From patchwork Wed Aug 26 20:14:56 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arend van Spriel X-Patchwork-Id: 7079931 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 05A10BEEC1 for ; Wed, 26 Aug 2015 20:15:33 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 17675207FF for ; Wed, 26 Aug 2015 20:15:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EB0D120715 for ; Wed, 26 Aug 2015 20:15:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756560AbbHZUPW (ORCPT ); Wed, 26 Aug 2015 16:15:22 -0400 Received: from mail-gw1-out.broadcom.com ([216.31.210.62]:39009 "EHLO mail-gw1-out.broadcom.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752110AbbHZUPS (ORCPT ); Wed, 26 Aug 2015 16:15:18 -0400 X-IronPort-AV: E=Sophos;i="5.17,418,1437462000"; d="scan'208";a="73564631" Received: from irvexchcas08.broadcom.com (HELO IRVEXCHCAS08.corp.ad.broadcom.com) ([10.9.208.57]) by mail-gw1-out.broadcom.com with ESMTP; 26 Aug 2015 14:43:28 -0700 Received: from IRVEXCHSMTP1.corp.ad.broadcom.com (10.9.207.51) by IRVEXCHCAS08.corp.ad.broadcom.com (10.9.208.57) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 26 Aug 2015 13:15:17 -0700 Received: from mail-irva-13.broadcom.com (10.10.10.20) by IRVEXCHSMTP1.corp.ad.broadcom.com (10.9.207.51) with Microsoft SMTP Server id 14.3.235.1; Wed, 26 Aug 2015 13:15:17 -0700 Received: from bld-bun-01.bun.broadcom.com (unknown [10.176.128.83]) by mail-irva-13.broadcom.com (Postfix) with ESMTP id DC9404109F; Wed, 26 Aug 2015 13:12:39 -0700 (PDT) Received: by bld-bun-01.bun.broadcom.com (Postfix, from userid 25152) id DADFCB02B78; Wed, 26 Aug 2015 22:15:05 +0200 (CEST) From: Arend van Spriel To: Kalle Valo CC: linux-wireless , Arend van Spriel Subject: [PATCH 04/12] brcmfmac: only call brcmf_cfg80211_detach() when attach was successful Date: Wed, 26 Aug 2015 22:14:56 +0200 Message-ID: <1440620104-2715-5-git-send-email-arend@broadcom.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1440620104-2715-1-git-send-email-arend@broadcom.com> References: <1440620104-2715-1-git-send-email-arend@broadcom.com> MIME-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In brcmf_bus_start() the function brcmf_cfg80211_attach() is called which may fail. If this happens we should not call brcmf_cfg80211_detach() in the failure path as it will result in NULL pointer dereference: brcmf_fweh_activate_events: Set event_msgs error (-5) brcmf_bus_start: failed: -5 brcmf_sdio_firmware_callback: dongle is not responding BUG: unable to handle kernel NULL pointer dereference at 0000000000000068 IP: [] kernfs_find_ns+0x18/0xd0 PGD 0 Oops: 0000 [#1] SMP Modules linked in: brcmfmac(O) brcmutil(O) cfg80211 auth_rpcgss CPU: 1 PID: 45 Comm: kworker/1:1 Tainted: G O Hardware name: Dell Inc. Latitude E6410/07XJP9, BIOS A07 02/15/2011 Workqueue: events request_firmware_work_func task: ffff880036c09ac0 ti: ffff880036dd4000 task.ti: ffff880036dd4000 RIP: 0010:[] [] kernfs_find_ns+0x18/0xd0 RSP: 0018:ffff880036dd7a28 EFLAGS: 00010246 RAX: ffff880036c09ac0 RBX: 0000000000000000 RCX: 000000007fffffff RDX: 0000000000000000 RSI: ffffffff816578b9 RDI: 0000000000000000 RBP: ffff880036dd7a48 R08: 0000000000000000 R09: ffff880036c0b340 R10: 00000000000002ec R11: ffff880036dd7b08 R12: ffffffff816578b9 R13: 0000000000000000 R14: ffffffff816578b9 R15: ffff8800c6c87000 FS: 0000000000000000(0000) GS:ffff88012bc40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000068 CR3: 0000000001a0b000 CR4: 00000000000006e0 Stack: 0000000000000000 ffffffff816578b9 0000000000000000 ffff8800c0d003c8 ffff880036dd7a78 ffffffff811e8ff5 0000000ffffffff1 ffffffff81a9b060 ffff8800c789f880 ffff8800c0d00000 ffff880036dd7a98 ffffffff811ebe0d Call Trace: [] kernfs_find_and_get_ns+0x35/0x60 [] sysfs_unmerge_group+0x1d/0x60 [] dpm_sysfs_remove+0x22/0x60 [] device_del+0x49/0x240 [] rfkill_unregister+0x58/0xc0 [] wiphy_unregister+0xab/0x2f0 [cfg80211] [] brcmf_cfg80211_detach+0x23/0x50 [brcmfmac] [] brcmf_detach+0x86/0xe0 [brcmfmac] [] brcmf_sdio_remove+0x48/0x120 [brcmfmac] [] brcmf_sdiod_remove+0x29/0xd0 [brcmfmac] [] brcmf_ops_sdio_remove+0xb1/0x110 [brcmfmac] [] sdio_bus_remove+0x37/0x100 [mmc_core] [] __device_release_driver+0x96/0x130 [] device_release_driver+0x23/0x30 [] brcmf_sdio_firmware_callback+0x2a8/0x5d0 [brcmfmac] [] brcmf_fw_request_nvram_done+0x15f/0x5e0 [brcmfmac] [] ? devres_add+0x3f/0x50 [] ? usermodehelper_read_unlock+0x15/0x20 [] ? platform_match+0x70/0xa0 [] request_firmware_work_func+0x30/0x60 [] process_one_work+0x14c/0x3d0 [] worker_thread+0x11a/0x450 [] ? process_one_work+0x3d0/0x3d0 [] kthread+0xd2/0xf0 [] ? kthread_create_on_node+0x180/0x180 [] ret_from_fork+0x3f/0x70 [] ? kthread_create_on_node+0x180/0x180 Code: e9 40 fe ff ff 48 89 d8 eb 87 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 56 49 89 f6 41 55 49 89 d5 31 d2 41 54 53 <0f> b7 47 68 48 8b 5f 48 66 c1 e8 05 83 e0 01 4d 85 ed 0f b6 c8 RIP [] kernfs_find_ns+0x18/0xd0 RSP CR2: 0000000000000068 ---[ end trace 87d6ec0d3fe46740 ]--- Reported-by: Daniel (Deognyoun) Kim Reviewed-by: Hante Meuleman Reviewed-by: Franky (Zhenhui) Lin Reviewed-by: Pieter-Paul Giesberts Signed-off-by: Arend van Spriel --- drivers/net/wireless/brcm80211/brcmfmac/core.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/core.c b/drivers/net/wireless/brcm80211/brcmfmac/core.c index 157f0d7..126081a 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c @@ -1049,7 +1049,10 @@ int brcmf_bus_start(struct device *dev) fail: if (ret < 0) { brcmf_err("failed: %d\n", ret); - brcmf_cfg80211_detach(drvr->config); + if (drvr->config) { + brcmf_cfg80211_detach(drvr->config); + drvr->config = NULL; + } if (drvr->fws) { brcmf_fws_del_interface(ifp); brcmf_fws_deinit(drvr);