1 From 5cdb0ef6144f47440850553579aa923c20a63f23 Mon Sep 17 00:00:00 2001
2 From: Piotr Figiel <p.figiel@camlintechnologies.com>
3 Date: Mon, 4 Mar 2019 15:42:52 +0000
4 Subject: brcmfmac: fix NULL pointer derefence during USB disconnect
5
6 From: Piotr Figiel <p.figiel@camlintechnologies.com>
7
8 commit 5cdb0ef6144f47440850553579aa923c20a63f23 upstream.
9
10 If a USB disconnect happens while the transmitting workqueue is running,
11 the underlying interface may already be gone, causing a NULL pointer
12 dereference. Add synchronization of the workqueue destruction with the
13 detach implementation in core so that the transmitting workqueue is stopped
14 during detach before the interfaces are removed.
15
16 Fix following Oops:
17
18 Unable to handle kernel NULL pointer dereference at virtual address 00000008
19 pgd = 9e6a802d
20 [00000008] *pgd=00000000
21 Internal error: Oops: 5 [#1] PREEMPT SMP ARM
22 Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle
23 xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
24 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether
25 usb_serial_simple usbserial cdc_acm brcmfmac brcmutil smsc95xx usbnet
26 ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base
27 libcomposite configfs udc_core
28 CPU: 0 PID: 7 Comm: kworker/u8:0 Not tainted 4.19.23-00076-g03740aa-dirty #102
29 Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
30 Workqueue: brcmf_fws_wq brcmf_fws_dequeue_worker [brcmfmac]
31 PC is at brcmf_txfinalize+0x34/0x90 [brcmfmac]
32 LR is at brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac]
33 pc : [<7f0dee64>] lr : [<7f0e4140>] psr: 60010093
34 sp : ee8abef0 ip : 00000000 fp : edf38000
35 r10: ffffffed r9 : edf38970 r8 : edf38004
36 r7 : edf3e970 r6 : 00000000 r5 : ede69000 r4 : 00000000
37 r3 : 00000a97 r2 : 00000000 r1 : 0000888e r0 : ede69000
38 Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
39 Control: 10c5387d Table: 7d03c04a DAC: 00000051
40 Process kworker/u8:0 (pid: 7, stack limit = 0x24ec3e04)
41 Stack: (0xee8abef0 to 0xee8ac000)
42 bee0: ede69000 00000000 ed56c3e0 7f0e4140
43 bf00: 00000001 00000000 edf38004 edf3e99c ed56c3e0 80d03d00 edfea43a edf3e970
44 bf20: ee809880 ee804200 ee971100 00000000 edf3e974 00000000 ee804200 80135a70
45 bf40: 80d03d00 ee804218 ee809880 ee809894 ee804200 80d03d00 ee804218 ee8aa000
46 bf60: 00000088 80135d5c 00000000 ee829f00 ee829dc0 00000000 ee809880 80135d30
47 bf80: ee829f1c ee873eac 00000000 8013b1a0 ee829dc0 8013b07c 00000000 00000000
48 bfa0: 00000000 00000000 00000000 801010e8 00000000 00000000 00000000 00000000
49 bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
50 bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
51 [<7f0dee64>] (brcmf_txfinalize [brcmfmac]) from [<7f0e4140>] (brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac])
52 [<7f0e4140>] (brcmf_fws_dequeue_worker [brcmfmac]) from [<80135a70>] (process_one_work+0x138/0x3f8)
53 [<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
54 [<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
55 [<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
56 Exception stack(0xee8abfb0 to 0xee8abff8)
57 bfa0: 00000000 00000000 00000000 00000000
58 bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
59 bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
60 Code: e1530001 0a000007 e3560000 e1a00005 (05942008)
61 ---[ end trace 079239dd31c86e90 ]---
62
63 Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
64 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
65 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
66
67 ---
68 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 11 ++++++--
69 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h | 6 +++-
70 drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 4 ++-
71 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 16 +++++++++---
72 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h | 3 +-
73 drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c | 10 ++++++-
74 drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h | 3 +-
75 7 files changed, 40 insertions(+), 13 deletions(-)
76
77 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
78 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
79 @@ -490,11 +490,18 @@ fail:
80 return -ENOMEM;
81 }
82
83 -void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr)
84 +void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr)
85 +{
86 + struct brcmf_bcdc *bcdc = drvr->proto->pd;
87 +
88 + brcmf_fws_detach_pre_delif(bcdc->fws);
89 +}
90 +
91 +void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr)
92 {
93 struct brcmf_bcdc *bcdc = drvr->proto->pd;
94
95 drvr->proto->pd = NULL;
96 - brcmf_fws_detach(bcdc->fws);
97 + brcmf_fws_detach_post_delif(bcdc->fws);
98 kfree(bcdc);
99 }
100 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
101 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
102 @@ -18,14 +18,16 @@
103
104 #ifdef CONFIG_BRCMFMAC_PROTO_BCDC
105 int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr);
106 -void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr);
107 +void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr);
108 +void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr);
109 void brcmf_proto_bcdc_txflowblock(struct device *dev, bool state);
110 void brcmf_proto_bcdc_txcomplete(struct device *dev, struct sk_buff *txp,
111 bool success);
112 struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr);
113 #else
114 static inline int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr) { return 0; }
115 -static inline void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) {}
116 +static void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {};
117 +static inline void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) {}
118 #endif
119
120 #endif /* BRCMFMAC_BCDC_H */
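Review bot: The `#else` stub for brcmf_proto_bcdc_detach_pre_delif is written `static void ... {};`, so it lacks `inline` and carries a stray semicolon after the body, unlike the post_delif stub on the next line. With CONFIG_BRCMFMAC_PROTO_BCDC disabled, every file that includes bcdc.h then gets its own non-inline static definition, which is likely to raise an unused-function warning depending on the warning flags in use. It should read `static inline void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {}`.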
121 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
122 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
123 @@ -1244,6 +1244,8 @@ void brcmf_detach(struct device *dev)
124
125 brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
126
127 + brcmf_proto_detach_pre_delif(drvr);
128 +
129 /* make sure primary interface removed last */
130 for (i = BRCMF_MAX_IFS-1; i > -1; i--)
131 brcmf_remove_interface(drvr->iflist[i], false);
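Review bot: The new `brcmf_proto_detach_pre_delif(drvr);` call has no comment saying why it must come before the interface-removal loop, so a later cleanup could move it back beside the post_delif call and reintroduce the NULL dereference described in the commit message. A line such as `/* stop the fws dequeue worker before the interfaces it uses are removed */` above the call would record the ordering constraint. brcmf_detach starts and ends outside this hunk, and the matching post_delif rename is in the following hunk.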
132 @@ -1253,7 +1255,7 @@ void brcmf_detach(struct device *dev)
133
134 brcmf_bus_stop(drvr->bus_if);
135
136 - brcmf_proto_detach(drvr);
137 + brcmf_proto_detach_post_delif(drvr);
138
139 bus_if->drvr = NULL;
140 wiphy_free(drvr->wiphy);
141 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
142 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
143 @@ -2410,17 +2410,25 @@ struct brcmf_fws_info *brcmf_fws_attach(
144 return fws;
145
146 fail:
147 - brcmf_fws_detach(fws);
148 + brcmf_fws_detach_pre_delif(fws);
149 + brcmf_fws_detach_post_delif(fws);
150 return ERR_PTR(rc);
151 }
152
153 -void brcmf_fws_detach(struct brcmf_fws_info *fws)
154 +void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws)
155 {
156 if (!fws)
157 return;
158 -
159 - if (fws->fws_wq)
160 + if (fws->fws_wq) {
161 destroy_workqueue(fws->fws_wq);
162 + fws->fws_wq = NULL;
163 + }
164 +}
165 +
166 +void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws)
167 +{
168 + if (!fws)
169 + return;
170
171 /* cleanup */
172 brcmf_fws_lock(fws);
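Review bot: After brcmf_fws_detach_pre_delif sets `fws->fws_wq = NULL`, any producer that still calls `queue_work()` on that field would pass a NULL workqueue, and this hunk adds no guard against that. The code that queues the dequeue work is outside the hunk, so this is inferred rather than shown. If a transmit or credit-update path can run between pre_delif and interface removal, it needs a check such as `if (!fws->fws_wq) return;` ahead of the `queue_work()` call, or a documented guarantee that the earlier bus-down state change already blocks it. brcmf_fws_detach_post_delif continues past the end of the hunk.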
173 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
174 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
175 @@ -19,7 +19,8 @@
176 #define FWSIGNAL_H_
177
178 struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr);
179 -void brcmf_fws_detach(struct brcmf_fws_info *fws);
180 +void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws);
181 +void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws);
182 void brcmf_fws_debugfs_create(struct brcmf_pub *drvr);
183 bool brcmf_fws_queue_skbs(struct brcmf_fws_info *fws);
184 bool brcmf_fws_fc_active(struct brcmf_fws_info *fws);
185 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
186 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
187 @@ -67,16 +67,22 @@ fail:
188 return -ENOMEM;
189 }
190
191 -void brcmf_proto_detach(struct brcmf_pub *drvr)
192 +void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr)
193 {
194 brcmf_dbg(TRACE, "Enter\n");
195
196 if (drvr->proto) {
197 if (drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
198 - brcmf_proto_bcdc_detach(drvr);
199 + brcmf_proto_bcdc_detach_post_delif(drvr);
200 else if (drvr->bus_if->proto_type == BRCMF_PROTO_MSGBUF)
201 brcmf_proto_msgbuf_detach(drvr);
202 kfree(drvr->proto);
203 drvr->proto = NULL;
204 }
205 }
206 +
207 +void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr)
208 +{
209 + if (drvr->proto && drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
210 + brcmf_proto_bcdc_detach_pre_delif(drvr);
211 +}
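Review bot: brcmf_proto_detach_pre_delif is a silent no-op for every protocol type other than BCDC and, unlike brcmf_proto_detach_post_delif above it, does not emit `brcmf_dbg(TRACE, "Enter\n");`, which makes the two-step detach harder to follow in a debug trace. Adding the trace line would help, along with a short comment saying that only BCDC has work to stop before interface removal. That reason is inferred from the absence of a msgbuf counterpart here and should be confirmed. The function is also defined after the post variant although it runs first, so placing it above would match call order.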
212 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
213 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
214 @@ -54,7 +54,8 @@ struct brcmf_proto {
215
216
217 int brcmf_proto_attach(struct brcmf_pub *drvr);
218 -void brcmf_proto_detach(struct brcmf_pub *drvr);
219 +void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr);
220 +void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr);
221
222 static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws,
223 struct sk_buff *skb,