1. 16 Jan, 2023 1 commit
    • wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds · 660145d7
      Jisoo Jang authored
      Fix a stack-out-of-bounds read in brcmfmac that occurs
      when 'buf', which is not null-terminated, is passed as an argument to
      strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with
      a CLM version string by memcpy() in brcmf_fil_iovar_data_get().
      Ensure buf is null-terminated.
      
      Found by a modified version of syzkaller.
      
      [   33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
      [   33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22
      [   33.021554][ T1896] ==================================================================
      [   33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110
      [   33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896
      [   33.023852][ T1896]
      [   33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #132
      [   33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      [   33.026065][ T1896] Workqueue: usb_hub_wq hub_event
      [   33.026581][ T1896] Call Trace:
      [   33.026896][ T1896]  dump_stack_lvl+0x57/0x7d
      [   33.027372][ T1896]  print_address_description.constprop.0.cold+0xf/0x334
      [   33.028037][ T1896]  ? strreplace+0xf2/0x110
      [   33.028403][ T1896]  ? strreplace+0xf2/0x110
      [   33.028807][ T1896]  kasan_report.cold+0x83/0xdf
      [   33.029283][ T1896]  ? strreplace+0xf2/0x110
      [   33.029666][ T1896]  strreplace+0xf2/0x110
      [   33.029966][ T1896]  brcmf_c_preinit_dcmds+0xab1/0xc40
      [   33.030351][ T1896]  ? brcmf_c_set_joinpref_default+0x100/0x100
      [   33.030787][ T1896]  ? rcu_read_lock_sched_held+0xa1/0xd0
      [   33.031223][ T1896]  ? rcu_read_lock_bh_held+0xb0/0xb0
      [   33.031661][ T1896]  ? lock_acquire+0x19d/0x4e0
      [   33.032091][ T1896]  ? find_held_lock+0x2d/0x110
      [   33.032605][ T1896]  ? brcmf_usb_deq+0x1a7/0x260
      [   33.033087][ T1896]  ? brcmf_usb_rx_fill_all+0x5a/0xf0
      [   33.033582][ T1896]  brcmf_attach+0x246/0xd40
      [   33.034022][ T1896]  ? wiphy_new_nm+0x1476/0x1d50
      [   33.034383][ T1896]  ? kmemdup+0x30/0x40
      [   33.034722][ T1896]  brcmf_usb_probe+0x12de/0x1690
      [   33.035223][ T1896]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
      [   33.035833][ T1896]  usb_probe_interface+0x25f/0x710
      [   33.036315][ T1896]  really_probe+0x1be/0xa90
      [   33.036656][ T1896]  __driver_probe_device+0x2ab/0x460
      [   33.037026][ T1896]  ? usb_match_id.part.0+0x88/0xc0
      [   33.037383][ T1896]  driver_probe_device+0x49/0x120
      [   33.037790][ T1896]  __device_attach_driver+0x18a/0x250
      [   33.038300][ T1896]  ? driver_allows_async_probing+0x120/0x120
      [   33.038986][ T1896]  bus_for_each_drv+0x123/0x1a0
      [   33.039906][ T1896]  ? bus_rescan_devices+0x20/0x20
      [   33.041412][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   33.041861][ T1896]  ? trace_hardirqs_on+0x1c/0x120
      [   33.042330][ T1896]  __device_attach+0x207/0x330
      [   33.042664][ T1896]  ? device_bind_driver+0xb0/0xb0
      [   33.043026][ T1896]  ? kobject_uevent_env+0x230/0x12c0
      [   33.043515][ T1896]  bus_probe_device+0x1a2/0x260
      [   33.043914][ T1896]  device_add+0xa61/0x1ce0
      [   33.044227][ T1896]  ? __mutex_unlock_slowpath+0xe7/0x660
      [   33.044891][ T1896]  ? __fw_devlink_link_to_suppliers+0x550/0x550
      [   33.045531][ T1896]  usb_set_configuration+0x984/0x1770
      [   33.046051][ T1896]  ? kernfs_create_link+0x175/0x230
      [   33.046548][ T1896]  usb_generic_driver_probe+0x69/0x90
      [   33.046931][ T1896]  usb_probe_device+0x9c/0x220
      [   33.047434][ T1896]  really_probe+0x1be/0xa90
      [   33.047760][ T1896]  __driver_probe_device+0x2ab/0x460
      [   33.048134][ T1896]  driver_probe_device+0x49/0x120
      [   33.048516][ T1896]  __device_attach_driver+0x18a/0x250
      [   33.048910][ T1896]  ? driver_allows_async_probing+0x120/0x120
      [   33.049437][ T1896]  bus_for_each_drv+0x123/0x1a0
      [   33.049814][ T1896]  ? bus_rescan_devices+0x20/0x20
      [   33.050164][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   33.050579][ T1896]  ? trace_hardirqs_on+0x1c/0x120
      [   33.050936][ T1896]  __device_attach+0x207/0x330
      [   33.051399][ T1896]  ? device_bind_driver+0xb0/0xb0
      [   33.051888][ T1896]  ? kobject_uevent_env+0x230/0x12c0
      [   33.052314][ T1896]  bus_probe_device+0x1a2/0x260
      [   33.052688][ T1896]  device_add+0xa61/0x1ce0
      [   33.053121][ T1896]  ? __fw_devlink_link_to_suppliers+0x550/0x550
      [   33.053568][ T1896]  usb_new_device.cold+0x463/0xf66
      [   33.053953][ T1896]  ? hub_disconnect+0x400/0x400
      [   33.054313][ T1896]  ? rwlock_bug.part.0+0x90/0x90
      [   33.054661][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   33.055094][ T1896]  hub_event+0x10d5/0x3330
      [   33.055530][ T1896]  ? hub_port_debounce+0x280/0x280
      [   33.055934][ T1896]  ? __lock_acquire+0x1671/0x5790
      [   33.056387][ T1896]  ? wq_calc_node_cpumask+0x170/0x2a0
      [   33.056924][ T1896]  ? lock_release+0x640/0x640
      [   33.057383][ T1896]  ? rcu_read_lock_sched_held+0xa1/0xd0
      [   33.057916][ T1896]  ? rcu_read_lock_bh_held+0xb0/0xb0
      [   33.058402][ T1896]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   33.059019][ T1896]  process_one_work+0x873/0x13e0
      [   33.059488][ T1896]  ? lock_release+0x640/0x640
      [   33.059932][ T1896]  ? pwq_dec_nr_in_flight+0x320/0x320
      [   33.060446][ T1896]  ? rwlock_bug.part.0+0x90/0x90
      [   33.060898][ T1896]  worker_thread+0x8b/0xd10
      [   33.061348][ T1896]  ? __kthread_parkme+0xd9/0x1d0
      [   33.061810][ T1896]  ? process_one_work+0x13e0/0x13e0
      [   33.062288][ T1896]  kthread+0x379/0x450
      [   33.062660][ T1896]  ? _raw_spin_unlock_irq+0x24/0x30
      [   33.063148][ T1896]  ? set_kthread_struct+0x100/0x100
      [   33.063606][ T1896]  ret_from_fork+0x1f/0x30
      [   33.064070][ T1896]
      [   33.064313][ T1896]
      [   33.064545][ T1896] addr ffffc90001d6efc8 is located in stack of task kworker/0:2/1896 at offset 512 in frame:
      [   33.065478][ T1896]  brcmf_c_preinit_dcmds+0x0/0xc40
      [   33.065973][ T1896]
      [   33.066191][ T1896] this frame has 4 objects:
      [   33.066614][ T1896]  [48, 56) 'ptr'
      [   33.066618][ T1896]  [80, 148) 'revinfo'
      [   33.066957][ T1896]  [192, 210) 'eventmask'
      [   33.067338][ T1896]  [256, 512) 'buf'
      [   33.067742][ T1896]
      [   33.068304][ T1896] Memory state around the buggy address:
      [   33.068838][ T1896]  ffffc90001d6ee80: f2 00 00 02 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
      [   33.069545][ T1896]  ffffc90001d6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   33.070626][ T1896] >ffffc90001d6ef80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3
      [   33.072052][ T1896]                                               ^
      [   33.073043][ T1896]  ffffc90001d6f000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   33.074230][ T1896]  ffffc90001d6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   33.074914][ T1896] ==================================================================
      [   33.075713][ T1896] Disabling lock debugging due to kernel taint
      
      Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221230075139.56591-1-jisoo.jang@yonsei.ac.kr
      660145d7
  2. 12 Jan, 2023 4 commits
  3. 22 Dec, 2022 12 commits
    • wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() · 44bacbdf
      Yang Yingliang authored
      It is not allowed to call kfree_skb() from hardware interrupt
      context or with interrupts being disabled. So replace kfree_skb()
      with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
      tested only.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221207150453.114742-1-yangyingliang@huawei.com
      44bacbdf
    • wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() · 708a49a6
      Yang Yingliang authored
      It is not allowed to call kfree_skb() from hardware interrupt
      context or with interrupts being disabled. So replace kfree_skb()
      with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
      tested only.
      
      Fixes: f52b041a ("libertas: Add spinlock to avoid race condition")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221207150008.111743-5-yangyingliang@huawei.com
      708a49a6
    • wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() · f393df15
      Yang Yingliang authored
      It is not allowed to call kfree_skb() from hardware interrupt
      context or with interrupts being disabled. So replace kfree_skb()
      with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
      tested only.
      
      Fixes: d2e7b342 ("libertas: disable functionality when interface is down")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221207150008.111743-4-yangyingliang@huawei.com
      f393df15
    • wifi: libertas: if_usb: don't call kfree_skb() under spin_lock_irqsave() · 3968e81b
      Yang Yingliang authored
      It is not allowed to call kfree_skb() from hardware interrupt
      context or with interrupts being disabled. So replace kfree_skb()
      with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
      tested only.
      
      Fixes: a3128fee ("libertas: use irqsave() in USB's complete callback")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221207150008.111743-3-yangyingliang@huawei.com
      3968e81b
    • wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() · 9388ce97
      Yang Yingliang authored
      It is not allowed to call kfree_skb() from hardware interrupt
      context or with interrupts being disabled. So replace kfree_skb()
      with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile
      tested only.
      
      Fixes: fc75122f ("libertas_tf: use irqsave() in USB's complete callback")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221207150008.111743-2-yangyingliang@huawei.com
      9388ce97
    • wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() · b9f42003
      Zhengchao Shao authored
      After the DMA buffer is mapped to a physical address, the address is stored
      in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in
      brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr
      and later unmap the DMA buffer. But when count is always equal to
      pktids->array_size, physaddr isn't stored in pktids and the DMA buffer
      will not be unmapped anyway.
      
      Fixes: 9a1bb602 ("brcmfmac: Adding msgbuf protocol.")
      Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
      Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221207013114.1748936-1-shaozhengchao@huawei.com
      b9f42003
    • wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() · 212fde3f
      Zhang Changzhong authored
      The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb
      in case pskb_expand_head() fails; add dev_kfree_skb() to fix it.
      Compile tested only.
      
      Fixes: 270a6c1f ("brcmfmac: rework headroom check in .start_xmit()")
      Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
      Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/1668684782-47422-1-git-send-email-zhangchangzhong@huawei.com
      212fde3f
    • wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() · 0a06cadc
      Jisoo Jang authored
      This patch fixes a stack-out-of-bounds read in brcmfmac that occurs
      when 'buf', which is not null-terminated, is passed as an argument to
      strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware
      version string by memcpy() in brcmf_fil_iovar_data_get().
      The patch ensures buf is null-terminated.
      
      Found by a modified version of syzkaller.
      
      [   47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3
      [   47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available
      [   47.601565][ T1897] ==================================================================
      [   47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0
      [   47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897
      [   47.604336][ T1897]
      [   47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G           O      5.14.0+ #131
      [   47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      [   47.606907][ T1897] Workqueue: usb_hub_wq hub_event
      [   47.607453][ T1897] Call Trace:
      [   47.607801][ T1897]  dump_stack_lvl+0x8e/0xd1
      [   47.608295][ T1897]  print_address_description.constprop.0.cold+0xf/0x334
      [   47.609009][ T1897]  ? strsep+0x1b2/0x1f0
      [   47.609434][ T1897]  ? strsep+0x1b2/0x1f0
      [   47.609863][ T1897]  kasan_report.cold+0x83/0xdf
      [   47.610366][ T1897]  ? strsep+0x1b2/0x1f0
      [   47.610882][ T1897]  strsep+0x1b2/0x1f0
      [   47.611300][ T1897]  ? brcmf_fil_iovar_data_get+0x3a/0xf0
      [   47.611883][ T1897]  brcmf_c_preinit_dcmds+0x995/0xc40
      [   47.612434][ T1897]  ? brcmf_c_set_joinpref_default+0x100/0x100
      [   47.613078][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0
      [   47.613662][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0
      [   47.614208][ T1897]  ? lock_acquire+0x19d/0x4e0
      [   47.614704][ T1897]  ? find_held_lock+0x2d/0x110
      [   47.615236][ T1897]  ? brcmf_usb_deq+0x1a7/0x260
      [   47.615741][ T1897]  ? brcmf_usb_rx_fill_all+0x5a/0xf0
      [   47.616288][ T1897]  brcmf_attach+0x246/0xd40
      [   47.616758][ T1897]  ? wiphy_new_nm+0x1703/0x1dd0
      [   47.617280][ T1897]  ? kmemdup+0x43/0x50
      [   47.617720][ T1897]  brcmf_usb_probe+0x12de/0x1690
      [   47.618244][ T1897]  ? brcmf_usbdev_qinit.constprop.0+0x470/0x470
      [   47.618901][ T1897]  usb_probe_interface+0x2aa/0x760
      [   47.619429][ T1897]  ? usb_probe_device+0x250/0x250
      [   47.619950][ T1897]  really_probe+0x205/0xb70
      [   47.620435][ T1897]  ? driver_allows_async_probing+0x130/0x130
      [   47.621048][ T1897]  __driver_probe_device+0x311/0x4b0
      [   47.621595][ T1897]  ? driver_allows_async_probing+0x130/0x130
      [   47.622209][ T1897]  driver_probe_device+0x4e/0x150
      [   47.622739][ T1897]  __device_attach_driver+0x1cc/0x2a0
      [   47.623287][ T1897]  bus_for_each_drv+0x156/0x1d0
      [   47.623796][ T1897]  ? bus_rescan_devices+0x30/0x30
      [   47.624309][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   47.624907][ T1897]  ? trace_hardirqs_on+0x46/0x160
      [   47.625437][ T1897]  __device_attach+0x23f/0x3a0
      [   47.625924][ T1897]  ? device_bind_driver+0xd0/0xd0
      [   47.626433][ T1897]  ? kobject_uevent_env+0x287/0x14b0
      [   47.627057][ T1897]  bus_probe_device+0x1da/0x290
      [   47.627557][ T1897]  device_add+0xb7b/0x1eb0
      [   47.628027][ T1897]  ? wait_for_completion+0x290/0x290
      [   47.628593][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
      [   47.629249][ T1897]  usb_set_configuration+0xf59/0x16f0
      [   47.629829][ T1897]  usb_generic_driver_probe+0x82/0xa0
      [   47.630385][ T1897]  usb_probe_device+0xbb/0x250
      [   47.630927][ T1897]  ? usb_suspend+0x590/0x590
      [   47.631397][ T1897]  really_probe+0x205/0xb70
      [   47.631855][ T1897]  ? driver_allows_async_probing+0x130/0x130
      [   47.632469][ T1897]  __driver_probe_device+0x311/0x4b0
      [   47.633002][ T1897]  ? usb_generic_driver_match+0x75/0x90
      [   47.633573][ T1897]  ? driver_allows_async_probing+0x130/0x130
      [   47.634170][ T1897]  driver_probe_device+0x4e/0x150
      [   47.634703][ T1897]  __device_attach_driver+0x1cc/0x2a0
      [   47.635248][ T1897]  bus_for_each_drv+0x156/0x1d0
      [   47.635748][ T1897]  ? bus_rescan_devices+0x30/0x30
      [   47.636271][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   47.636881][ T1897]  ? trace_hardirqs_on+0x46/0x160
      [   47.637396][ T1897]  __device_attach+0x23f/0x3a0
      [   47.637904][ T1897]  ? device_bind_driver+0xd0/0xd0
      [   47.638426][ T1897]  ? kobject_uevent_env+0x287/0x14b0
      [   47.638985][ T1897]  bus_probe_device+0x1da/0x290
      [   47.639512][ T1897]  device_add+0xb7b/0x1eb0
      [   47.639977][ T1897]  ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0
      [   47.640612][ T1897]  ? kfree+0x14a/0x6b0
      [   47.641055][ T1897]  ? __usb_get_extra_descriptor+0x116/0x160
      [   47.641679][ T1897]  usb_new_device.cold+0x49c/0x1029
      [   47.642245][ T1897]  ? hub_disconnect+0x450/0x450
      [   47.642756][ T1897]  ? rwlock_bug.part.0+0x90/0x90
      [   47.643273][ T1897]  ? _raw_spin_unlock_irq+0x24/0x30
      [   47.643822][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   47.644445][ T1897]  hub_event+0x1c98/0x3950
      [   47.644939][ T1897]  ? hub_port_debounce+0x2e0/0x2e0
      [   47.645467][ T1897]  ? check_irq_usage+0x861/0xf20
      [   47.645975][ T1897]  ? drain_workqueue+0x280/0x360
      [   47.646506][ T1897]  ? lock_release+0x640/0x640
      [   47.646994][ T1897]  ? rcu_read_lock_sched_held+0xa1/0xd0
      [   47.647572][ T1897]  ? rcu_read_lock_bh_held+0xb0/0xb0
      [   47.648111][ T1897]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
      [   47.648735][ T1897]  process_one_work+0x92b/0x1460
      [   47.649262][ T1897]  ? pwq_dec_nr_in_flight+0x330/0x330
      [   47.649816][ T1897]  ? rwlock_bug.part.0+0x90/0x90
      [   47.650336][ T1897]  worker_thread+0x95/0xe00
      [   47.650830][ T1897]  ? __kthread_parkme+0x115/0x1e0
      [   47.651361][ T1897]  ? process_one_work+0x1460/0x1460
      [   47.651904][ T1897]  kthread+0x3a1/0x480
      [   47.652329][ T1897]  ? set_kthread_struct+0x120/0x120
      [   47.652878][ T1897]  ret_from_fork+0x1f/0x30
      [   47.653370][ T1897]
      [   47.653608][ T1897]
      [   47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame:
      [   47.654891][ T1897]  brcmf_c_preinit_dcmds+0x0/0xc40
      [   47.655442][ T1897]
      [   47.655690][ T1897] this frame has 4 objects:
      [   47.656151][ T1897]  [48, 56) 'ptr'
      [   47.656159][ T1897]  [80, 148) 'revinfo'
      [   47.656534][ T1897]  [192, 210) 'eventmask'
      [   47.656953][ T1897]  [256, 512) 'buf'
      [   47.657410][ T1897]
      [   47.658035][ T1897] Memory state around the buggy address:
      [   47.658743][ T1897]  ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   47.659577][ T1897]  ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
      [   47.661199][ T1897]                    ^
      [   47.661625][ T1897]  ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   47.662455][ T1897]  ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
      [   47.663318][ T1897] ==================================================================
      [   47.664147][ T1897] Disabling lock debugging due to kernel taint
      
      Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
      Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
      Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
      Signed-off-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr
      0a06cadc
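Both brcmfmac stack-out-of-bounds fixes on this page (0a06cadc above, for strsep(), and 660145d7 at the top, for strreplace()) are one bug class: a fixed on-stack buffer is filled by memcpy() from a firmware reply and then handed to a string function that scans until it finds a NUL, so a reply that fills the whole buffer sends the scan past the end of the frame (both KASAN reports put the read at offset 512, the first byte after 'buf'). The userspace C model below is an added example, not driver code and not either patch; fw_iovar_data_get(), SHORT_REPLY and the 'A'-filled reply are constructed stand-ins, and VER_BUF_LEN is taken from the frame dump ('buf' at [256, 512)). It shows the precondition a reviewer would check (is there a NUL inside buf after the copy?) and the hardened parse.

```c
#define _GNU_SOURCE          /* strsep() */
#include <stdio.h>
#include <string.h>

/* 'buf' occupies [256, 512) in the KASAN frame dumps above: 256 bytes. */
#define VER_BUF_LEN 256

/* Hypothetical stand-in for brcmf_fil_iovar_data_get(): the firmware reply is
 * raw bytes and the driver side copies at most buflen of them.  A reply that
 * is buflen bytes long leaves no NUL anywhere in buf. */
static void fw_iovar_data_get(const unsigned char *reply, size_t reply_len,
                              char *buf, size_t buflen)
{
    size_t n = reply_len < buflen ? reply_len : buflen;
    memset(buf, 0, buflen);
    memcpy(buf, reply, n);
}

/* Precondition for every str*() call after the copy: is there a NUL inside
 * buf?  Returns 1 if yes, 0 if strsep()/strreplace() would scan past the end
 * of the frame.  'hardened' applies the fix from the two commits: force the
 * last byte to NUL whatever the firmware sent. */
int copy_is_terminated(const unsigned char *reply, size_t reply_len, int hardened)
{
    char buf[VER_BUF_LEN];
    fw_iovar_data_get(reply, reply_len, buf, sizeof(buf));
    if (hardened)
        buf[sizeof(buf) - 1] = '\0';
    return memchr(buf, '\0', sizeof(buf)) != NULL;
}

/* Hardened parsing step: copy, force-terminate, then walk the tokens with
 * strsep() for the one after "version".  Returns 0 and fills out on success,
 * -1 if there is no such token (e.g. a reply that filled the whole buffer). */
int extract_fw_version(const unsigned char *reply, size_t reply_len,
                       char *out, size_t outlen)
{
    char buf[VER_BUF_LEN];
    char *cur = buf, *tok;
    int want_next = 0;

    fw_iovar_data_get(reply, reply_len, buf, sizeof(buf));
    buf[sizeof(buf) - 1] = '\0';   /* the fix: every later scan stops inside buf */

    while ((tok = strsep(&cur, " \n")) != NULL) {
        if (*tok == '\0')
            continue;              /* repeated separators */
        if (want_next) {
            snprintf(out, outlen, "%s", tok);
            return 0;
        }
        if (strcmp(tok, "version") == 0)
            want_next = 1;
    }
    return -1;
}

/* Constructed input, not captured from hardware. */
static const char SHORT_REPLY[] = "wl0: Nov 30 2011 17:33:42 version 5.90.188.22\n";

int short_reply_terminated(int hardened)
{
    return copy_is_terminated((const unsigned char *)SHORT_REPLY,
                              sizeof(SHORT_REPLY) - 1, hardened);
}

/* A reply exactly VER_BUF_LEN bytes long with no NUL: the crashing case. */
int full_reply_terminated(int hardened)
{
    unsigned char full[VER_BUF_LEN];
    memset(full, 'A', sizeof(full));
    return copy_is_terminated(full, sizeof(full), hardened);
}

/* Runs the hardened parser on both inputs: the full reply must come back as
 * "not found" rather than overrun, and SHORT_REPLY yields the version. */
const char *demo_hardened_version(void)
{
    static char version[32];
    unsigned char full[VER_BUF_LEN];
    char scratch[32];

    memset(full, 'A', sizeof(full));
    if (extract_fw_version(full, sizeof(full), scratch, sizeof(scratch)) != -1)
        return NULL;
    if (extract_fw_version((const unsigned char *)SHORT_REPLY,
                           sizeof(SHORT_REPLY) - 1, version, sizeof(version)) != 0)
        return NULL;
    return version;
}

int main(void)
{
    const char *v = demo_hardened_version();
    printf("full-size reply terminated: no fix=%d, fixed=%d\n",
           full_reply_terminated(0), full_reply_terminated(1));
    printf("firmware version: %s\n", v ? v : "(parse failed)");
    return 0;
}
```

Zero-filling buf before the copy only helps when the reply is shorter than the buffer; a full-size reply overwrites every zero, so the terminator has to be written after the copy, not before. Forcing buf[sizeof(buf) - 1] = '\0' bounds every later strsep(), strreplace() or strlen() call at the price of silently truncating a reply that was exactly buffer-sized, an acceptable trade for a version string. Where truncation should be visible instead, strnlen(buf, sizeof(buf)) == sizeof(buf) after the copy identifies the unterminated case so it can be logged or rejected.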
    • wifi: wilc1000: add missing unregister_netdev() in wilc_netdev_ifc_init() · 2b88974e
      Wang Yufen authored
      Fault injection test reports this issue:
      
      kernel BUG at net/core/dev.c:10731!
      invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
      Call Trace:
        <TASK>
        wilc_netdev_ifc_init+0x19f/0x220 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]
        wilc_cfg80211_init+0x30c/0x380 [wilc1000 884bf126e9e98af6a708f266a8dffd53f99e4bf5]
        wilc_bus_probe+0xad/0x2b0 [wilc1000_spi 1520a7539b6589cc6cde2ae826a523a33f8bacff]
        spi_probe+0xe4/0x140
        really_probe+0x17e/0x3f0
        __driver_probe_device+0xe3/0x170
        driver_probe_device+0x49/0x120
      
      The root cause here is that alloc_ordered_workqueue() fails, but
      cfg80211_unregister_netdevice() or unregister_netdev() is not called in the
      error handling path. To fix this, add an unregister_netdev goto label to add the
      unregister operation to the error handling path.
      
      Fixes: 09ed8bfc ("wilc1000: Rename workqueue from "WILC_wq" to "NETDEV-wq"")
      Signed-off-by: Wang Yufen <wangyufen@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/1669289902-23639-1-git-send-email-wangyufen@huawei.com
      2b88974e
    • wifi: wilc1000: fix potential memory leak in wilc_mac_xmit() · deb962ec
      Zhang Changzhong authored
      The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb; add
      dev_kfree_skb() to fix it. Compile tested only.
      
      Fixes: c5c77ba1 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
      Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/1668684964-48622-1-git-send-email-zhangchangzhong@huawei.com
      deb962ec
    • wifi: ipw2200: fix memory leak in ipw_wdev_init() · 9fe21dc6
      Zhengchao Shao authored
      In the error path of ipw_wdev_init(), an exception value is returned, and
      the memory applied for in the function is not released. Also, the memory
      is not released in ipw_pci_probe(). As a result, memory leakage occurs.
      So memory release needs to be added to the error path of ipw_wdev_init().
      
      Fixes: a3caa99e ("libipw: initiate cfg80211 API conversion (v2)")
      Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221209012422.182669-1-shaozhengchao@huawei.com
      9fe21dc6
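The wilc1000 commit 2b88974e and the ipw2200 commit 9fe21dc6 above are the same error-path class: an init function acquires several resources in order, a later step fails, and the early return releases only some of them (in the wilc1000 case, the commit's reading of the kernel BUG is that the netdev was freed without ever being unregistered). The userspace C harness below is an added example, not either driver's code; the *_model() helpers are hypothetical stand-ins for alloc_netdev()/register_netdev()/alloc_ordered_workqueue(), and fail_at injects a failure at a chosen step the way the fault-injection test in the wilc1000 commit message did. It puts the buggy shape beside the goto-label shape and counts what is still held after each failure point.

```c
#include <stdio.h>
#include <stdlib.h>

struct netdev_model { int registered; };
struct wq_model { int unused; };

/* What a leak detector would see after init returns. */
static int live_netdevs;        /* allocated, not freed */
static int registered_netdevs;  /* registered, not unregistered */
static int live_workqueues;
static int fail_at;             /* 0 = no injected failure, N = step N fails */

/* Hypothetical stand-ins for the kernel APIs; they only keep the counters. */
static struct netdev_model *alloc_netdev_model(void)
{
    if (fail_at == 1) return NULL;
    live_netdevs++;
    return calloc(1, sizeof(struct netdev_model));
}
static void free_netdev_model(struct netdev_model *nd) { live_netdevs--; free(nd); }

static int register_netdev_model(struct netdev_model *nd)
{
    if (fail_at == 2) return -1;
    nd->registered = 1;
    registered_netdevs++;
    return 0;
}
static void unregister_netdev_model(struct netdev_model *nd)
{
    nd->registered = 0;
    registered_netdevs--;
}

static struct wq_model *alloc_workqueue_model(void)
{
    if (fail_at == 3) return NULL;
    live_workqueues++;
    return calloc(1, sizeof(struct wq_model));
}
static void destroy_workqueue_model(struct wq_model *wq) { live_workqueues--; free(wq); }

/* Buggy shape: when the workqueue allocation fails the netdev is freed but
 * never unregistered, leaving a registration pointing at freed memory. */
static int ifc_init_buggy(struct netdev_model **nd_out, struct wq_model **wq_out)
{
    struct netdev_model *nd = alloc_netdev_model();
    if (!nd)
        return -1;
    if (register_netdev_model(nd)) {
        free_netdev_model(nd);
        return -1;
    }
    *wq_out = alloc_workqueue_model();
    if (!*wq_out) {
        free_netdev_model(nd);      /* the unregister step is missing here */
        return -1;
    }
    *nd_out = nd;
    return 0;
}

/* Fixed shape: one label per acquired resource, unwound in reverse order. */
static int ifc_init_fixed(struct netdev_model **nd_out, struct wq_model **wq_out)
{
    struct netdev_model *nd = alloc_netdev_model();
    if (!nd)
        return -1;
    if (register_netdev_model(nd))
        goto free_nd;
    *wq_out = alloc_workqueue_model();
    if (!*wq_out)
        goto unregister;
    *nd_out = nd;
    return 0;
unregister:
    unregister_netdev_model(nd);
free_nd:
    free_netdev_model(nd);
    return -1;
}

/* Runs one variant with a failure injected at 'step', tears down normally on
 * success, and returns how many resources are still held: 0 means clean. */
int leaked_after_init(int step, int fixed)
{
    struct netdev_model *nd = NULL;
    struct wq_model *wq = NULL;
    int rc;

    live_netdevs = registered_netdevs = live_workqueues = 0;
    fail_at = step;
    rc = fixed ? ifc_init_fixed(&nd, &wq) : ifc_init_buggy(&nd, &wq);
    if (rc == 0) {                  /* success: normal teardown, reverse order */
        destroy_workqueue_model(wq);
        unregister_netdev_model(nd);
        free_netdev_model(nd);
    }
    return live_netdevs + registered_netdevs + live_workqueues;
}

int main(void)
{
    int step;
    for (step = 0; step <= 3; step++)
        printf("fail at step %d: buggy leaves %d held, fixed leaves %d held\n",
               step, leaked_after_init(step, 0), leaked_after_init(step, 1));
    return 0;
}
```

The fixed variant has one label per acquired resource, in reverse acquisition order, so adding a fourth step later means adding one label rather than editing every early return. The counters stand in for what kmemleak or a driver-core warning would report; the point of the harness is to fail every step from 1 to N in turn and assert that nothing is left held, which is the check that a "compile tested only" fix does not get.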
    • wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() · 45fc6d74
      Yang Yingliang authored
      It is not allowed to call kfree_skb() or consume_skb() from hardware
      interrupt context or with hardware interrupts being disabled.
      
      It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
      The difference between them is the free reason: dev_kfree_skb_irq() means
      the SKB is dropped in error and dev_consume_skb_irq() means the SKB
      is consumed normally.
      
      In this case, dev_kfree_skb() is called to free and drop the SKB when
      it's reset, so replace it with dev_kfree_skb_irq(). Compile tested
      only.
      
      Fixes: 43f66a6c ("Add ipw2200 wireless driver.")
      Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20221208143826.2385218-1-yangyingliang@huawei.com
      45fc6d74
  4. 21 Dec, 2022 17 commits
  5. 14 Dec, 2022 6 commits