<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless, branch linux-5.0.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>wil6210: fix return code of wmi_mgmt_tx and wmi_mgmt_tx_ext</title>
<updated>2019-05-31T13:45:12+00:00</updated>
<author>
<name>Lior David</name>
<email>liord@codeaurora.org</email>
</author>
<published>2019-02-28T09:35:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8dbae96a237f143909e2e6997f3a9b7d812a3c31'/>
<id>8dbae96a237f143909e2e6997f3a9b7d812a3c31</id>
<content type='text'>
[ Upstream commit 49122ec42634f73babb1dc96f170023e5228d080 ]

The functions that send management TX frame have 3 possible
results: success and other side acknowledged receive (ACK=1),
success and other side did not acknowledge receive (ACK=0) and
failure to send the frame. The current implementation
incorrectly reports the ACK=0 case as failure.

Signed-off-by: Lior David &lt;liord@codeaurora.org&gt;
Signed-off-by: Maya Erez &lt;merez@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>rtlwifi: fix potential NULL pointer dereference</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Ping-Ke Shih</name>
<email>pkshih@realtek.com</email>
</author>
<published>2019-03-12T09:06:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=257002003291f0dc959fcec70a0674020d9f019b'/>
<id>257002003291f0dc959fcec70a0674020d9f019b</id>
<content type='text'>
[ Upstream commit 60209d482b97743915883d293c8b85226d230c19 ]

In case dev_alloc_skb fails, the fix safely returns to avoid
potential NULL pointer dereference.

Signed-off-by: Ping-Ke Shih &lt;pkshih@realtek.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: fix Oops when bringing up interface during USB disconnect</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-13T09:52:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=306e799b6d9e8f286e9e19f83f68c3144f5e2fde'/>
<id>306e799b6d9e8f286e9e19f83f68c3144f5e2fde</id>
<content type='text'>
[ Upstream commit 24d413a31afaee9bbbf79226052c386b01780ce2 ]

Fix a race which leads to an Oops with NULL pointer dereference.  The
dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
net_device structure of interface with index 0 via if2bss mapping. This
shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
but it's not synchronised with USB disconnect and there is a race: after
the check the bus can be marked down and the mapping for interface 0 may be
gone.

Solve this by modifying disconnect handling so that the removal of mapping
of ifidx to brcmf_if structure happens after netdev removal (which is
synchronous with brcmf_netdev_open() thanks to rtnl being locked in
devinet_ioctl()). This assures brcmf_netdev_open() returns before the
mapping is removed during disconnect.

Unable to handle kernel NULL pointer dereference at virtual address 00000008
pgd = bcae2612
[00000008] *pgd=8be73831
Internal error: Oops: 17 [#1] PREEMPT SMP ARM
Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
udc_core [last unloaded: brcmutil]
CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
pc : [&lt;7f26a91c&gt;]    lr : [&lt;7f26a914&gt;]    psr: a0070013
sp : eca99d28  ip : 00000000  fp : ee9c6c00
r10: 00000036  r9 : 00000000  r8 : ece4002c
r7 : edb5b800  r6 : 00000000  r5 : 80f08448  r4 : edb5b968
r3 : ffffffff  r2 : 00000000  r1 : 00000002  r0 : 00000000
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 7ca0c04a  DAC: 00000051
Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
[&lt;7f26a91c&gt;] (brcmf_cfg80211_up [brcmfmac]) from [&lt;7f27262c&gt;] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
[&lt;7f27262c&gt;] (brcmf_netdev_open [brcmfmac]) from [&lt;80772008&gt;] (__dev_open+0xcc/0x150)
[&lt;80772008&gt;] (__dev_open) from [&lt;807723d0&gt;] (__dev_change_flags+0x168/0x1b4)
[&lt;807723d0&gt;] (__dev_change_flags) from [&lt;80772434&gt;] (dev_change_flags+0x18/0x48)
[&lt;80772434&gt;] (dev_change_flags) from [&lt;80805f70&gt;] (devinet_ioctl+0x67c/0x79c)
[&lt;80805f70&gt;] (devinet_ioctl) from [&lt;80808b9c&gt;] (inet_ioctl+0x210/0x3d4)
[&lt;80808b9c&gt;] (inet_ioctl) from [&lt;8074721c&gt;] (sock_ioctl+0x350/0x524)
[&lt;8074721c&gt;] (sock_ioctl) from [&lt;80285138&gt;] (do_vfs_ioctl+0xb0/0x9b0)
[&lt;80285138&gt;] (do_vfs_ioctl) from [&lt;80285a6c&gt;] (ksys_ioctl+0x34/0x5c)
[&lt;80285a6c&gt;] (ksys_ioctl) from [&lt;80101000&gt;] (ret_fast_syscall+0x0/0x28)
Exception stack(0xeca99fa8 to 0xeca99ff0)
9fa0:                   00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
---[ end trace 5cbac2333f3ac5df ]---

