Bug 109951 - rtl8192_tx_isr code analysis logic error
Summary: rtl8192_tx_isr code analysis logic error
Status: RESOLVED CODE_FIX
Alias: None
Product: Drivers
Classification: Unclassified
Component: network-wireless (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: drivers_network-wireless@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-25 02:01 UTC by Yong Shi
Modified: 2016-01-12 07:07 UTC (History)
2 users (show)

See Also:
Kernel Version: 4.3.3
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Fixes the problem described here. (2.05 KB, patch)
2016-01-05 02:29 UTC, Larry Finger 		Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Yong Shi 2015-12-25 02:01:37 UTC 
the verification for variable skb is done after the variable is used

rtl8192_tx_isr
line 1008:
	struct net_device *dev = (struct net_device *)(skb->cb);
line 1010:
	cb_desc *tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE);


the verification:
line 1028:
	if (skb != NULL) {
		dev_kfree_skb_any(skb);
		usb_free_urb(tx_urb);
		atomic_dec(&priv->tx_pending[queue_index]);
	}
Comment 1 Yong Shi 2015-12-25 08:56:36 UTC 
r8192U_core.c
Comment 2 Larry Finger 2016-01-05 02:29:29 UTC 
Created attachment 198761 [details]
Fixes the problem described here.

This patch moves all the dereferences of skb to a point after the pointer is tesped for NULL.
Comment 3 Yong Shi 2016-01-12 07:07:58 UTC 
It' ok,now.
Note You need to log in before you can comment on or make changes to this bug.