From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	alan@lxorguk.ukuu.org.uk,
	Larry Finger <Larry.Finger@lwfinger.net>,
	"John W. Linville" <linville@tuxdriver.com>
Subject: [ 25/52] b43legacy: Fix crash on unload when firmware not available
Date: Thu,  4 Oct 2012 14:21:16 -0700
Message-ID: <20121004210638.504184964@linuxfoundation.org>
In-Reply-To: <20121004210635.372689554@linuxfoundation.org>

3.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Larry Finger <Larry.Finger@lwfinger.net>

commit 2d838bb608e2d1f6cb4280e76748cb812dc822e7 upstream.

When b43legacy is loaded without the firmware being available, a following
unload generates a kernel NULL pointer dereference BUG as follows:

[  214.330789] BUG: unable to handle kernel NULL pointer dereference at 0000004c
[  214.330997] IP: [<c104c395>] drain_workqueue+0x15/0x170
[  214.331179] *pde = 00000000
[  214.331311] Oops: 0000 [#1] SMP
[  214.331471] Modules linked in: b43legacy(-) ssb pcmcia mac80211 cfg80211 af_packet mperf arc4 ppdev sr_mod cdrom sg shpchp yenta_socket pcmcia_rsrc pci_hotplug pcmcia_core battery parport_pc parport floppy container ac button edd autofs4 ohci_hcd ehci_hcd usbcore usb_common thermal processor scsi_dh_rdac scsi_dh_hp_sw scsi_dh_emc scsi_dh_alua scsi_dh fan thermal_sys hwmon ata_generic pata_ali libata [last unloaded: cfg80211]
[  214.333421] Pid: 3639, comm: modprobe Not tainted 3.6.0-rc6-wl+ #163 Source Technology VIC 9921/ALI Based Notebook
[  214.333580] EIP: 0060:[<c104c395>] EFLAGS: 00010246 CPU: 0
[  214.333687] EIP is at drain_workqueue+0x15/0x170
[  214.333788] EAX: c162ac40 EBX: cdfb8360 ECX: 0000002a EDX: 00002a2a
[  214.333890] ESI: 00000000 EDI: 00000000 EBP: cd767e7c ESP: cd767e5c
[  214.333957]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  214.333957] CR0: 8005003b CR2: 0000004c CR3: 0c96a000 CR4: 00000090
[  214.333957] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  214.333957] DR6: ffff0ff0 DR7: 00000400
[  214.333957] Process modprobe (pid: 3639, ti=cd766000 task=cf802e90 task.ti=cd766000)
[  214.333957] Stack:
[  214.333957]  00000292 cd767e74 c12c5e09 00000296 00000296 cdfb8360 cdfb9220 00000000
[  214.333957]  cd767e90 c104c4fd cdfb8360 cdfb9220 cd682800 cd767ea4 d0c10184 cd682800
[  214.333957]  cd767ea4 cba31064 cd767eb8 d0867908 cba31064 d087e09c cd96f034 cd767ec4
[  214.333957] Call Trace:
[  214.333957]  [<c12c5e09>] ? skb_dequeue+0x49/0x60
[  214.333957]  [<c104c4fd>] destroy_workqueue+0xd/0x150
[  214.333957]  [<d0c10184>] ieee80211_unregister_hw+0xc4/0x100 [mac80211]
[  214.333957]  [<d0867908>] b43legacy_remove+0x78/0x80 [b43legacy]
[  214.333957]  [<d083654d>] ssb_device_remove+0x1d/0x30 [ssb]
[  214.333957]  [<c126f15a>] __device_release_driver+0x5a/0xb0
[  214.333957]  [<c126fb07>] driver_detach+0x87/0x90
[  214.333957]  [<c126ef4c>] bus_remove_driver+0x6c/0xe0
[  214.333957]  [<c1270120>] driver_unregister+0x40/0x70
[  214.333957]  [<d083686b>] ssb_driver_unregister+0xb/0x10 [ssb]
[  214.333957]  [<d087c488>] b43legacy_exit+0xd/0xf [b43legacy]
[  214.333957]  [<c1089dde>] sys_delete_module+0x14e/0x2b0
[  214.333957]  [<c110a4a7>] ? vfs_write+0xf7/0x150
[  214.333957]  [<c1240050>] ? tty_write_lock+0x50/0x50
[  214.333957]  [<c110a6f8>] ? sys_write+0x38/0x70
[  214.333957]  [<c1397c55>] syscall_call+0x7/0xb
[  214.333957] Code: bc 27 00 00 00 00 a1 74 61 56 c1 55 89 e5 e8 a3 fc ff ff 5d c3 90 55 89 e5 57 56 89 c6 53 b8 40 ac 62 c1 83 ec 14 e8 bb b7 34 00 <8b> 46 4c 8d 50 01 85 c0 89 56 4c 75 03 83 0e 40 80 05 40 ac 62
[  214.333957] EIP: [<c104c395>] drain_workqueue+0x15/0x170 SS:ESP 0068:cd767e5c
[  214.333957] CR2: 000000000000004c
[  214.341110] ---[ end trace c7e90ec026d875a6 ]---
Index: wireless-testing/drivers/net/wireless/b43legacy/main.c

The problem is fixed by making certain that the ucode pointer is not NULL
before deregistering the driver in mac80211.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/b43legacy/main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/wireless/b43legacy/main.c
+++ b/drivers/net/wireless/b43legacy/main.c
@@ -3892,6 +3892,8 @@ static void b43legacy_remove(struct ssb_
 	cancel_work_sync(&wl->firmware_load);
 
 	B43legacy_WARN_ON(!wl);
+	if (!wldev->fw.ucode)
+		return;			/* NULL if fw never loaded */
 	if (wl->current_dev == wldev)
 		ieee80211_unregister_hw(wl->hw);
 
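Review bot: The early return added after B43legacy_WARN_ON(!wl) leaves b43legacy_remove() entirely when wldev->fw.ucode is NULL, so it skips not only ieee80211_unregister_hw(wl->hw), which is the call that faults in the trace, but also whatever teardown follows it in this function (not visible in this hunk). If that later code releases what probe set up, the oops is traded for a leak on every load/unload cycle without firmware. Consider narrowing the guard to the unregister call, for example "if (wldev->fw.ucode && wl->current_dev == wldev)", or say in the changelog why the rest of the remove path is safe to skip. Separately, the context line cancel_work_sync(&wl->firmware_load) already uses wl before B43legacy_WARN_ON(!wl) checks it, so the warning cannot catch a NULL wl where it sits.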


