Bug 97441

Summary: rtlwifi null pointer dereference crashes kernel
Product: Drivers
Reporter: e-kernel
Component: network-wireless
Assignee: drivers_network-wireless (drivers_network-wireless)
Status: NEW
Severity: high
CC: artas360, bugs, jwboyer, Larry.Finger, lfdominguez, szg00000, wking
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 4.0
Subsystem:
Regression: No
Bisected commit-id:
Attachments: Proposed patch, Correct patch

Description e-kernel 2015-04-28 14:22:38 UTC
On kernel 4.0 (arch linux testing/linux 4.0-2) with an RTL8188CE wifi chip using the rtl8192ce driver, sharing my network connection via wifi with network manager leads to a kernel crash due to a null pointer dereference:

Apr 28 11:33:19 bugbox kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
Apr 28 11:33:19 bugbox kernel: IP: [<ffffffffa07a799e>] rtl_get_tcb_desc+0x5e/0x770 [rtlwifi]
Apr 28 11:33:19 bugbox kernel: PGD 408898067 PUD 40997e067 PMD 0
Apr 28 11:33:19 bugbox kernel: Oops: 0002 [#1] PREEMPT SMP
Apr 28 11:33:19 bugbox kernel: Modules linked in: fuse snd_hda_codec_hdmi btrfs joydev mousedev xor raid6_pq snd_hda_codec_realtek snd_hda_codec_generic bridge stp ipt_MASQUERADE llc nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat xt_tcpudp nf_conntrack_ipv4 nf_def
Apr 28 11:33:19 bugbox kernel: drm_kms_helper libps2 ablk_helper snd_hda_codec mac_hid cryptd evdev cfg80211 drm i2c_i801 e1000e pcspkr snd_hwdep snd_pcm i2c_algo_bit mei_me i2c_core lpc_ich thinkpad_acpi snd_timer wmi ptp thermal nvram mei rfkill i8042 snd hwmon tpm_ti
Apr 28 11:33:19 bugbox kernel: CPU: 2 PID: 485 Comm: wpa_supplicant Tainted: G O 4.0.0-2-ARCH #1
Apr 28 11:33:19 bugbox kernel: Hardware name: LENOVO 2441CTO/2441CTO, BIOS G5ETA0WW (2.60 ) 08/22/2014
Apr 28 11:33:19 bugbox kernel: task: ffff880408a30000 ti: ffff880408c28000 task.ti: ffff880408c28000
Apr 28 11:33:19 bugbox kernel: RIP: 0010:[<ffffffffa07a799e>] [<ffffffffa07a799e>] rtl_get_tcb_desc+0x5e/0x770 [rtlwifi]
Apr 28 11:33:19 bugbox kernel: RSP: 0018:ffff880408c2b6a8 EFLAGS: 00010086
Apr 28 11:33:19 bugbox kernel: RAX: 0000000000000000 RBX: ffff880408a406a0 RCX: 0000000000000000
Apr 28 11:33:19 bugbox kernel: RDX: 0000000000000000 RSI: ffff880408a42028 RDI: ffff880408a406a0
Apr 28 11:33:19 bugbox kernel: RBP: ffff880408c2b6e8 R08: 0000000000000000 R09: 0000000000000000
Apr 28 11:33:19 bugbox kernel: R10: ffffffffa07c7000 R11: ffffffff818278c0 R12: ffff8803e29d6e28
Apr 28 11:33:19 bugbox kernel: R13: ffff88040154f960 R14: 0000000000000080 R15: ffff880408a41ae0
Apr 28 11:33:19 bugbox kernel: FS: 00007f0b8b80c700(0000) GS:ffff88041dc80000(0000) knlGS:0000000000000000
Apr 28 11:33:19 bugbox kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 28 11:33:19 bugbox kernel: CR2: 0000000000000006 CR3: 0000000403afb000 CR4: 00000000001407e0
Apr 28 11:33:19 bugbox kernel: Stack:
Apr 28 11:33:19 bugbox kernel: ffff8803e29d6e30 000000010154f960 ffff880408c2b6e8 ffff880408a41ae0
Apr 28 11:33:19 bugbox kernel: ffff88040154f960 ffff880037656000 ffff880408a406a0 0000000000000000
Apr 28 11:33:19 bugbox kernel: ffff880408c2b768 ffffffffa06cc756 ffff880408c2b780 0000000000000000
Apr 28 11:33:19 bugbox kernel: Call Trace:
Apr 28 11:33:19 bugbox kernel: [<ffffffffa06cc756>] rtl92ce_tx_fill_desc+0x1a6/0x740 [rtl8192ce]
Apr 28 11:33:19 bugbox kernel: [<ffffffffa06f1123>] ? rate_control_get_rate+0xd3/0xe0 [mac80211]
Apr 28 11:33:19 bugbox kernel: [<ffffffffa07c3b02>] rtl_pci_tx+0x1a2/0x440 [rtl_pci]
Apr 28 11:33:19 bugbox kernel: [<ffffffffa07abb1e>] rtl_op_bss_info_changed+0x50e/0x820 [rtlwifi]
Apr 28 11:33:19 bugbox kernel: [<ffffffffa06d7e2e>] ieee80211_bss_info_change_notify+0xbe/0x210 [mac80211]
Apr 28 11:33:19 bugbox kernel: [<ffffffffa06f7690>] ieee80211_start_ap+0x400/0x4c0 [mac80211]
Apr 28 11:33:19 bugbox kernel: [<ffffffffa05a63bf>] nl80211_start_ap+0x32f/0x630 [cfg80211]
Apr 28 11:33:19 bugbox kernel: [<ffffffff814a0247>] genl_family_rcv_msg+0x1e7/0x3f0
Apr 28 11:33:19 bugbox kernel: [<ffffffff81569572>] ? __schedule+0x382/0xa00
Apr 28 11:33:19 bugbox kernel: [<ffffffff814a0450>] ? genl_family_rcv_msg+0x3f0/0x3f0
Apr 28 11:33:19 bugbox kernel: [<ffffffff814a04c9>] genl_rcv_msg+0x79/0xc0
Apr 28 11:33:19 bugbox kernel: [<ffffffff8149f439>] netlink_rcv_skb+0xb9/0xe0
Apr 28 11:33:19 bugbox kernel: [<ffffffff814a004c>] genl_rcv+0x2c/0x40
Apr 28 11:33:19 bugbox kernel: [<ffffffff8149eac0>] netlink_unicast+0x120/0x1b0
Apr 28 11:33:19 bugbox kernel: [<ffffffff8149f154>] netlink_sendmsg+0x534/0x640
Apr 28 11:33:19 bugbox kernel: [<ffffffff81450a22>] do_sock_sendmsg+0x52/0x80
Apr 28 11:33:19 bugbox kernel: [<ffffffff81452020>] ___sys_sendmsg+0x330/0x340
Apr 28 11:33:19 bugbox kernel: [<ffffffff8118c166>] ? handle_mm_fault+0xc76/0x1750
Apr 28 11:33:19 bugbox kernel: [<ffffffff81212d7c>] ? fsnotify+0x3ac/0x580
Apr 28 11:33:19 bugbox kernel: [<ffffffff814531e1>] __sys_sendmsg+0x51/0x90
Apr 28 11:33:19 bugbox kernel: [<ffffffff81453232>] SyS_sendmsg+0x12/0x20
Apr 28 11:33:19 bugbox kernel: [<ffffffff8156d8c9>] system_call_fastpath+0x12/0x17
Apr 28 11:33:19 bugbox kernel: Code: 0f 88 37 04 00 00 0f b6 76 04 48 8b 4f 38 48 8b b4 f1 d8 00 00 00 48 8d 0c 40 48 8b 46 08 48 8d 04 88 48 85 c0 74 08 0f b7 40 06 <41> 88 40 06 44 89 f0 83 e0 0c 66 83 f8 08 74 32 41 0f b6 40 03
Apr 28 11:33:19 bugbox kernel: RIP [<ffffffffa07a799e>] rtl_get_tcb_desc+0x5e/0x770 [rtlwifi]


Additional info:
* testing/linux 4.0-2


Steps to reproduce:
Configure network sharing in network-manager and enable the sharing; the system freezes instantly.
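The oops above already contains everything needed to confirm the root cause before reading any driver source: the fault address, the page-fault error code, the register dump and the bytes at RIP. The following triage script is an added example (not code from the bug report or from the rtlwifi driver). It assumes x86-64 oops formatting, parses an excerpt of the report above embedded as constructed sample input, decodes only the one instruction encoding that faults here (`REX 88 /r` with a disp8 memory operand), and cross-checks that base register + displacement equals CR2 and the reported fault address.

```python
"""Triage helper for an x86-64 kernel oops such as the one in the report above.
Added example, not code from the bug report or the rtlwifi driver."""
import re

# Excerpt of the oops from the report above (timestamps and unused lines dropped).
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
IP: [<ffffffffa07a799e>] rtl_get_tcb_desc+0x5e/0x770 [rtlwifi]
Oops: 0002 [#1] PREEMPT SMP
CPU: 2 PID: 485 Comm: wpa_supplicant Tainted: G O 4.0.0-2-ARCH #1
RBP: ffff880408c2b6e8 R08: 0000000000000000 R09: 0000000000000000
CR2: 0000000000000006 CR3: 0000000403afb000 CR4: 00000000001407e0
Call Trace:
[<ffffffffa06cc756>] rtl92ce_tx_fill_desc+0x1a6/0x740 [rtl8192ce]
[<ffffffffa06f1123>] ? rate_control_get_rate+0xd3/0xe0 [mac80211]
[<ffffffffa07c3b02>] rtl_pci_tx+0x1a2/0x440 [rtl_pci]
[<ffffffffa07abb1e>] rtl_op_bss_info_changed+0x50e/0x820 [rtlwifi]
[<ffffffffa06f7690>] ieee80211_start_ap+0x400/0x4c0 [mac80211]
[<ffffffffa05a63bf>] nl80211_start_ap+0x32f/0x630 [cfg80211]
[<ffffffff81453232>] SyS_sendmsg+0x12/0x20
Code: 48 85 c0 74 08 0f b7 40 06 <41> 88 40 06 44 89 f0 83 e0 0c 66 83 f8 08 74 32
"""

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG8 = ["al", "cl", "dl", "bl", "spl", "bpl", "sil", "dil",
        "r8b", "r9b", "r10b", "r11b", "r12b", "r13b", "r14b", "r15b"]
FRAME = re.compile(r"\[<([0-9a-f]+)>\] (\? )?(\S+?)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?")


def decode_pf_error(code):
    """x86 page-fault error code bits, as printed in the 'Oops: NNNN' field."""
    return {"present": bool(code & 1), "write": bool(code & 2),
            "user": bool(code & 4), "reserved_bit": bool(code & 8),
            "instr_fetch": bool(code & 16)}


def decode_mov_store_byte(code):
    """Decode one encoding only: [REX] 88 /r with mod=01, i.e.
    'mov byte [base + disp8], reg8'.  Returns (base, disp, src) or None."""
    if not code:
        return None
    i, rex = 0, 0
    if 0x40 <= code[0] <= 0x4F:
        rex, i = code[0], 1
    if len(code) < i + 3 or code[i] != 0x88:
        return None
    mod, reg, rm = code[i + 1] >> 6, (code[i + 1] >> 3) & 7, code[i + 1] & 7
    if mod != 1 or rm == 4:                   # disp8 forms only, no SIB byte
        return None
    base = REG64[rm + 8 * (rex & 1)]          # REX.B extends the base register
    src = REG8[reg + 8 * ((rex >> 2) & 1)]    # REX.R extends the source register
    if not rex and 4 <= reg <= 7:             # without REX, regs 4-7 are ah/ch/dh/bh
        src = ["ah", "ch", "dh", "bh"][reg - 4]
    disp = code[i + 2] - 256 if code[i + 2] >= 128 else code[i + 2]
    return base, disp, src


def parse_oops(text):
    """Pull the fields a triage needs out of the raw oops text."""
    ip = re.search(r"IP: " + FRAME.pattern, text)
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{2}|CR\d): ([0-9a-f]{16})", text):
        if name[1:].isdigit():
            name = "R%d" % int(name[1:])      # R08 -> r8
        regs[name.lower()] = int(val, 16)
    trace = [{"symbol": f[2], "offset": int(f[3], 16), "module": f[4] or "vmlinux",
              "unreliable": bool(f[1])}
             for f in FRAME.findall(text.split("Call Trace:", 1)[1])]
    code = re.search(r"Code: (.*)", text).group(1).split()
    marked = [i for i, b in enumerate(code) if b.startswith("<")]  # <xx> is RIP
    tainted = re.search(r"Tainted: ([A-Z](?: [A-Z])*)", text)
    return {
        "fault_addr": int(re.search(r"dereference at ([0-9a-f]+)", text).group(1), 16),
        "error_code": decode_pf_error(int(re.search(r"Oops: ([0-9a-f]{4})", text).group(1), 16)),
        "comm": re.search(r"Comm: (\S+)", text).group(1),
        "tainted": tainted.group(1) if tainted else "",
        "rip": {"symbol": ip.group(3), "offset": int(ip.group(4), 16), "module": ip.group(5)},
        "regs": regs, "call_trace": trace,
        "fault_insn": bytes(int(b.strip("<>"), 16) for b in code[marked[0]:]),
    }


def triage(text):
    """Cross-check fault address, faulting instruction and registers; summarise."""
    o = parse_oops(text)
    insn = decode_mov_store_byte(o["fault_insn"])
    base_val = o["regs"].get(insn[0]) if insn else None
    computed = None if base_val is None else (base_val + insn[1]) & (2 ** 64 - 1)
    o["instruction"] = insn
    o["consistent"] = computed is not None and computed == o["fault_addr"] == o["regs"].get("cr2")
    o["null_deref"] = base_val == 0          # base register is NULL: struct pointer was NULL
    entries = [f["symbol"] for f in o["call_trace"]
               if not f["unreliable"] and f["symbol"].lower().startswith("sys_")]
    o["syscall_entry"] = entries[-1] if entries else None
    o["summary"] = "%s-mode %s to %#x in %s+%#x [%s], reached from %s in %s" % (
        "user" if o["error_code"]["user"] else "kernel",
        "write" if o["error_code"]["write"] else "read",
        o["fault_addr"], o["rip"]["symbol"], o["rip"]["offset"], o["rip"]["module"],
        o["syscall_entry"], o["comm"])
    return o


if __name__ == "__main__":
    print(triage(OOPS)["summary"])
```

For this report the script resolves the marked bytes `41 88 40 06` to `mov byte [r8+6], al` with R8 = 0, which matches CR2 = 6 and the error code 0002 (not-present page, write, kernel mode): the driver is storing into a field at offset 6 of a NULL descriptor, not reading through it, and the path into the driver is the NL80211_CMD_START_AP request wpa_supplicant sends over netlink.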
Comment 1 W. Trevor King 2015-07-09 04:22:31 UTC
This looks like the same bug that was discussed briefly on linux-wireless on 2015-06-05 [1].

[1]: http://thread.gmane.org/gmane.linux.kernel.wireless.general/138645
Comment 2 bugs 2015-07-19 18:44:41 UTC
Currently I have to run kernel 3.19.7 because all 4.x.x kernels crash at boot time.
See more details at https://bugzilla.redhat.com/show_bug.cgi?id=1235414
Comment 3 Luis Felipe Domínguez Vega 2015-07-29 19:49:59 UTC
Hello,
I think I fixed the problem; I just added two lines and everything (AP mode) works fine without problems.

Here it goes: (Sorry, I have no git and no internet to download the code and upload the changes.)

Into file /drivers/net/wireless/rtlwifi/core.c

Inside (line 1013):

   static void send_beacon_frame(struct ieee80211_hw *hw,
                                 struct ieee80211_vif *vif)
   {
         struct rtl_priv *rtlpriv = rtl_priv(hw);
         struct sk_buff *skb = ieee80211_beacon_get(hw, vif);

         /* Here I add these two lines */
         struct rtl_tcb_desc tcb_desc;
         memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc));

         if (skb)               /* I replace the last NULL parameter */
                 rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, &tcb_desc);
   }

I think the problem was the last NULL parameter.
Comment 4 Larry Finger 2015-07-29 20:47:45 UTC
Created attachment 184001 [details]
Proposed patch

This version of the patch is reworked a little, but is essentially as proposed by Dominguez.
Comment 5 bugs 2015-07-29 21:03:47 UTC
Please, make sure all affected drivers are fixed, not only rtl8821ae
It is happening too at a system using the rtl8192ce driver.
Comment 6 Larry Finger 2015-07-30 00:14:42 UTC
The patch is for rtlwifi, which is used by all of the drivers.
Comment 7 Luis Felipe Domínguez Vega 2015-07-30 01:12:28 UTC
Now I'm using the RTL 8188ee module. All works fine...
Comment 8 Josh Boyer 2015-08-03 13:14:28 UTC
(In reply to Larry Finger from comment #4)
> Created attachment 184001 [details]
> Proposed patch
> 
> This version of the patch is reworked a little, but is essentially as
> proposed by Dominguez.

I'm confused.  This patch looks like bringing in register definitions and no longer including ../reg.h.  It doesn't look at all like the two lines of code in comment #3.  How is this the same?

Is there an upstream patch that was sent for this?
Comment 9 Larry Finger 2015-08-03 15:02:02 UTC
Yes. It is commit 7c62940165e9ae4004ce4e6b5117330bab94df68 in the wireless-drivers repo. The real patch is as follows:

diff --git a/drivers/net/wireless/rtlwifi/core.c b/drivers/net/wireless/rtlwifi/core.c
index 3b3a88b..585d088 100644
--- a/drivers/net/wireless/rtlwifi/core.c
+++ b/drivers/net/wireless/rtlwifi/core.c
@@ -1015,9 +1015,12 @@ static void send_beacon_frame(struct ieee80211_hw *hw,
 {
        struct rtl_priv *rtlpriv = rtl_priv(hw);
        struct sk_buff *skb = ieee80211_beacon_get(hw, vif);
+       struct rtl_tcb_desc tcb_desc;
 
-       if (skb)
-               rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, NULL);
+       if (skb) {
+               memset(&tcb_desc, 0, sizeof(struct rtl_tcb_desc));
+               rtlpriv->intf_ops->adapter_tx(hw, NULL, skb, &tcb_desc);
+       }
 }
 
 static void rtl_op_bss_info_changed(struct ieee80211_hw *hw,
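Review bot: the zero-filled stack descriptor fixes this one caller, but nothing in the hunk stops the same crash elsewhere. The oops on this page is a store, not a load: `Oops: 0002` has the write bit set, `CR2: 0000000000000006` with `R08: 0000000000000000`, and the marked bytes `<41> 88 40 06` in the Code: line are `mov byte [r8+6], al`, so rtl_get_tcb_desc writes into field offset 6 of whatever `tcb_desc` it is handed. Any remaining `adapter_tx(hw, NULL, skb, NULL)` caller will fault identically; either audit the other callers in the same change or have rtl_get_tcb_desc (or adapter_tx) reject a NULL descriptor instead of trusting every caller. Minor: `struct rtl_tcb_desc tcb_desc = {0};` at the declaration would replace the memset inside the `if (skb)` block and keep the change to two lines.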
Comment 10 Larry Finger 2015-08-03 15:05:01 UTC
Created attachment 184141 [details]
Correct patch

The wrong patch was previously attached. It is replaced with the correct one.
Comment 11 bugs 2015-11-23 21:12:43 UTC
The problem has been fixed in at least a couple of recent kernel releases.
I am now running 4.2.6 on a Fedora 23 and it is working fine.
Comment 12 Larry Finger 2016-02-15 17:03:20 UTC
Please close this with a CODE FIX. I do not have the necessary privilege.