger, linville
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.3.3
Subsystem:
Regression: No
Bisected commit-id:
Attachments: Fixes the problem described here.

Description Yong Shi 2015-12-25 02:01:37 UTC
The verification for variable skb is done after the variable is used.

rtl8192_tx_isr
line 1008:
	struct net_device *dev = (struct net_device *)(skb->cb);
line 1010:
	cb_desc *tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);


the verification:
line 1028:
	if (skb != NULL) {
		dev_kfree_skb_any(skb);
		usb_free_urb(tx_urb);
		atomic_dec(&priv->tx_pending[queue_index]);
	}
Comment 1 Yong Shi 2015-12-25 08:56:36 UTC
r8192U_core.c
Comment 2 Larry Finger 2016-01-05 02:29:29 UTC
Created attachment 198761
Fixes the problem described here.

This patch moves all the dereferences of skb to a point after the pointer is tested for NULL.
Comment 3 Yong Shi 2016-01-12 07:07:58 UTC
It's ok, now.
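
The ordering described in comment 2, as an added user-space example that is not the attached patch and not code from r8192U_core.c. The model_* types, the value of MAX_DEV_ADDR_SIZE, NUM_QUEUES and the return codes are assumptions made so that the sketch compiles outside the kernel.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEV_ADDR_SIZE 8  /* assumed value for this model */
#define NUM_QUEUES 4         /* assumed */

struct model_skb  { unsigned char cb[48]; };      /* stand-in for struct sk_buff */
struct model_desc { unsigned char queue_index; }; /* stand-in for cb_desc */

static int tx_pending[NUM_QUEUES]; /* stand-in for priv->tx_pending[] */

/* Constructed input: a buffer whose control block names queue q. */
struct model_skb *model_skb_for_queue(unsigned char q)
{
    struct model_skb *skb = calloc(1, sizeof(*skb));
    if (skb != NULL)
        skb->cb[MAX_DEV_ADDR_SIZE] = q;
    return skb;
}

/* Completion handler in the corrected order.
 * Returns 0 when the pending count was updated, -1 otherwise. */
int model_tx_done(struct model_skb *skb)
{
    struct model_desc *desc;
    unsigned char queue_index;

    /* Test first: nothing is derived from skb above this line. */
    if (skb == NULL)
        return -1;

    desc = (struct model_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);
    queue_index = desc->queue_index;
    free(skb);
    if (queue_index >= NUM_QUEUES)
        return -1; /* control block named no valid queue */
    tx_pending[queue_index]--;
    return 0;
}

int main(void)
{
    tx_pending[2] = 1;
    printf("valid skb: %d\n", model_tx_done(model_skb_for_queue(2)));
    printf("NULL skb:  %d\n", model_tx_done(NULL));
    printf("pending[2] = %d\n", tx_pending[2]);
    return 0;
}
```

With the ordering from the description, where skb is used before the test, a compiler is also entitled to treat the later skb != NULL test as always true, so the check cannot be relied on at all.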