Re: [PATCH 1/2] brcmfmac: fix WARNING during USB disconnect in case of unempty psq

[Kalle Valo <kvalo@codeaurora.org>]

Piotr Figiel <p.figiel@camlintechnologies.com> wrote:

> brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
> which is part of any queue. After USB disconnect this may have happened
> when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
> cleaned when removing the interface.
> Change brcmf_fws_macdesc_cleanup() in a way that it removes the
> corresponding packets from hanger table (to avoid double-free when
> brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
> interface specific packet queue.
> 
> Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
> running in AP mode. This was reproducible when the interface was
> transmitting during the disconnect and is fixed with this commit.
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
> Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
> CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
> Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
> Workqueue: usb_hub_wq hub_event
> [<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14)
> [<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c)
> [<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114)
> [<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48)
> [<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40)
> [<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c)
> [<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68)
> [<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150)
> [<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0)
> [<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c)
> [<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0)
> [<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec)
> [<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8)
> [<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308)
> [<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8)
> [<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8)
> [<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50)
> [<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8)
> [<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
> [<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
> [<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
> Exception stack(0xecf8dfb0 to 0xecf8dff8)
> dfa0:                                     00000000 00000000 00000000 00000000
> dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
> ---[ end trace 38d234018e9e2a90 ]---
> ------------[ cut here ]------------
> 
> Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>

2 patches applied to wireless-drivers-next.git, thanks.

c80d26e81ef1 brcmfmac: fix WARNING during USB disconnect in case of unempty psq
5cdb0ef6144f brcmfmac: fix NULL pointer derefence during USB disconnect

-- 
https://patchwork.kernel.org/patch/10837981/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches