* [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset
From: Rafał Miłecki @ 2019-11-18 11:53 UTC (permalink / raw)
To: Kalle Valo
Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Pieter-Paul Giesberts, Winnie Chang, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list,
Rafał Miłecki, stable
From: Rafał Miłecki <rafal@milecki.pl>
Keeping interrupts on could result in brcmfmac freeing some resources
and then IRQ handlers trying to use them. That was obviously a straight
path for crashing a kernel.
Example:
CPU0                           CPU1
----                           ----
brcmf_pcie_reset
  brcmf_pcie_bus_console_read
  brcmf_detach
    ...
    brcmf_fweh_detach
    brcmf_proto_detach
                               brcmf_pcie_isr_thread
                                 ...
                                 brcmf_proto_msgbuf_rx_trigger
                                   ...
                                   drvr->proto->pd
  brcmf_pcie_release_irq
[ 363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038
[ 363.797339] pgd = c0004000
[ 363.800050] [00000038] *pgd=00000000
[ 363.803635] Internal error: Oops: 17 [#1] SMP ARM
(...)
[ 364.029209] Backtrace:
[ 364.031725] [<bf243838>] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [<bf2471dc>] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac])
[ 364.043662] r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800
Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---
Kalle: if you are planning another pull request for 5.4 you may push
this to the wireless-drivers. Otherwise make it
wireless-drivers-next and let's have stable maintainers pick it.
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index 3184dab41a5e..f64ce5074a55 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1425,6 +1425,8 @@ static int brcmf_pcie_reset(struct device *dev)
struct brcmf_fw_request *fwreq;
int err;
+ brcmf_pcie_intr_disable(devinfo);
+
brcmf_pcie_bus_console_read(devinfo, true);
brcmf_detach(dev);
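Review bot: the new brcmf_pcie_intr_disable(devinfo) call at the top of brcmf_pcie_reset() stops further interrupts from being raised, but nothing in this hunk waits for a brcmf_pcie_isr_thread that is already running on another CPU when the reset starts. The trace in the commit message shows exactly that thread dereferencing drvr->proto->pd while brcmf_detach() tears it down, and brcmf_pcie_release_irq still comes after brcmf_detach(). Please confirm that brcmf_pcie_intr_disable() is sufficient for an in-flight threaded handler; if it only masks the device, consider a synchronize_irq() after it, or releasing the IRQ before brcmf_detach(dev). A one-line comment above the call explaining that it must precede brcmf_detach() would also keep the ordering from being undone by a later cleanup.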
--
2.21.0
* Re: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset
From: Kalle Valo @ 2019-11-19 9:26 UTC (permalink / raw)
To: Rafał Miłecki
Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Pieter-Paul Giesberts, Winnie Chang, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list,
Rafał Miłecki, stable
Rafał Miłecki <zajec5@gmail.com> writes:
> From: Rafał Miłecki <rafal@milecki.pl>
>
> Keeping interrupts on could result in brcmfmac freeing some resources
> and then IRQ handlers trying to use them. That was obviously a straight
> path for crashing a kernel.
>
> Example:
> CPU0                           CPU1
> ----                           ----
> brcmf_pcie_reset
>   brcmf_pcie_bus_console_read
>   brcmf_detach
>     ...
>     brcmf_fweh_detach
>     brcmf_proto_detach
>                                brcmf_pcie_isr_thread
>                                  ...
>                                  brcmf_proto_msgbuf_rx_trigger
>                                    ...
>                                    drvr->proto->pd
>   brcmf_pcie_release_irq
>
> [ 363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038
> [ 363.797339] pgd = c0004000
> [ 363.800050] [00000038] *pgd=00000000
> [ 363.803635] Internal error: Oops: 17 [#1] SMP ARM
> (...)
> [ 364.029209] Backtrace:
> [ 364.031725] [<bf243838>] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [<bf2471dc>] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac])
> [ 364.043662] r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800
>
> Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
> Cc: stable@vger.kernel.org # v5.2+
> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
> ---
> Kalle: if you are planning another pull request for 5.4 you may push
> this to the wireless-drivers. Otherwise make it
> wireless-drivers-next and let's have stable maintainers pick it.
Unless the sky falls down I'm not planning to submit anything for v5.4
anymore. So this has to go to -next.
--
Kalle Valo
* Re: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset
From: Kalle Valo @ 2019-11-20 7:45 UTC (permalink / raw)
To: Rafał Miłecki
Cc: Arend van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Pieter-Paul Giesberts, Winnie Chang, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list,
Rafał Miłecki, stable
Rafał Miłecki wrote:
> From: Rafał Miłecki <rafal@milecki.pl>
>
> Keeping interrupts on could result in brcmfmac freeing some resources
> and then IRQ handlers trying to use them. That was obviously a straight
> path for crashing a kernel.
>
> Example:
> CPU0                           CPU1
> ----                           ----
> brcmf_pcie_reset
>   brcmf_pcie_bus_console_read
>   brcmf_detach
>     ...
>     brcmf_fweh_detach
>     brcmf_proto_detach
>                                brcmf_pcie_isr_thread
>                                  ...
>                                  brcmf_proto_msgbuf_rx_trigger
>                                    ...
>                                    drvr->proto->pd
>   brcmf_pcie_release_irq
>
> [ 363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038
> [ 363.797339] pgd = c0004000
> [ 363.800050] [00000038] *pgd=00000000
> [ 363.803635] Internal error: Oops: 17 [#1] SMP ARM
> (...)
> [ 364.029209] Backtrace:
> [ 364.031725] [<bf243838>] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [<bf2471dc>] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac])
> [ 364.043662] r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800
>
> Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
> Cc: stable@vger.kernel.org # v5.2+
> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Patch applied to wireless-drivers-next.git, thanks.
5d26a6a6150c brcmfmac: disable PCIe interrupts before bus reset
--
https://patchwork.kernel.org/patch/11249683/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches