[PATCH] Fix kernel oops in failed chip_attach

[PATCH] Fix kernel oops in failed chip_attach

[Christian Daudt]

When chip attach fails, brcmf_sdiod_intr_unregister is being called
but that is too early as sdiodev->settings has not been set yet
nor has brcmf_sdiod_intr_register been called.
Change to use oob_irq_requested + newly created sd_irq_requested
to decide on what to unregister at intr_unregister time.

Steps to reproduce problem:
- modprobe brcmfmac using buggy FW
- rmmod brcmfmac
- modprobe brcmfmac again.

If done with a buggy firmware, brcm_chip_attach will fail on the
2nd modprobe triggering the call to intr_unregister and the
kernel oops when attempting to de-reference sdiodev->settings->bus.sdio
which has not yet been set.

Signed-off-by: Christian Daudt <csd@broadcom.com>
---
 .../wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c  | 30 ++++++++++++----------
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.h    |  1 +
 2 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
index da0cdd3..09635a9 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
@@ -166,6 +166,7 @@ int brcmf_sdiod_intr_register(struct brcmf_sdio_dev *sdiodev)
 		sdio_claim_irq(sdiodev->func[1], brcmf_sdiod_ib_irqhandler);
 		sdio_claim_irq(sdiodev->func[2], brcmf_sdiod_dummy_irqhandler);
 		sdio_release_host(sdiodev->func[1]);
+		sdiodev->sd_irq_requested = true;
 	}
 
 	return 0;
@@ -173,27 +174,30 @@ int brcmf_sdiod_intr_register(struct brcmf_sdio_dev *sdiodev)
 
 int brcmf_sdiod_intr_unregister(struct brcmf_sdio_dev *sdiodev)
 {
-	struct brcmfmac_sdio_pd *pdata;
 
-	brcmf_dbg(SDIO, "Entering\n");
+	brcmf_dbg(SDIO, "Entering oob=%d sd=%d\n",
+		  sdiodev->oob_irq_requested,
+		  sdiodev->sd_irq_requested);
 
-	pdata = &sdiodev->settings->bus.sdio;
-	if (pdata->oob_irq_supported) {
+	if (sdiodev->oob_irq_requested) {
+		struct brcmfmac_sdio_pd *pdata;
+
+		pdata = &sdiodev->settings->bus.sdio;
 		sdio_claim_host(sdiodev->func[1]);
 		brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_BRCM_SEPINT, 0, NULL);
 		brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_IENx, 0, NULL);
 		sdio_release_host(sdiodev->func[1]);
 
-		if (sdiodev->oob_irq_requested) {
-			sdiodev->oob_irq_requested = false;
-			if (sdiodev->irq_wake) {
-				disable_irq_wake(pdata->oob_irq_nr);
-				sdiodev->irq_wake = false;
-			}
-			free_irq(pdata->oob_irq_nr, &sdiodev->func[1]->dev);
-			sdiodev->irq_en = false;
+		sdiodev->oob_irq_requested = false;
+		if (sdiodev->irq_wake) {
+			disable_irq_wake(pdata->oob_irq_nr);
+			sdiodev->irq_wake = false;
 		}
-	} else {
+		free_irq(pdata->oob_irq_nr, &sdiodev->func[1]->dev);
+		sdiodev->irq_en = false;
+	}
+
+	if (sdiodev->sd_irq_requested) {
 		sdio_claim_host(sdiodev->func[1]);
 		sdio_release_irq(sdiodev->func[2]);
 		sdio_release_irq(sdiodev->func[1]);
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h
index dcf0ce8c..c07ad25 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h
@@ -186,6 +186,7 @@ struct brcmf_sdio_dev {
 	struct brcmf_bus *bus_if;
 	struct brcmf_mp_device *settings;
 	bool oob_irq_requested;
+	bool sd_irq_requested;
 	bool irq_en;			/* irq enable flags */
 	spinlock_t irq_en_lock;
 	bool irq_wake;			/* irq wake enable flags */
-- 
1.9.1

