[PATCH AUTOSEL 4.9 20/26] brcmfmac: Fix driver crash on USB control transfer timeout

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Raveendran Somu <raveendran.somu@cypress.com>,
	Chi-hsien Lin <chi-hsien.lin@cypress.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org,
	brcm80211-dev-list.pdl@broadcom.com,
	brcm80211-dev-list@cypress.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 20/26] brcmfmac: Fix driver crash on USB control transfer timeout
Date: Sat, 11 Apr 2020 19:14:07 -0400	[thread overview]
Message-ID: <20200411231413.26911-20-sashal@kernel.org> (raw)
In-Reply-To: <20200411231413.26911-1-sashal@kernel.org>

From: Raveendran Somu <raveendran.somu@cypress.com>

[ Upstream commit 93a5bfbc7cad8bf3dea81c9bc07761c1226a0860 ]

When the control transfer gets timed out, the error status
was returned without killing that urb, this leads to using
the same urb. This issue causes the kernel crash as the same
urb is sumbitted multiple times. The fix is to kill the
urb for timeout transfer before returning error

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1585124429-97371-2-git-send-email-chi-hsien.lin@cypress.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
index 31727f34381fe..6a87681b52abf 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
@@ -336,11 +336,12 @@ static int brcmf_usb_tx_ctlpkt(struct device *dev, u8 *buf, u32 len)
 		return err;
 	}
 	timeout = brcmf_usb_ioctl_resp_wait(devinfo);
-	clear_bit(0, &devinfo->ctl_op);
 	if (!timeout) {
 		brcmf_err("Txctl wait timed out\n");
+		usb_kill_urb(devinfo->ctl_urb);
 		err = -EIO;
 	}
+	clear_bit(0, &devinfo->ctl_op);
 	return err;
 }
 
@@ -366,11 +367,12 @@ static int brcmf_usb_rx_ctlpkt(struct device *dev, u8 *buf, u32 len)
 	}
 	timeout = brcmf_usb_ioctl_resp_wait(devinfo);
 	err = devinfo->ctl_urb_status;
-	clear_bit(0, &devinfo->ctl_op);
 	if (!timeout) {
 		brcmf_err("rxctl wait timed out\n");
+		usb_kill_urb(devinfo->ctl_urb);
 		err = -EIO;
 	}
+	clear_bit(0, &devinfo->ctl_op);
 	if (!err)
 		return devinfo->ctl_urb_actual_length;
 	else
-- 
2.20.1

next prev parent reply	other threads:[~2020-04-11 23:16 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-11 23:13 [PATCH AUTOSEL 4.9 01/26] net: wan: wanxl: use allow to pass CROSS_COMPILE_M68k for rebuilding firmware Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 02/26] net: phy: probe PHY drivers synchronously Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 03/26] serial: 8250_omap: Fix sleeping function called from invalid context during probe Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 04/26] net: phy: mscc: accept all RGMII species in vsc85xx_mac_if_set Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 05/26] RDMA/cm: Add missing locking around id.state in cm_dup_req_handler Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 06/26] mwifiex: set needed_headroom, not hard_header_len Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 07/26] Bluetooth: L2CAP: handle l2cap config request during open state Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 08/26] drm/tegra: dc: Release PM and RGB output when client's registration fails Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 09/26] net/mlx5e: Init ethtool steering for representors Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 10/26] Bluetooth: Fix calculation of SCO handle for packet processing Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 11/26] Bluetooth: guard against controllers sending zero'd events Sasha Levin
2020-04-11 23:13 ` [PATCH AUTOSEL 4.9 12/26] RDMA/rxe: Fix configuration of atomic queue pair attributes Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 13/26] net: intel: e1000e: fix possible sleep-in-atomic-context bugs in e1000e_get_hw_semaphore() Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 14/26] crypto: tcrypt - fix printed skcipher [a]sync mode Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 15/26] drm/omap: fix possible object reference leak Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 16/26] audit: CONFIG_CHANGE don't log internal bookkeeping as an event Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 17/26] Bluetooth: btusb: Add support for 13d3:3548 Realtek 8822CE device Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 18/26] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 19/26] Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl Sasha Levin
2020-04-11 23:14 ` Sasha Levin [this message]
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 21/26] RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 22/26] ASoC: Intel: Skylake: Enable codec wakeup during chip init Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 23/26] dmaengine: stm32-dma: use reset controller only at probe time Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 24/26] scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 25/26] ext4: check for non-zero journal inum in ext4_calculate_overhead Sasha Levin
2020-04-11 23:14 ` [PATCH AUTOSEL 4.9 26/26] svcrdma: Fix leak of transport addresses Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:31727f34381f dfblob:6a87681b52ab )
 OR (
bs:"[PATCH AUTOSEL 4.9 20/26] brcmfmac: Fix driver crash on USB control transfer timeout" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200411231413.26911-20-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=brcm80211-dev-list.pdl@broadcom.com \
    --cc=brcm80211-dev-list@cypress.com \
    --cc=chi-hsien.lin@cypress.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=raveendran.somu@cypress.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox