<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless/broadcom, branch linux-5.0.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>brcmfmac: fix Oops when bringing up interface during USB disconnect</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-13T09:52:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=306e799b6d9e8f286e9e19f83f68c3144f5e2fde'/>
<id>306e799b6d9e8f286e9e19f83f68c3144f5e2fde</id>
<content type='text'>
[ Upstream commit 24d413a31afaee9bbbf79226052c386b01780ce2 ]

Fix a race which leads to an Oops with a NULL pointer dereference. The
dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
the net_device structure of the interface with index 0 via the if2bss
mapping. This shouldn't fail because of the check for the bus being ready in
brcmf_netdev_open(), but it's not synchronised with USB disconnect and there
is a race: after the check the bus can be marked down and the mapping for
interface 0 may be gone.

Solve this by modifying disconnect handling so that the removal of the
mapping of ifidx to the brcmf_if structure happens after netdev removal
(which is synchronous with brcmf_netdev_open() thanks to rtnl being locked
in devinet_ioctl()). This assures brcmf_netdev_open() returns before the
mapping is removed during disconnect.

Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = bcae2612
[00000008] *pgd=8be73831
Internal error: Oops: 17 [#1] PREEMPT SMP ARM
Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
udc_core [last unloaded: brcmutil]
CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
pc : [&lt;7f26a91c&gt;]    lr : [&lt;7f26a914&gt;]    psr: a0070013
sp : eca99d28  ip : 00000000  fp : ee9c6c00
r10: 00000036  r9 : 00000000  r8 : ece4002c
r7 : edb5b800  r6 : 00000000  r5 : 80f08448  r4 : edb5b968
r3 : ffffffff  r2 : 00000000  r1 : 00000002  r0 : 00000000
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 7ca0c04a  DAC: 00000051
Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
Stack: (0xeca99d28 to 0xeca9a000)
[&lt;7f26a91c&gt;] (brcmf_cfg80211_up [brcmfmac]) from [&lt;7f27262c&gt;] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
[&lt;7f27262c&gt;] (brcmf_netdev_open [brcmfmac]) from [&lt;80772008&gt;] (__dev_open+0xcc/0x150)
[&lt;80772008&gt;] (__dev_open) from [&lt;807723d0&gt;] (__dev_change_flags+0x168/0x1b4)
[&lt;807723d0&gt;] (__dev_change_flags) from [&lt;80772434&gt;] (dev_change_flags+0x18/0x48)
[&lt;80772434&gt;] (dev_change_flags) from [&lt;80805f70&gt;] (devinet_ioctl+0x67c/0x79c)
[&lt;80805f70&gt;] (devinet_ioctl) from [&lt;80808b9c&gt;] (inet_ioctl+0x210/0x3d4)
[&lt;80808b9c&gt;] (inet_ioctl) from [&lt;8074721c&gt;] (sock_ioctl+0x350/0x524)
[&lt;8074721c&gt;] (sock_ioctl) from [&lt;80285138&gt;] (do_vfs_ioctl+0xb0/0x9b0)
[&lt;80285138&gt;] (do_vfs_ioctl) from [&lt;80285a6c&gt;] (ksys_ioctl+0x34/0x5c)
[&lt;80285a6c&gt;] (ksys_ioctl) from [&lt;80101000&gt;] (ret_fast_syscall+0x0/0x28)
Exception stack(0xeca99fa8 to 0xeca99ff0)
9fa0:                   00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
---[ end trace 5cbac2333f3ac5df ]---

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: fix race during disconnect when USB completion is in progress</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-08T15:25:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d0b552ad0ad3744231e664553aa7212895e17b89'/>
<id>d0b552ad0ad3744231e664553aa7212895e17b89</id>
<content type='text'>
[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]

It was observed that, rarely, during a USB disconnect happening shortly after
connect (before full initialization completes), usb_hub_wq would wait
forever for dev_init_lock to be unlocked. dev_init_lock would remain
locked, though, because of an infinite wait in usb_kill_urb:

[ 2730.656472] kworker/0:2     D    0   260      2 0x00000000
[ 2730.660700] Workqueue: events request_firmware_work_func
[ 2730.664807] [&lt;809dca20&gt;] (__schedule) from [&lt;809dd164&gt;] (schedule+0x4c/0xac)
[ 2730.670587] [&lt;809dd164&gt;] (schedule) from [&lt;8069af44&gt;] (usb_kill_urb+0xdc/0x114)
[ 2730.676815] [&lt;8069af44&gt;] (usb_kill_urb) from [&lt;7f258b50&gt;] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
[ 2730.684833] [&lt;7f258b50&gt;] (brcmf_usb_free_q [brcmfmac]) from [&lt;7f2517d4&gt;] (brcmf_detach+0xa0/0xb8 [brcmfmac])
[ 2730.693557] [&lt;7f2517d4&gt;] (brcmf_detach [brcmfmac]) from [&lt;7f251a34&gt;] (brcmf_attach+0xac/0x3d8 [brcmfmac])
[ 2730.702094] [&lt;7f251a34&gt;] (brcmf_attach [brcmfmac]) from [&lt;7f2587ac&gt;] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
[ 2730.711601] [&lt;7f2587ac&gt;] (brcmf_usb_probe_phase2 [brcmfmac]) from [&lt;7f252888&gt;] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
[ 2730.721795] [&lt;7f252888&gt;] (brcmf_fw_request_done [brcmfmac]) from [&lt;805748e4&gt;] (request_firmware_work_func+0x4c/0x88)
[ 2730.731125] [&lt;805748e4&gt;] (request_firmware_work_func) from [&lt;80141474&gt;] (process_one_work+0x228/0x808)
[ 2730.739223] [&lt;80141474&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[ 2730.746105] [&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[ 2730.752227] [&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)

[ 2733.099695] kworker/0:3     D    0  1065      2 0x00000000
[ 2733.103926] Workqueue: usb_hub_wq hub_event
[ 2733.106914] [&lt;809dca20&gt;] (__schedule) from [&lt;809dd164&gt;] (schedule+0x4c/0xac)
[ 2733.112693] [&lt;809dd164&gt;] (schedule) from [&lt;809e2a8c&gt;] (schedule_timeout+0x214/0x3e4)
[ 2733.119621] [&lt;809e2a8c&gt;] (schedule_timeout) from [&lt;809dde2c&gt;] (wait_for_common+0xc4/0x1c0)
[ 2733.126810] [&lt;809dde2c&gt;] (wait_for_common) from [&lt;7f258d00&gt;] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
[ 2733.135206] [&lt;7f258d00&gt;] (brcmf_usb_disconnect [brcmfmac]) from [&lt;8069e0c8&gt;] (usb_unbind_interface+0x5c/0x1e4)
[ 2733.143943] [&lt;8069e0c8&gt;] (usb_unbind_interface) from [&lt;8056d3e8&gt;] (device_release_driver_internal+0x164/0x1fc)
[ 2733.152769] [&lt;8056d3e8&gt;] (device_release_driver_internal) from [&lt;8056c078&gt;] (bus_remove_device+0xd0/0xfc)
[ 2733.161138] [&lt;8056c078&gt;] (bus_remove_device) from [&lt;8056977c&gt;] (device_del+0x11c/0x310)
[ 2733.167939] [&lt;8056977c&gt;] (device_del) from [&lt;8069cba8&gt;] (usb_disable_device+0xa0/0x1cc)
[ 2733.174743] [&lt;8069cba8&gt;] (usb_disable_device) from [&lt;8069507c&gt;] (usb_disconnect+0x74/0x1dc)
[ 2733.181823] [&lt;8069507c&gt;] (usb_disconnect) from [&lt;80695e88&gt;] (hub_event+0x478/0xf88)
[ 2733.188278] [&lt;80695e88&gt;] (hub_event) from [&lt;80141474&gt;] (process_one_work+0x228/0x808)
[ 2733.194905] [&lt;80141474&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[ 2733.201724] [&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[ 2733.207913] [&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)

It was traced down to a case where usb_kill_urb would be called on a URB
structure containing more or less random data, including a large number in
its use_count. During debugging it appeared that in brcmf_usb_free_q()
the traversal over the URB lists is not synchronized with operations on those
lists in brcmf_usb_rx_complete(), leading to the brcmf_usbdev_info structure
(holding the lists' heads) being handled as a list element and as a result
causing the above problem.

Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
arrays of requests instead of linked lists.

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: fix WARNING during USB disconnect in case of unempty psq</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-04T15:42:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8116fb7f8c8133eb7bc83a20082a10a1e8e962f3'/>
<id>8116fb7f8c8133eb7bc83a20082a10a1e8e962f3</id>
<content type='text'>
[ Upstream commit c80d26e81ef1802f30364b4ad1955c1443a592b9 ]

brcmu_pkt_buf_free_skb emits a WARNING when attempting to free an sk_buff
which is part of any queue. After USB disconnect this may have happened
when brcmf_fws_hanger_cleanup() is called, as the per-interface psq was never
cleaned when removing the interface.

Change brcmf_fws_macdesc_cleanup() in a way that it removes the
corresponding packets from the hanger table (to avoid a double free when
brcmf_fws_hanger_cleanup() is called) and add a call to clean up the
interface-specific packet queue.

Below is a WARNING during USB disconnect with a Raspberry Pi WiFi dongle
running in AP mode. This was reproducible when the interface was
transmitting during the disconnect and is fixed with this commit.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[&lt;8010ff84&gt;] (unwind_backtrace) from [&lt;8010bb64&gt;] (show_stack+0x10/0x14)
[&lt;8010bb64&gt;] (show_stack) from [&lt;80840278&gt;] (dump_stack+0x88/0x9c)
[&lt;80840278&gt;] (dump_stack) from [&lt;8011f5ec&gt;] (__warn+0xfc/0x114)
[&lt;8011f5ec&gt;] (__warn) from [&lt;8011f71c&gt;] (warn_slowpath_null+0x40/0x48)
[&lt;8011f71c&gt;] (warn_slowpath_null) from [&lt;805a476c&gt;] (brcmu_pkt_buf_free_skb+0x3c/0x40)
[&lt;805a476c&gt;] (brcmu_pkt_buf_free_skb) from [&lt;805bb6c4&gt;] (brcmf_fws_cleanup+0x1e4/0x22c)
[&lt;805bb6c4&gt;] (brcmf_fws_cleanup) from [&lt;805bc854&gt;] (brcmf_fws_del_interface+0x58/0x68)
[&lt;805bc854&gt;] (brcmf_fws_del_interface) from [&lt;805b66ac&gt;] (brcmf_remove_interface+0x40/0x150)
[&lt;805b66ac&gt;] (brcmf_remove_interface) from [&lt;805b6870&gt;] (brcmf_detach+0x6c/0xb0)
[&lt;805b6870&gt;] (brcmf_detach) from [&lt;805bdbb8&gt;] (brcmf_usb_disconnect+0x30/0x4c)
[&lt;805bdbb8&gt;] (brcmf_usb_disconnect) from [&lt;805e5d64&gt;] (usb_unbind_interface+0x5c/0x1e0)
[&lt;805e5d64&gt;] (usb_unbind_interface) from [&lt;804aab10&gt;] (device_release_driver_internal+0x154/0x1ec)
[&lt;804aab10&gt;] (device_release_driver_internal) from [&lt;804a97f4&gt;] (bus_remove_device+0xcc/0xf8)
[&lt;804a97f4&gt;] (bus_remove_device) from [&lt;804a6fc0&gt;] (device_del+0x118/0x308)
[&lt;804a6fc0&gt;] (device_del) from [&lt;805e488c&gt;] (usb_disable_device+0xa0/0x1c8)
[&lt;805e488c&gt;] (usb_disable_device) from [&lt;805dcf98&gt;] (usb_disconnect+0x70/0x1d8)
[&lt;805dcf98&gt;] (usb_disconnect) from [&lt;805ddd84&gt;] (hub_event+0x464/0xf50)
[&lt;805ddd84&gt;] (hub_event) from [&lt;80135a70&gt;] (process_one_work+0x138/0x3f8)
[&lt;80135a70&gt;] (process_one_work) from [&lt;80135d5c&gt;] (worker_thread+0x2c/0x554)
[&lt;80135d5c&gt;] (worker_thread) from [&lt;8013b1a0&gt;] (kthread+0x124/0x154)
[&lt;8013b1a0&gt;] (kthread) from [&lt;801010e8&gt;] (ret_from_fork+0x14/0x2c)
Exception stack(0xecf8dfb0 to 0xecf8dff8)
dfa0:                                     00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
---[ end trace 38d234018e9e2a90 ]---
------------[ cut here ]------------

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: convert dev_init_lock mutex to completion</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-13T09:52:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4eec2427daaa86f7de36660dc57fd86082194a10'/>
<id>4eec2427daaa86f7de36660dc57fd86082194a10</id>
<content type='text'>
[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]

Leaving the dev_init_lock mutex locked in probe causes a BUG and a WARNING when
the kernel is compiled with CONFIG_PROVE_LOCKING. Convert the mutex to a
completion, which silences those warnings and improves code readability.

Fix the below errors when connecting the USB WiFi dongle:

brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
     last function: hub_event
1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;8014195c&gt;] (process_one_work+0x710/0x808)
[&lt;8014195c&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

======================================================
WARNING: possible circular locking dependency detected
4.19.23-00084-g454a789-dirty #123 Not tainted
------------------------------------------------------
kworker/0:2/434 is trying to acquire lock:
e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808

but task is already holding lock:
18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #2 (&amp;devinfo-&gt;dev_init_lock){+.+.}:
       mutex_lock_nested+0x1c/0x24
       brcmf_usb_probe+0x78/0x550 [brcmfmac]
       usb_probe_interface+0xc0/0x1bc
       really_probe+0x228/0x2c0
       __driver_attach+0xe4/0xe8
       bus_for_each_dev+0x68/0xb4
       bus_add_driver+0x19c/0x214
       driver_register+0x78/0x110
       usb_register_driver+0x84/0x148
       process_one_work+0x228/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #1 (brcmf_driver_work){+.+.}:
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #0 ((wq_completion)"events"){+.+.}:
       process_one_work+0x1b8/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --&gt; brcmf_driver_work --&gt; &amp;devinfo-&gt;dev_init_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&amp;devinfo-&gt;dev_init_lock);
                               lock(brcmf_driver_work);
                               lock(&amp;devinfo-&gt;dev_init_lock);
  lock((wq_completion)"events");

 *** DEADLOCK ***

1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

stack backtrace:
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: events request_firmware_work_func
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;80172838&gt;] (print_circular_bug+0x210/0x330)
[&lt;80172838&gt;] (print_circular_bug) from [&lt;80175940&gt;] (__lock_acquire+0x160c/0x1a30)
[&lt;80175940&gt;] (__lock_acquire) from [&lt;8017671c&gt;] (lock_acquire+0xe0/0x268)
[&lt;8017671c&gt;] (lock_acquire) from [&lt;80141404&gt;] (process_one_work+0x1b8/0x808)
[&lt;80141404&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]

Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
which silences those warnings and improves code readability.

Fix below errors when connecting the USB WiFi dongle:

brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
     last function: hub_event
1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;8014195c&gt;] (process_one_work+0x710/0x808)
[&lt;8014195c&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

======================================================
WARNING: possible circular locking dependency detected
4.19.23-00084-g454a789-dirty #123 Not tainted
------------------------------------------------------
kworker/0:2/434 is trying to acquire lock:
e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808

but task is already holding lock:
18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #2 (&amp;devinfo-&gt;dev_init_lock){+.+.}:
       mutex_lock_nested+0x1c/0x24
       brcmf_usb_probe+0x78/0x550 [brcmfmac]
       usb_probe_interface+0xc0/0x1bc
       really_probe+0x228/0x2c0
       __driver_attach+0xe4/0xe8
       bus_for_each_dev+0x68/0xb4
       bus_add_driver+0x19c/0x214
       driver_register+0x78/0x110
       usb_register_driver+0x84/0x148
       process_one_work+0x228/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #1 (brcmf_driver_work){+.+.}:
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #0 ((wq_completion)"events"){+.+.}:
       process_one_work+0x1b8/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --&gt; brcmf_driver_work --&gt; &amp;devinfo-&gt;dev_init_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&amp;devinfo-&gt;dev_init_lock);
                               lock(brcmf_driver_work);
                               lock(&amp;devinfo-&gt;dev_init_lock);
  lock((wq_completion)"events");

 *** DEADLOCK ***

1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

stack backtrace:
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: events request_firmware_work_func
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;80172838&gt;] (print_circular_bug+0x210/0x330)
[&lt;80172838&gt;] (print_circular_bug) from [&lt;80175940&gt;] (__lock_acquire+0x160c/0x1a30)
[&lt;80175940&gt;] (__lock_acquire) from [&lt;8017671c&gt;] (lock_acquire+0xe0/0x268)
[&lt;8017671c&gt;] (lock_acquire) from [&lt;80141404&gt;] (process_one_work+0x1b8/0x808)
[&lt;80141404&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>b43: shut up clang -Wuninitialized variable warning</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2019-03-22T14:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3fb9b1b0a0fabc31f90c15a3f61d5d91e28227dc'/>
<id>3fb9b1b0a0fabc31f90c15a3f61d5d91e28227dc</id>
<content type='text'>
[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]

Clang warns about what is clearly a case of passing an uninitialized
variable into a static function:

drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
      [-Werror,-Wuninitialized]
                lpphy_papd_cal(dev, gains, 0, 1, 30);
                                    ^~~~~
drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
        struct lpphy_tx_gains gains, oldgains;
        ^
1 error generated.

