github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-12 08:43:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
e29aba14e8
linux/drivers
History
Piotr Figiel e29aba14e8 brcmfmac: fix Oops when bringing up interface during USB disconnect 
[ Upstream commit 24d413a31a ]

Fix a race which leads to an Oops with NULL pointer dereference.  The
dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
net_device structure of interface with index 0 via if2bss mapping. This
shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
but it's not synchronised with USB disconnect and there is a race: after
the check the bus can be marked down and the mapping for interface 0 may be
gone.

Solve this by modifying disconnect handling so that the removal of mapping
of ifidx to brcmf_if structure happens after netdev removal (which is
synchronous with brcmf_netdev_open() thanks to rtln being locked in
devinet_ioctl()). This assures brcmf_netdev_open() returns before the
mapping is removed during disconnect.

Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = bcae2612
[00000008] *pgd=8be73831
Internal error: Oops: 17 [#1] PREEMPT SMP ARM
Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
udc_core [last unloaded: brcmutil]
CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
pc : [<7f26a91c>]    lr : [<7f26a914>]    psr: a0070013
sp : eca99d28  ip : 00000000  fp : ee9c6c00
r10: 00000036  r9 : 00000000  r8 : ece4002c
r7 : edb5b800  r6 : 00000000  r5 : 80f08448  r4 : edb5b968
r3 : ffffffff  r2 : 00000000  r1 : 00000002  r0 : 00000000
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 7ca0c04a  DAC: 00000051
Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
Stack: (0xeca99d28 to 0xeca9a000)
9d20:                   00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
Exception stack(0xeca99fa8 to 0xeca99ff0)
9fa0:                   00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
---[ end trace 5cbac2333f3ac5df ]---

Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-31 06:46:26 -07:00
..
accessibility
acpi ACPI/IORT: Reject platform device creation on NUMA node mapping failure 2019-05-31 06:46:21 -07:00
amba
android binder: fix handling of misaligned binder object 2019-05-02 09:58:56 +02:00
ata libata: fix using DMA buffers on stack 2019-05-04 09:20:21 +02:00
atm atm: he: fix sign-extension overflow on large shift 2019-02-27 10:08:57 +01:00
auxdisplay auxdisplay: hd44780: Fix memory leak on ->remove() 2019-04-20 09:15:55 +02:00
base PM / core: Propagate dev->power.wakeup_path when no callbacks 2019-05-31 06:46:23 -07:00
bcma
block brd: re-enable __GFP_HIGHMEM in brd_insert_page() 2019-05-25 18:23:24 +02:00
bluetooth Bluetooth: hci_qca: Give enough time to ROME controller to bootup. 2019-05-31 06:46:16 -07:00
bus
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-05 22:33:10 +02:00
char random: add a spinlock_t to struct batched_entropy 2019-05-31 06:46:19 -07:00
clk clk: rockchip: Make rkpwm a critical clock on rk3288 2019-05-31 06:46:23 -07:00
clocksource clocksource/drivers/oxnas: Fix OX820 compatible 2019-05-16 19:41:21 +02:00
connector connector: fix unsafe usage of ->real_parent 2019-03-19 13:12:38 +01:00
cpufreq cpufreq: kirkwood: fix possible object reference leak 2019-05-31 06:46:24 -07:00
cpuidle cpuidle: big.LITTLE: fix refcount leak 2019-02-12 19:47:08 +01:00
crypto crypto: sun4i-ss - Fix invalid calculation of hash end 2019-05-31 06:46:15 -07:00
dax mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses 2019-05-22 07:37:40 +02:00
dca
devfreq
dio
dma dmaengine: at_xdmac: remove BUG_ON macro in tasklet 2019-05-31 06:46:17 -07:00
dma-buf
edac x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-05-31 06:46:23 -07:00
firewire
firmware efi: Fix debugobjects warning on 'efi_rts_work' 2019-05-08 07:21:44 +02:00
fmc
fpga fpga: altera-cvp: fix 'bad IO access' on x86_64 2019-02-12 19:46:59 +01:00
fsi fsi: master-ast-cf: select GENERIC_ALLOCATOR 2018-12-17 09:24:35 +01:00
gnss gnss: sirf: fix premature wakeup interrupt enable 2019-03-10 07:17:21 +01:00
gpio gpio: mxc: add check to return defer probe if clock tree NOT ready 2019-05-08 07:21:53 +02:00
gpu drm/pl111: fix possible object reference leak 2019-05-31 06:46:24 -07:00
hid HID: logitech-hidpp: use RAP instead of FAP to get the protocol version 2019-05-31 06:46:16 -07:00
hsi
hv Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup() 2019-05-10 17:54:04 +02:00
hwmon hwmon: (f71805f) Use request_muxed_region for Super-IO accesses 2019-05-31 06:46:22 -07:00
hwspinlock
hwtracing intel_th: msu: Fix single mode with IOMMU 2019-05-25 18:23:26 +02:00
i2c i2c: i2c-stm32f7: Fix SDADEL minimum formula 2019-05-08 07:21:55 +02:00
ide ide: fix a typo in the settings proc file name 2019-01-31 08:14:42 +01:00
idle x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
iio iio: adc: ti-ads7950: Fix improper use of mlock 2019-05-31 06:46:25 -07:00
infiniband RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure 2019-05-31 06:46:21 -07:00
input Input: synaptics-rmi4 - fix possible double free 2019-05-16 19:41:25 +02:00
iommu iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 2019-05-25 18:23:30 +02:00
ipack
irqchip MIPS: perf: ath79: Fix perfcount IRQ assignment 2019-05-16 19:41:24 +02:00
isdn isdn: bas_gigaset: use usb_fill_int_urb() properly 2019-05-16 19:41:31 +02:00
leds leds: trigger: netdev: use memcpy in device_name_store 2019-05-04 09:20:22 +02:00
lightnvm lightnvm: pblk: add lock protection to list operations 2019-02-12 19:47:08 +01:00
macintosh
mailbox mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue 2019-03-23 20:09:49 +01:00
mcb
md bcache: avoid clang -Wunintialized warning 2019-05-31 06:46:15 -07:00
media media: pvrusb2: Prevent a buffer overflow 2019-05-31 06:46:18 -07:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-05-25 18:23:32 +02:00
memstick memstick: Prevent memstick host from getting runtime suspended during card detection 2019-02-12 19:47:10 +01:00
message
mfd mfd: twl-core: Disable IRQ while suspended 2019-05-08 07:21:48 +02:00
misc lkdtm: Add tests for NULL pointer dereference 2019-04-20 09:16:04 +02:00
mmc mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support 2019-05-31 06:46:23 -07:00
mtd mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write 2019-05-22 07:37:41 +02:00
mux
net brcmfmac: fix Oops when bringing up interface during USB disconnect 2019-05-31 06:46:26 -07:00
nfc spi: ST ST95HF NFC: declare missing of table 2019-05-16 19:41:25 +02:00
ntb
nubus
nvdimm libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead 2019-05-31 06:46:01 -07:00
nvme nvme-rdma: fix a NULL deref when an admin connect times out 2019-05-31 06:46:15 -07:00
nvmem
of of: overlay: do not duplicate properties from overlay for new nodes 2019-02-06 17:30:16 +01:00
opp OPP: Use opp_table->regulators to verify no regulator case 2019-02-12 19:47:08 +01:00
oprofile
parisc parisc: Skip registering LED when running in QEMU 2019-05-25 18:23:23 +02:00
parport parport_pc: fix find_superio io compare code, should use equal test. 2019-03-23 20:10:05 +01:00
pci PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored 2019-05-25 18:23:43 +02:00
pcmcia
perf perf/arm-cci: Remove broken race mitigation 2019-05-31 06:46:17 -07:00
phy phy: mapphone-mdm6600: add gpiolib dependency 2019-05-31 06:46:20 -07:00
pinctrl pinctrl: samsung: fix leaked of_node references 2019-05-31 06:46:17 -07:00
platform platform/x86: dell-laptop: fix rfkill functionality 2019-05-16 19:41:18 +02:00
pnp
power power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG 2019-05-25 18:23:44 +02:00
powercap x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
pps
ps3
ptp ptp: Fix pass zero to ERR_PTR() in ptp_clock_register 2019-02-12 19:47:01 +01:00
pwm
rapidio
ras
regulator regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting 2019-04-05 22:33:15 +02:00
remoteproc
reset reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev 2019-05-08 07:21:47 +02:00
rpmsg
rtc rtc: stm32: manage the get_irq probe defer case 2019-05-31 06:46:13 -07:00
s390 s390: cio: fix cio_irb declaration 2019-05-31 06:46:24 -07:00
sbus drivers/sbus/char: add of_node_put() 2018-12-21 14:15:17 +01:00
scsi scsi: libsas: Do discovery on empty PHY to update PHY info 2019-05-31 06:46:22 -07:00
sfi
sh
siox
slimbus slimbus: fix a potential NULL pointer dereference in of_qcom_slim_ngd_register 2019-05-31 06:46:14 -07:00
sn
soc soc: sunxi: Fix missing dependency on REGMAP_MMIO 2019-05-10 17:54:10 +02:00
soundwire
spi spi: pxa2xx: fix SCR (divisor) calculation 2019-05-31 06:46:11 -07:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-05-31 06:46:04 -07:00
staging staging: vc04_services: handle kzalloc failure 2019-05-31 06:46:19 -07:00
target scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock 2019-03-23 20:09:59 +01:00
tc
tee tee: optee: avoid possible double list_del() 2019-02-12 19:47:08 +01:00
thermal x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
thunderbolt thunderbolt: Take domain lock in switch sysfs attribute callbacks 2019-05-31 06:46:20 -07:00
tty tty: Don't force RISCV SBI console as preferred console 2019-05-22 07:37:43 +02:00
uio
usb USB: core: Don't unbind interfaces following device reset failure 2019-05-31 06:46:20 -07:00
uwb
vfio vfio/pci: use correct format characters 2019-05-08 07:21:49 +02:00
vhost vhost: reject zero size iova range 2019-04-27 09:36:31 +02:00
video fbdev: fix WARNING in __alloc_pages_nodemask bug 2019-05-31 06:46:04 -07:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:41:31 +02:00
virtio virtio_pci: fix a NULL pointer reference in vp_del_vqs 2019-05-10 17:54:08 +02:00
visorbus
vlynq
vme
w1 w1: fix the resume command API 2019-05-31 06:46:14 -07:00
watchdog watchdog: mt7621_wdt/rt2880_wdt: Fix compilation problem 2019-02-27 10:08:52 +01:00
xen fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock 2019-05-08 07:21:51 +02:00
zorro
Kconfig
Makefile