[PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails

public inbox for linux-wireless@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails
       [not found] <CGME20251231143556eucas1p141b278048039730d03edf85c6f3e5350@eucas1p1.samsung.com>
@ 2025-12-31 14:35 ` Marek Szyprowski
  2026-01-14 13:45   ` Arend van Spriel
  0 siblings, 1 reply; 5+ messages in thread
From: Marek Szyprowski @ 2025-12-31 14:35 UTC (permalink / raw)
  To: linux-wireless, brcm80211, brcm80211-dev-list.pdl
  Cc: Marek Szyprowski, Arend van Spriel

When probe of the sdio brcmfmac device fails for some reasons (i.e.
missing firmware), the sdiodev->bus is set to error instead of NULL, thus
the cleanup later in brcmf_sdio_remove() tries to free resources via
invalid bus pointer. Fix this.

Fixes: 0ff0843310b7 ("wifi: brcmfmac: Add optional lpo clock enable support")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
index 6a3f187320fc..6615748fa5bb 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
@@ -954,6 +954,7 @@ int brcmf_sdiod_probe(struct brcmf_sdio_dev *sdiodev)
 	sdiodev->bus = brcmf_sdio_probe(sdiodev);
 	if (IS_ERR(sdiodev->bus)) {
 		ret = PTR_ERR(sdiodev->bus);
+		sdiodev->bus = NULL;
 		goto out;
 	}
 	brcmf_sdiod_host_fixup(sdiodev->func2->card->host);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails
  2025-12-31 14:35 ` [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails Marek Szyprowski
@ 2026-01-14 13:45   ` Arend van Spriel
  2026-01-14 23:16     ` Marek Szyprowski
  0 siblings, 1 reply; 5+ messages in thread
From: Arend van Spriel @ 2026-01-14 13:45 UTC (permalink / raw)
  To: Marek Szyprowski, linux-wireless, brcm80211,
	brcm80211-dev-list.pdl

On 12/31/2025 3:35 PM, Marek Szyprowski wrote:
> When probe of the sdio brcmfmac device fails for some reasons (i.e.
> missing firmware), the sdiodev->bus is set to error instead of NULL, thus
> the cleanup later in brcmf_sdio_remove() tries to free resources via
> invalid bus pointer. Fix this.

Hi Marek,

Thanks for the fix. Please consider my suggestion below...

> Fixes: 0ff0843310b7 ("wifi: brcmfmac: Add optional lpo clock enable support")
> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
> ---
>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
> index 6a3f187320fc..6615748fa5bb 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
> @@ -954,6 +954,7 @@ int brcmf_sdiod_probe(struct brcmf_sdio_dev *sdiodev)

Maybe use a local variable bus and assign it only on success:

>   	bus = brcmf_sdio_probe(sdiodev);
>   	if (IS_ERR(bus)) {
>   		ret = PTR_ERR(bus);
>   		goto out;
>   	}
> +	sdiodev->bus = bus;
>   	brcmf_sdiod_host_fixup(sdiodev->func2->card->host);

Regards,
Arend

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails
  2026-01-14 13:45   ` Arend van Spriel
@ 2026-01-14 23:16     ` Marek Szyprowski
  2026-02-02 18:31       ` Arend van Spriel
  0 siblings, 1 reply; 5+ messages in thread
From: Marek Szyprowski @ 2026-01-14 23:16 UTC (permalink / raw)
  To: Arend van Spriel, linux-wireless, brcm80211,
	brcm80211-dev-list.pdl

On 14.01.2026 14:45, Arend van Spriel wrote:
> On 12/31/2025 3:35 PM, Marek Szyprowski wrote:
>> When probe of the sdio brcmfmac device fails for some reasons (i.e.
>> missing firmware), the sdiodev->bus is set to error instead of NULL, 
>> thus
>> the cleanup later in brcmf_sdio_remove() tries to free resources via
>> invalid bus pointer. Fix this.
>
> Hi Marek,
>
> Thanks for the fix. Please consider my suggestion below...
>
>> Fixes: 0ff0843310b7 ("wifi: brcmfmac: Add optional lpo clock enable 
>> support")
>> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
>> ---
>>   drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git 
>> a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c 
>> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>> index 6a3f187320fc..6615748fa5bb 100644
>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>> @@ -954,6 +954,7 @@ int brcmf_sdiod_probe(struct brcmf_sdio_dev 
>> *sdiodev)
>
> Maybe use a local variable bus and assign it only on success:
>
>>       bus = brcmf_sdio_probe(sdiodev);
>>       if (IS_ERR(bus)) {
>>           ret = PTR_ERR(bus);
>>           goto out;
>>       }
>> +    sdiodev->bus = bus;
>> brcmf_sdiod_host_fixup(sdiodev->func2->card->host);
>
Well, that would look much better, but sdiodev->bus is also assigned 
inside brcmf_sdio_probe() and I didn't check if this is required by the 
functions called there or not. Maybe brcmf_sdio_probe() should simply 
return error code to make things easier to track?


Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails
  2026-01-14 23:16     ` Marek Szyprowski
@ 2026-02-02 18:31       ` Arend van Spriel
  2026-02-03  6:24         ` Arend van Spriel
  0 siblings, 1 reply; 5+ messages in thread
From: Arend van Spriel @ 2026-02-02 18:31 UTC (permalink / raw)
  To: Marek Szyprowski, linux-wireless, brcm80211,
	brcm80211-dev-list.pdl

Op 15 januari 2026 00:16:31 schreef Marek Szyprowski 
<m.szyprowski@samsung.com>:

> On 14.01.2026 14:45, Arend van Spriel wrote:
>> On 12/31/2025 3:35 PM, Marek Szyprowski wrote:
>>> When probe of the sdio brcmfmac device fails for some reasons (i.e.
>>> missing firmware), the sdiodev->bus is set to error instead of NULL,
>>> thus
>>> the cleanup later in brcmf_sdio_remove() tries to free resources via
>>> invalid bus pointer. Fix this.
>>
>> Hi Marek,
>>
>> Thanks for the fix. Please consider my suggestion below...
>>
>>> Fixes: 0ff0843310b7 ("wifi: brcmfmac: Add optional lpo clock enable
>>> support")
>>> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
>>> ---
>>>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
>>>  1 file changed, 1 insertion(+)
>>>
>>> diff --git
>>> a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>> index 6a3f187320fc..6615748fa5bb 100644
>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>> @@ -954,6 +954,7 @@ int brcmf_sdiod_probe(struct brcmf_sdio_dev
>>> *sdiodev)
>>
>> Maybe use a local variable bus and assign it only on success:
>>
>>>      bus = brcmf_sdio_probe(sdiodev);
>>>      if (IS_ERR(bus)) {
>>>          ret = PTR_ERR(bus);
>>>          goto out;
>>>      }
>>> +    sdiodev->bus = bus;
>>> brcmf_sdiod_host_fixup(sdiodev->func2->card->host);
> Well, that would look much better, but sdiodev->bus is also assigned
> inside brcmf_sdio_probe() and I didn't check if this is required by the
> functions called there or not. Maybe brcmf_sdio_probe() should simply
> return error code to make things easier to track?

Sorry for the late response. Indeed the bus instance is allocated and 
assigned to sdiodev. So that is something the caller needs to repeat. So 
changing the return type of brcmf_sdio_probe() makes sense. The only thing 
that should be taken care of in the failure path of brcmf_sdio_probe() is 
to set sdiodev->bus to NULL after calling brcmf_sdio_remove().

Regards,
Arend



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails
  2026-02-02 18:31       ` Arend van Spriel
@ 2026-02-03  6:24         ` Arend van Spriel
  0 siblings, 0 replies; 5+ messages in thread
From: Arend van Spriel @ 2026-02-03  6:24 UTC (permalink / raw)
  To: Marek Szyprowski, linux-wireless, brcm80211,
	brcm80211-dev-list.pdl

Op 2 februari 2026 19:31:17 schreef Arend van Spriel 
<arend.vanspriel@broadcom.com>:

> Op 15 januari 2026 00:16:31 schreef Marek Szyprowski 
> <m.szyprowski@samsung.com>:
>
>> On 14.01.2026 14:45, Arend van Spriel wrote:
>>> On 12/31/2025 3:35 PM, Marek Szyprowski wrote:
>>>> When probe of the sdio brcmfmac device fails for some reasons (i.e.
>>>> missing firmware), the sdiodev->bus is set to error instead of NULL,
>>>> thus
>>>> the cleanup later in brcmf_sdio_remove() tries to free resources via
>>>> invalid bus pointer. Fix this.
>>>
>>> Hi Marek,
>>>
>>> Thanks for the fix. Please consider my suggestion below...
>>>
>>>> Fixes: 0ff0843310b7 ("wifi: brcmfmac: Add optional lpo clock enable
>>>> support")
>>>> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
>>>> ---
>>>> drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 1 +
>>>> 1 file changed, 1 insertion(+)
>>>>
>>>> diff --git
>>>> a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>>> b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>>> index 6a3f187320fc..6615748fa5bb 100644
>>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
>>>> @@ -954,6 +954,7 @@ int brcmf_sdiod_probe(struct brcmf_sdio_dev
>>>> *sdiodev)
>>>
>>> Maybe use a local variable bus and assign it only on success:
>>>
>>>> bus = brcmf_sdio_probe(sdiodev);
>>>> if (IS_ERR(bus)) {
>>>>   ret = PTR_ERR(bus);
>>>>   goto out;
>>>> }
>>>> +    sdiodev->bus = bus;
>>>> brcmf_sdiod_host_fixup(sdiodev->func2->card->host);
>> Well, that would look much better, but sdiodev->bus is also assigned
>> inside brcmf_sdio_probe() and I didn't check if this is required by the
>> functions called there or not. Maybe brcmf_sdio_probe() should simply
>> return error code to make things easier to track?

Correcting some typos here...

>>
> Sorry for the late response. Indeed the bus instance is allocated and 
> assigned to sdiodev

...in brcmf_sdio_probe.

> So that is

*NOT*

> something the caller needs to repeat. So changing the return type of 
> brcmf_sdio_probe() makes sense. The only thing that should be taken care of 
> in the failure path of brcmf_sdio_probe() is to set sdiodev->bus to NULL 
> after calling brcmf_sdio_remove().

Regards,
Arend



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-02-03  6:24 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CGME20251231143556eucas1p141b278048039730d03edf85c6f3e5350@eucas1p1.samsung.com>
2025-12-31 14:35 ` [PATCH] wifi: brcmfmac: Fix potential kernel oops when probe fails Marek Szyprowski
2026-01-14 13:45   ` Arend van Spriel
2026-01-14 23:16     ` Marek Szyprowski
2026-02-02 18:31       ` Arend van Spriel
2026-02-03  6:24         ` Arend van Spriel

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox