From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.1 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40E42C433EA for ; Tue, 28 Jul 2020 17:29:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 24A7C2078E for ; Tue, 28 Jul 2020 17:29:26 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SyxYachV" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732031AbgG1R3W (ORCPT ); Tue, 28 Jul 2020 13:29:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35358 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731779AbgG1R3V (ORCPT ); Tue, 28 Jul 2020 13:29:21 -0400 Received: from mail-pl1-x641.google.com (mail-pl1-x641.google.com [IPv6:2607:f8b0:4864:20::641]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5340EC061794; Tue, 28 Jul 2020 10:29:21 -0700 (PDT) Received: by mail-pl1-x641.google.com with SMTP id k4so10229088pld.12; Tue, 28 Jul 2020 10:29:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DvC33c6lX0M+cpFedrNCLZ1U+Zo7I7ibJkFG+4mqa48=; b=SyxYachVFhddv9xgQSCtTM81YnnLRQvfAdfCIXYBJGywlbTOAe56WaqrxZkelpcZIT aNeRE6VXBeiAy5H78OHAkA7DnlhlX+t7hT21JkI323wKse2v24CpNdfbMabKqMQe2YO6 oM68s0417RsaCNEoYuZWj7/pHwFh8Db0UmapN9NGhzshWV7AlQiMeZZfAlBgD932u81/ wS7yRsYxLcYm95RzQZCavC3QsXMWUeshoGCdpnDY1a18OkaX7v2PYlK8QoXrH9pb3HqH llvex8HxTkmdy00dKr5uJpUZ8/Vnck432yidHnv7ckh+aYCixUkwarEkmeAdaFEN7KBi DGAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DvC33c6lX0M+cpFedrNCLZ1U+Zo7I7ibJkFG+4mqa48=; b=lBAucCNCrpqdBYwqGfrSZwOgMxXCHbGs6U17frRdS49aA4foRxhn6me0df56QSj/Ze ZcoZetnyr8cjyhGaajTyPQfmoD3sNlwfWPz0q8HFVZc4t6KX0EwOgM9CUu6wLtxq/k36 TxS0aB32/wgmtBKNwmv0gHAGM9udh+NKMNp6PbB9ailSw/GrJ4F8Lf0CkktEjiGCGk9q v2bLVMlvYnmI8+0zgtKsawRwjUK2p9QK5dagUNumypUAFazncK6e/abD/2AYR6poFRKe 38bWQAs1d/fJR3T4v1Exb6wlc9mRqpPx4KWiQ6Wn7KAQf5vfR2KJIqejSPz+JzEDY8Rv l+Cw== X-Gm-Message-State: AOAM5327vqbLtFUsEgQtTJv/F/0vYv3QTyZc4ucoCE4rcwA6l/pwIh/a UR4Nk4gUqdxtlmbZn0J/h7PZkCOQOldPehfdNWc= X-Google-Smtp-Source: ABdhPJyo6Up0HxgUu0YXezBBId8olJiV2HxsKPkSX/2vuB9eJTZdnOqNu8a+sLck2iCAvE4kWHW/kPzUymSyxIghXfM= X-Received: by 2002:a17:90a:a393:: with SMTP id x19mr5714267pjp.228.1595957360726; Tue, 28 Jul 2020 10:29:20 -0700 (PDT) MIME-Version: 1.0 References: <1595900652-3842-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> In-Reply-To: <1595900652-3842-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> From: Andy Shevchenko Date: Tue, 28 Jul 2020 20:29:05 +0300 Message-ID: Subject: Re: [PATCH] mwifiex: don't call del_timer_sync() on uninitialized timer To: Tetsuo Handa Cc: gbhat@marvell.com, amitkarwar@gmail.com, andreyknvl@google.com, "David S. Miller" , Dmitry Vyukov , huxinming820@gmail.com, Kalle Valo , Linux Kernel Mailing List , USB , "open list:TI WILINK WIRELES..." , netdev , Nishant Sarmukadam , syzbot+dc4127f950da51639216@syzkaller.appspotmail.com, syzkaller-bugs , syzbot Content-Type: text/plain; charset="UTF-8" Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Tue, Jul 28, 2020 at 4:46 AM Tetsuo Handa wrote: > > syzbot is reporting that del_timer_sync() is called from > mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without > checking timer_setup() from mwifiex_usb_tx_init() was called [1]. > Since mwifiex_usb_prepare_tx_aggr_skb() is calling del_timer() if > is_hold_timer_set == true, use the same condition for del_timer_sync(). > > [1] https://syzkaller.appspot.com/bug?id=fdeef9cf7348be8b8ab5b847f2ed993aba8ea7b6 > Can you use BugLink: tag for above? > Reported-by: syzbot > Cc: Ganapathi Bhat > Signed-off-by: Tetsuo Handa > --- > A patch from Ganapathi Bhat ( https://patchwork.kernel.org/patch/10990275/ ) is stalling > at https://lore.kernel.org/linux-usb/MN2PR18MB2637D7C742BC235FE38367F0A09C0@MN2PR18MB2637.namprd18.prod.outlook.com/ . > syzbot by now got this report for 10000 times. Do we want to go with this simple patch? > > drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c > index 6f3cfde..04a1461 100644 > --- a/drivers/net/wireless/marvell/mwifiex/usb.c > +++ b/drivers/net/wireless/marvell/mwifiex/usb.c > @@ -1353,7 +1353,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter) > skb_dequeue(&port->tx_aggr.aggr_list))) > mwifiex_write_data_complete(adapter, skb_tmp, > 0, -1); > - del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); > + if (port->tx_aggr.timer_cnxt.is_hold_timer_set) > + del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); > port->tx_aggr.timer_cnxt.is_hold_timer_set = false; > port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0; > } > -- > 1.8.3.1 > -- With Best Regards, Andy Shevchenko