From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Raveendran Somu <raveendran.somu@cypress.com>,
	Chi-hsien Lin <chi-hsien.lin@cypress.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org,
	brcm80211-dev-list.pdl@broadcom.com,
	brcm80211-dev-list@cypress.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 077/108] brcmfmac: Fix driver crash on USB control transfer timeout
Date: Sat, 11 Apr 2020 19:09:12 -0400
Message-ID: <20200411230943.24951-77-sashal@kernel.org>
In-Reply-To: <20200411230943.24951-1-sashal@kernel.org>

From: Raveendran Somu <raveendran.somu@cypress.com>

[ Upstream commit 93a5bfbc7cad8bf3dea81c9bc07761c1226a0860 ]

When the control transfer gets timed out, the error status
was returned without killing that urb; this leads to using
the same urb. This issue causes the kernel crash as the same
urb is submitted multiple times. The fix is to kill the
urb for timeout transfer before returning error.

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1585124429-97371-2-git-send-email-chi-hsien.lin@cypress.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
index 575ed19e91951..10387a7f5d565 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
@@ -328,11 +328,12 @@ static int brcmf_usb_tx_ctlpkt(struct device *dev, u8 *buf, u32 len)
 		return err;
 	}
 	timeout = brcmf_usb_ioctl_resp_wait(devinfo);
-	clear_bit(0, &devinfo->ctl_op);
 	if (!timeout) {
 		brcmf_err("Txctl wait timed out\n");
+		usb_kill_urb(devinfo->ctl_urb);
 		err = -EIO;
 	}
+	clear_bit(0, &devinfo->ctl_op);
 	return err;
 }
 
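Review bot: The move of clear_bit(0, &devinfo->ctl_op) from before the timeout check to after it in brcmf_usb_tx_ctlpkt is not explained in the commit message, which only talks about killing the urb. If ctl_op is the in-progress flag that guards ctl_urb (its setter is outside the visible context), the ordering is the actual fix: usb_kill_urb() waits until the urb is fully cancelled, and clearing the flag only afterwards keeps another caller from resubmitting the urb while it is still in flight. Please say so in the changelog or in a short comment above usb_kill_urb(devinfo->ctl_urb), otherwise a later cleanup could move the clear_bit() back up. It is also worth noting that usb_kill_urb() may sleep, so this path has to stay in process context.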
@@ -358,11 +359,12 @@ static int brcmf_usb_rx_ctlpkt(struct device *dev, u8 *buf, u32 len)
 	}
 	timeout = brcmf_usb_ioctl_resp_wait(devinfo);
 	err = devinfo->ctl_urb_status;
-	clear_bit(0, &devinfo->ctl_op);
 	if (!timeout) {
 		brcmf_err("rxctl wait timed out\n");
+		usb_kill_urb(devinfo->ctl_urb);
 		err = -EIO;
 	}
+	clear_bit(0, &devinfo->ctl_op);
 	if (!err)
 		return devinfo->ctl_urb_actual_length;
 	else
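Review bot: The timeout branch added in brcmf_usb_rx_ctlpkt is identical to the one in brcmf_usb_tx_ctlpkt except for the log string, so the kill-then-clear sequence now has to be kept in sync in two places; a small helper taking devinfo would keep the ordering in one spot. Separately, err is loaded from devinfo->ctl_urb_status before the timeout check and before usb_kill_urb(devinfo->ctl_urb) runs. That is harmless here because the timeout path overwrites err with -EIO, but if the completion handler (not visible in this hunk) writes ctl_urb_status when the urb is killed, please confirm that the next control transfer does not pick up that stale status.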
-- 
2.20.1

