diff mbox series

[v2] brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference

Message ID 1533649107-157808-1-git-send-email-chi-hsien.lin@cypress.com (mailing list archive)
State Changes Requested
Delegated to: Kalle Valo
Headers show
Series [v2] brcmfmac: fix brcmf_wiphy_wowl_params() NULL pointer dereference | expand

Commit Message

Chi-Hsien Lin Aug. 7, 2018, 1:38 p.m. UTC 
From: Winnie Chang <winnie.chang@cypress.com>

The kernel BUG happens when wowl is enabled from firmware. In
brcmf_wiphy_wowl_params(), cfg is a NULL pointer because it is
drvr->config returned from wiphy_to_cfg(), and drvr->config is not set
yet. To fix it, set drvr->config before brcmf_setup_wiphy() which
calls brcmf_wiphy_wowl_params().

The kernel panic is introduced in below commit:
commit id: 856d5a011c86b59f6564be4508912fb1d866adfc
brcmfmac: allocate struct brcmf_pub instance using wiphy_new()

Signed-off-by: Winnie Chang <winnie.chang@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Arend van Spriel Aug. 7, 2018, 7:33 p.m. UTC | #1 
On 8/7/2018 3:38 PM, Chi-Hsien Lin wrote:
> From: Winnie Chang <winnie.chang@cypress.com>
>
> The kernel BUG happens when wowl is enabled from firmware. In
> brcmf_wiphy_wowl_params(), cfg is a NULL pointer because it is
> drvr->config returned from wiphy_to_cfg(), and drvr->config is not set
> yet. To fix it, set drvr->config before brcmf_setup_wiphy() which
> calls brcmf_wiphy_wowl_params().
>
> The kernel panic is introduced in below commit:
> commit id: 856d5a011c86b59f6564be4508912fb1d866adfc
> brcmfmac: allocate struct brcmf_pub instance using wiphy_new()

The above info should be in Fixes: tag, but maybe Kalle is willing to 
reformat it this time.

Regards,
Arend

> Signed-off-by: Winnie Chang <winnie.chang@cypress.com>
> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
> ---
Chi-Hsien Lin Aug. 8, 2018, 2:32 a.m. UTC | #2 
On 08/08/2018 3:33, Arend van Spriel wrote:
> On 8/7/2018 3:38 PM, Chi-Hsien Lin wrote:
>> From: Winnie Chang <winnie.chang@cypress.com>
>>
>> The kernel BUG happens when wowl is enabled from firmware. In
>> brcmf_wiphy_wowl_params(), cfg is a NULL pointer because it is
>> drvr->config returned from wiphy_to_cfg(), and drvr->config is not set
>> yet. To fix it, set drvr->config before brcmf_setup_wiphy() which
>> calls brcmf_wiphy_wowl_params().
>>
>> The kernel panic is introduced in below commit:
>> commit id: 856d5a011c86b59f6564be4508912fb1d866adfc
>> brcmfmac: allocate struct brcmf_pub instance using wiphy_new()
> 
> The above info should be in Fixes: tag, but maybe Kalle is willing to
> reformat it this time.

Thanks for the note. I've fixed this and submitted v3.

> 
> Regards,
> Arend
> 
>> Signed-off-by: Winnie Chang <winnie.chang@cypress.com>
>> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
>> ---
diff mbox series

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index 24c4e18..5444e62 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -6926,15 +6926,15 @@  struct brcmf_cfg80211_info *brcmf_cfg80211_attach(struct brcmf_pub *drvr,
 	cfg->d11inf.io_type = (u8)io_type;
 	brcmu_d11_attach(&cfg->d11inf);
 
-	err = brcmf_setup_wiphy(wiphy, ifp);
-	if (err < 0)
-		goto priv_out;
-
 	/* regulatory notifer below needs access to cfg so
 	 * assign it now.
 	 */
 	drvr->config = cfg;
 
+	err = brcmf_setup_wiphy(wiphy, ifp);
+	if (err < 0)
+		goto priv_out;
+
 	brcmf_dbg(INFO, "Registering custom regulatory\n");
 	wiphy->reg_notifier = brcmf_cfg80211_reg_notifier;
 	wiphy->regulatory_flags |= REGULATORY_CUSTOM_REG;