rtlwifi: rtl_pci: Fix kernel panic
In commit38506ecefa
(rtlwifi: rtl_pci: Start modification for new drivers), a bug was introduced that causes a NULL pointer dereference. As this bug only affects the infrequently used RTL8192EE and only under low-memory conditions, it has taken a long time for the bug to show up. The bug was reported on the linux-wireless mailing list and also at https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/ as bug #1527603 (kernel crashes due to rtl8192ee driver on ubuntu 15.10). Fixes:38506ecefa
("rtlwifi: rtl_pci: Start modification for new drivers") Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This commit is contained in:
parent
d47762633f
commit
f99551a2d3
|
@ -801,7 +801,9 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
|
||||||
hw_queue);
|
hw_queue);
|
||||||
if (rx_remained_cnt == 0)
|
if (rx_remained_cnt == 0)
|
||||||
return;
|
return;
|
||||||
|
buffer_desc = &rtlpci->rx_ring[rxring_idx].buffer_desc[
|
||||||
|
rtlpci->rx_ring[rxring_idx].idx];
|
||||||
|
pdesc = (struct rtl_rx_desc *)skb->data;
|
||||||
} else { /* rx descriptor */
|
} else { /* rx descriptor */
|
||||||
pdesc = &rtlpci->rx_ring[rxring_idx].desc[
|
pdesc = &rtlpci->rx_ring[rxring_idx].desc[
|
||||||
rtlpci->rx_ring[rxring_idx].idx];
|
rtlpci->rx_ring[rxring_idx].idx];
|
||||||
|
@ -824,13 +826,6 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
|
||||||
new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
|
new_skb = dev_alloc_skb(rtlpci->rxbuffersize);
|
||||||
if (unlikely(!new_skb))
|
if (unlikely(!new_skb))
|
||||||
goto no_new;
|
goto no_new;
|
||||||
if (rtlpriv->use_new_trx_flow) {
|
|
||||||
buffer_desc =
|
|
||||||
&rtlpci->rx_ring[rxring_idx].buffer_desc
|
|
||||||
[rtlpci->rx_ring[rxring_idx].idx];
|
|
||||||
/*means rx wifi info*/
|
|
||||||
pdesc = (struct rtl_rx_desc *)skb->data;
|
|
||||||
}
|
|
||||||
memset(&rx_status , 0 , sizeof(rx_status));
|
memset(&rx_status , 0 , sizeof(rx_status));
|
||||||
rtlpriv->cfg->ops->query_rx_desc(hw, &stats,
|
rtlpriv->cfg->ops->query_rx_desc(hw, &stats,
|
||||||
&rx_status, (u8 *)pdesc, skb);
|
&rx_status, (u8 *)pdesc, skb);
|
||||||
|
|
Loading…
Reference in New Issue