However, this function is empty, and its arguments are never evaluated,
so gcc in contrast does not warn here. Both compilers behave in a
reasonable way as far as I can tell, so we should change the code
to avoid the warning everywhere.

We could just eliminate the lpphy_papd_cal() function entirely,
given that it has had the TODO comment in it for 10 years now
and is rather unlikely to ever get done. I'm doing a simpler
change here, and just pass the 'oldgains' variable in that has
been initialized, based on the guess that this is what was
originally meant.

Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration &amp; software RFKILL support")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Reviewed-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]

Clang warns about what is clearly a case of passing an uninitialized
variable into a static function:

drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
      [-Werror,-Wuninitialized]
                lpphy_papd_cal(dev, gains, 0, 1, 30);
                                    ^~~~~
drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
        struct lpphy_tx_gains gains, oldgains;
        ^
1 error generated.

However, this function is empty, and its arguments are never evaluated,
so gcc in contrast does not warn here. Both compilers behave in a
reasonable way as far as I can tell, so we should change the code
to avoid the warning everywhere.

We could just eliminate the lpphy_papd_cal() function entirely,
given that it has had the TODO comment in it for 10 years now
and is rather unlikely to ever get done. I'm doing a simpler
change here, and just pass the 'oldgains' variable in that has
been initialized, based on the guess that this is what was
originally meant.

Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration &amp; software RFKILL support")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Reviewed-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix missing checks for kmemdup</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Kangjie Lu</name>
<email>kjlu@umn.edu</email>
</author>
<published>2019-03-15T17:04:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e8e75263fa4e8c4577ccfdcc420e12b7da85fd74'/>
<id>e8e75263fa4e8c4577ccfdcc420e12b7da85fd74</id>
<content type='text'>
[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]

In case kmemdup fails, the fix sets conn_info-&gt;req_ie_len and
conn_info-&gt;resp_ie_len to zero to avoid buffer overflows.

Signed-off-by: Kangjie Lu &lt;kjlu@umn.edu&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]

In case kmemdup fails, the fix sets conn_info-&gt;req_ie_len and
conn_info-&gt;resp_ie_len to zero to avoid buffer overflows.

Signed-off-by: Kangjie Lu &lt;kjlu@umn.edu&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()</title>
<updated>2019-05-31T13:44:55+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2019-04-24T09:52:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=037f8c6296b6527b3a8df8500b0e5680c0578be2'/>
<id>037f8c6296b6527b3a8df8500b0e5680c0578be2</id>
<content type='text'>
[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]

If "ret_len" is negative then it could lead to a NULL dereference.

The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
Most of the functions in that call tree check whether the buffer we pass
is NULL but there are at least a couple places which don't such as
brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
from the buffer so it would result in a NULL dereference.

The fix is to change the types so that "ret_len" can't be negative.  (If
we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
issue).

Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]

If "ret_len" is negative then it could lead to a NULL dereference.

The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
Most of the functions in that call tree check whether the buffer we pass
is NULL but there are at least a couple places which don't such as
brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
from the buffer so it would result in a NULL dereference.

The fix is to change the types so that "ret_len" can't be negative.  (If
we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
issue).

Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: add subtype check for event handling in data path</title>
<updated>2019-05-31T13:44:47+00:00</updated>
<author>
<name>Arend van Spriel</name>
<email>arend.vanspriel@broadcom.com</email>
</author>
<published>2019-02-14T12:43:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=72be314718b0e0e3a4d3f7c02aca65bc12aada95'/>
<id>72be314718b0e0e3a4d3f7c02aca65bc12aada95</id>
<content type='text'>
commit a4176ec356c73a46c07c181c6d04039fafa34a9f upstream.

For USB there is no separate channel being used to pass events
from firmware to the host driver and as such they are passed over the
data path. In order to detect mock event messages an additional
check is needed on event subtype. This check is added conditionally
using the unlikely() keyword.

Reviewed-by: Hante Meuleman &lt;hante.meuleman@broadcom.com&gt;
Reviewed-by: Pieter-Paul Giesberts &lt;pieter-paul.giesberts@broadcom.com&gt;
Reviewed-by: Franky Lin &lt;franky.lin@broadcom.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a4176ec356c73a46c07c181c6d04039fafa34a9f upstream.

For USB there is no separate channel being used to pass events
from firmware to the host driver and as such they are passed over the
data path. In order to detect mock event messages an additional
check is needed on event subtype. This check is added conditionally
using the unlikely() keyword.

Reviewed-by: Hante Meuleman &lt;hante.meuleman@broadcom.com&gt;
Reviewed-by: Pieter-Paul Giesberts &lt;pieter-paul.giesberts@broadcom.com&gt;
Reviewed-by: Franky Lin &lt;franky.lin@broadcom.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: assure SSID length from firmware is limited</title>
<updated>2019-05-31T13:44:47+00:00</updated>
<author>
<name>Arend van Spriel</name>
<email>arend.vanspriel@broadcom.com</email>
</author>
<published>2019-02-14T12:43:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c40be0dd9af9ec1289527761b35e940f757581ca'/>
<id>c40be0dd9af9ec1289527761b35e940f757581ca</id>
<content type='text'>
commit 1b5e2423164b3670e8bc9174e4762d297990deff upstream.

The SSID length as received from firmware should not exceed
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.

Reviewed-by: Hante Meuleman &lt;hante.meuleman@broadcom.com&gt;
Reviewed-by: Pieter-Paul Giesberts &lt;pieter-paul.giesberts@broadcom.com&gt;
Reviewed-by: Franky Lin &lt;franky.lin@broadcom.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1b5e2423164b3670e8bc9174e4762d297990deff upstream.

The SSID length as received from firmware should not exceed
IEEE80211_MAX_SSID_LEN as that would result in heap overflow.

Reviewed-by: Hante Meuleman &lt;hante.meuleman@broadcom.com&gt;
Reviewed-by: Pieter-Paul Giesberts &lt;pieter-paul.giesberts@broadcom.com&gt;
Reviewed-by: Franky Lin &lt;franky.lin@broadcom.com&gt;
Signed-off-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11 mini PCs</title>
<updated>2019-05-25T16:22:04+00:00</updated>
<author>
<name>Hans de Goede</name>
<email>hdegoede@redhat.com</email>
</author>
<published>2019-04-22T20:41:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c65b5a9d8293dd7493d62f4b3e25e7a1c800be9'/>
<id>6c65b5a9d8293dd7493d62f4b3e25e7a1c800be9</id>
<content type='text'>
commit b1a0ba8f772d7a6dcb5aa3e856f5bd8274989ebe upstream.

The ACEPC T8 and T11 mini PCs contain quite generic names in the sys_vendor
and product_name DMI strings, without this patch brcmfmac will try to load:
"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which
is way too generic.

The DMI strings on which we are matching are somewhat generic too, but
"To be filled by O.E.M." is less common than "Default string" and the
system-sku and bios-version strings are pretty unique. Besides the DMI
strings we also check the wifi-module chip-id and revision. I'm confident
that the combination of all this is unique.

Both the T8 and T11 use the same wifi-module, this commit adds DMI
quirks for both mini PCs pointing to brcmfmac43455-sdio.acepc-t8.txt .

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b1a0ba8f772d7a6dcb5aa3e856f5bd8274989ebe upstream.

The ACEPC T8 and T11 mini PCs contain quite generic names in the sys_vendor
and product_name DMI strings, without this patch brcmfmac will try to load:
"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which
is way too generic.

The DMI strings on which we are matching are somewhat generic too, but
"To be filled by O.E.M." is less common than "Default string" and the
system-sku and bios-version strings are pretty unique. Besides the DMI
strings we also check the wifi-module chip-id and revision. I'm confident
that the combination of all this is unique.

Both the T8 and T11 use the same wifi-module, this commit adds DMI
quirks for both mini PCs pointing to brcmfmac43455-sdio.acepc-t8.txt .

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede &lt;hdegoede@redhat.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