Re: [PATCH] Fix kernel oops in failed chip_attach

[Kalle Valo]

Christian Daudt <csd@broadcom.com> writes:

> When chip attach fails, brcmf_sdiod_intr_unregister is being called
> but that is too early as sdiodev->settings has not been set yet
> nor has brcmf_sdiod_intr_register been called.
> Change to use oob_irq_requested + newly created sd_irq_requested
> to decide on what to unregister at intr_unregister time.
>
> Steps to reproduce problem:
> - modprobe brcmfmac using buggy FW
> - rmmod brcmfmac
> - modprobe brcmfmac again.
>
> If done with a buggy firmware, brcm_chip_attach will fail on the
> 2nd modprobe triggering the call to intr_unregister and the
> kernel oops when attempting to de-reference sdiodev->settings->bus.sdio
> which has not yet been set.
>
> Signed-off-by: Christian Daudt <csd@broadcom.com>

Please use prefix "brcmfmac: " in the title.

-- 
Kalle Valo

Re: [PATCH] Fix kernel oops in failed chip_attach

[Christian Daudt]

On Fri, May 6, 2016 at 4:53 AM, Kalle Valo <kvalo@codeaurora.org> wrote:
> Christian Daudt <csd@broadcom.com> writes:
>
>> When chip attach fails, brcmf_sdiod_intr_unregister is being called
>> but that is too early as sdiodev->settings has not been set yet
>> nor has brcmf_sdiod_intr_register been called.
>> Change to use oob_irq_requested + newly created sd_irq_requested
>> to decide on what to unregister at intr_unregister time.
>>
>> Steps to reproduce problem:
>> - modprobe brcmfmac using buggy FW
>> - rmmod brcmfmac
>> - modprobe brcmfmac again.
>>
>> If done with a buggy firmware, brcm_chip_attach will fail on the
>> 2nd modprobe triggering the call to intr_unregister and the
>> kernel oops when attempting to de-reference sdiodev->settings->bus.sdio
>> which has not yet been set.
>>
>> Signed-off-by: Christian Daudt <csd@broadcom.com>
>
> Please use prefix "brcmfmac: " in the title.
>
I'll resubmit with that mod after getting round 1 feedback. I was a
bit rusty on patch submissions and forgot about that part on the first
one.
 Thanks,
   csd

Re: [PATCH] Fix kernel oops in failed chip_attach

[Kalle Valo]

Christian Daudt <csd@broadcom.com> writes:

> On Fri, May 6, 2016 at 4:53 AM, Kalle Valo <kvalo@codeaurora.org> wrote:
>> Christian Daudt <csd@broadcom.com> writes:
>>
>>> When chip attach fails, brcmf_sdiod_intr_unregister is being called
>>> but that is too early as sdiodev->settings has not been set yet
>>> nor has brcmf_sdiod_intr_register been called.
>>> Change to use oob_irq_requested + newly created sd_irq_requested
>>> to decide on what to unregister at intr_unregister time.
>>>
>>> Steps to reproduce problem:
>>> - modprobe brcmfmac using buggy FW
>>> - rmmod brcmfmac
>>> - modprobe brcmfmac again.
>>>
>>> If done with a buggy firmware, brcm_chip_attach will fail on the
>>> 2nd modprobe triggering the call to intr_unregister and the
>>> kernel oops when attempting to de-reference sdiodev->settings->bus.sdio
>>> which has not yet been set.
>>>
>>> Signed-off-by: Christian Daudt <csd@broadcom.com>
>>
>> Please use prefix "brcmfmac: " in the title.
>>
> I'll resubmit with that mod after getting round 1 feedback. I was a
> bit rusty on patch submissions and forgot about that part on the first
> one.

No worries, that's why we do review :)

-- 
Kalle Valo