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: fix race during disconnect when USB completion is in progress</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-08T15:25:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d0b552ad0ad3744231e664553aa7212895e17b89'/>
<id>d0b552ad0ad3744231e664553aa7212895e17b89</id>
<content type='text'>
[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]

It was observed that rarely during USB disconnect happening shortly after
connect (before full initialization completes) usb_hub_wq would wait
forever for the dev_init_lock to be unlocked. dev_init_lock would remain
locked though because of infinite wait during usb_kill_urb:

[ 2730.656472] kworker/0:2     D    0   260      2 0x00000000
[ 2730.660700] Workqueue: events request_firmware_work_func
[ 2730.664807] [&lt;809dca20&gt;] (__schedule) from [&lt;809dd164&gt;] (schedule+0x4c/0xac)
[ 2730.670587] [&lt;809dd164&gt;] (schedule) from [&lt;8069af44&gt;] (usb_kill_urb+0xdc/0x114)
[ 2730.676815] [&lt;8069af44&gt;] (usb_kill_urb) from [&lt;7f258b50&gt;] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
[ 2730.684833] [&lt;7f258b50&gt;] (brcmf_usb_free_q [brcmfmac]) from [&lt;7f2517d4&gt;] (brcmf_detach+0xa0/0xb8 [brcmfmac])
[ 2730.693557] [&lt;7f2517d4&gt;] (brcmf_detach [brcmfmac]) from [&lt;7f251a34&gt;] (brcmf_attach+0xac/0x3d8 [brcmfmac])
[ 2730.702094] [&lt;7f251a34&gt;] (brcmf_attach [brcmfmac]) from [&lt;7f2587ac&gt;] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
[ 2730.711601] [&lt;7f2587ac&gt;] (brcmf_usb_probe_phase2 [brcmfmac]) from [&lt;7f252888&gt;] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
[ 2730.721795] [&lt;7f252888&gt;] (brcmf_fw_request_done [brcmfmac]) from [&lt;805748e4&gt;] (request_firmware_work_func+0x4c/0x88)
[ 2730.731125] [&lt;805748e4&gt;] (request_firmware_work_func) from [&lt;80141474&gt;] (process_one_work+0x228/0x808)
[ 2730.739223] [&lt;80141474&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[ 2730.746105] [&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[ 2730.752227] [&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)

[ 2733.099695] kworker/0:3     D    0  1065      2 0x00000000
[ 2733.103926] Workqueue: usb_hub_wq hub_event
[ 2733.106914] [&lt;809dca20&gt;] (__schedule) from [&lt;809dd164&gt;] (schedule+0x4c/0xac)
[ 2733.112693] [&lt;809dd164&gt;] (schedule) from [&lt;809e2a8c&gt;] (schedule_timeout+0x214/0x3e4)
[ 2733.119621] [&lt;809e2a8c&gt;] (schedule_timeout) from [&lt;809dde2c&gt;] (wait_for_common+0xc4/0x1c0)
[ 2733.126810] [&lt;809dde2c&gt;] (wait_for_common) from [&lt;7f258d00&gt;] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
[ 2733.135206] [&lt;7f258d00&gt;] (brcmf_usb_disconnect [brcmfmac]) from [&lt;8069e0c8&gt;] (usb_unbind_interface+0x5c/0x1e4)
[ 2733.143943] [&lt;8069e0c8&gt;] (usb_unbind_interface) from [&lt;8056d3e8&gt;] (device_release_driver_internal+0x164/0x1fc)
[ 2733.152769] [&lt;8056d3e8&gt;] (device_release_driver_internal) from [&lt;8056c078&gt;] (bus_remove_device+0xd0/0xfc)
[ 2733.161138] [&lt;8056c078&gt;] (bus_remove_device) from [&lt;8056977c&gt;] (device_del+0x11c/0x310)
[ 2733.167939] [&lt;8056977c&gt;] (device_del) from [&lt;8069cba8&gt;] (usb_disable_device+0xa0/0x1cc)
[ 2733.174743] [&lt;8069cba8&gt;] (usb_disable_device) from [&lt;8069507c&gt;] (usb_disconnect+0x74/0x1dc)
[ 2733.181823] [&lt;8069507c&gt;] (usb_disconnect) from [&lt;80695e88&gt;] (hub_event+0x478/0xf88)
[ 2733.188278] [&lt;80695e88&gt;] (hub_event) from [&lt;80141474&gt;] (process_one_work+0x228/0x808)
[ 2733.194905] [&lt;80141474&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[ 2733.201724] [&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[ 2733.207913] [&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)

It was traced down to a case where usb_kill_urb would be called on a URB
structure containing more or less random data, including a large number in
its use_count. During the debugging it appeared that in brcmf_usb_free_q()
the traversal over URBs' lists is not synchronized with operations on those
lists in brcmf_usb_rx_complete(), leading to handling the
brcmf_usbdev_info structure (holding the lists' head) as a list element and,
as a result, causing the above problem.

Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
arrays of requests instead of linked lists.

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: fix WARNING during USB disconnect in case of unempty psq</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-04T15:42:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8116fb7f8c8133eb7bc83a20082a10a1e8e962f3'/>
<id>8116fb7f8c8133eb7bc83a20082a10a1e8e962f3</id>
<content type='text'>
[ Upstream commit c80d26e81ef1802f30364b4ad1955c1443a592b9 ]

brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
which is part of any queue. After USB disconnect this may have happened
when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
cleaned when removing the interface.
Change brcmf_fws_macdesc_cleanup() in a way that it removes the
corresponding packets from hanger table (to avoid double-free when
brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
interface specific packet queue.

Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
running in AP mode. This was reproducible when the interface was
transmitting during the disconnect and is fixed with this commit.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[&lt;8010ff84&gt;] (unwind_backtrace) from [&lt;8010bb64&gt;] (show_stack+0x10/0x14)
[&lt;8010bb64&gt;] (show_stack) from [&lt;80840278&gt;] (dump_stack+0x88/0x9c)
[&lt;80840278&gt;] (dump_stack) from [&lt;8011f5ec&gt;] (__warn+0xfc/0x114)
[&lt;8011f5ec&gt;] (__warn) from [&lt;8011f71c&gt;] (warn_slowpath_null+0x40/0x48)
[&lt;8011f71c&gt;] (warn_slowpath_null) from [&lt;805a476c&gt;] (brcmu_pkt_buf_free_skb+0x3c/0x40)
[&lt;805a476c&gt;] (brcmu_pkt_buf_free_skb) from [&lt;805bb6c4&gt;] (brcmf_fws_cleanup+0x1e4/0x22c)
[&lt;805bb6c4&gt;] (brcmf_fws_cleanup) from [&lt;805bc854&gt;] (brcmf_fws_del_interface+0x58/0x68)
[&lt;805bc854&gt;] (brcmf_fws_del_interface) from [&lt;805b66ac&gt;] (brcmf_remove_interface+0x40/0x150)
[&lt;805b66ac&gt;] (brcmf_remove_interface) from [&lt;805b6870&gt;] (brcmf_detach+0x6c/0xb0)
[&lt;805b6870&gt;] (brcmf_detach) from [&lt;805bdbb8&gt;] (brcmf_usb_disconnect+0x30/0x4c)
[&lt;805bdbb8&gt;] (brcmf_usb_disconnect) from [&lt;805e5d64&gt;] (usb_unbind_interface+0x5c/0x1e0)
[&lt;805e5d64&gt;] (usb_unbind_interface) from [&lt;804aab10&gt;] (device_release_driver_internal+0x154/0x1ec)
[&lt;804aab10&gt;] (device_release_driver_internal) from [&lt;804a97f4&gt;] (bus_remove_device+0xcc/0xf8)
[&lt;804a97f4&gt;] (bus_remove_device) from [&lt;804a6fc0&gt;] (device_del+0x118/0x308)
[&lt;804a6fc0&gt;] (device_del) from [&lt;805e488c&gt;] (usb_disable_device+0xa0/0x1c8)
[&lt;805e488c&gt;] (usb_disable_device) from [&lt;805dcf98&gt;] (usb_disconnect+0x70/0x1d8)
[&lt;805dcf98&gt;] (usb_disconnect) from [&lt;805ddd84&gt;] (hub_event+0x464/0xf50)
[&lt;805ddd84&gt;] (hub_event) from [&lt;80135a70&gt;] (process_one_work+0x138/0x3f8)
[&lt;80135a70&gt;] (process_one_work) from [&lt;80135d5c&gt;] (worker_thread+0x2c/0x554)
[&lt;80135d5c&gt;] (worker_thread) from [&lt;8013b1a0&gt;] (kthread+0x124/0x154)
[&lt;8013b1a0&gt;] (kthread) from [&lt;801010e8&gt;] (ret_from_fork+0x14/0x2c)
Exception stack(0xecf8dfb0 to 0xecf8dff8)
dfa0:                                     00000000 00000000 00000000 00000000
dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
---[ end trace 38d234018e9e2a90 ]---
------------[ cut here ]------------

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>brcmfmac: convert dev_init_lock mutex to completion</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Piotr Figiel</name>
<email>p.figiel@camlintechnologies.com</email>
</author>
<published>2019-03-13T09:52:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4eec2427daaa86f7de36660dc57fd86082194a10'/>
<id>4eec2427daaa86f7de36660dc57fd86082194a10</id>
<content type='text'>
[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]

Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
which silences those warnings and improves code readability.

Fix below errors when connecting the USB WiFi dongle:

brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
     last function: hub_event
1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;8014195c&gt;] (process_one_work+0x710/0x808)
[&lt;8014195c&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

======================================================
WARNING: possible circular locking dependency detected
4.19.23-00084-g454a789-dirty #123 Not tainted
------------------------------------------------------
kworker/0:2/434 is trying to acquire lock:
e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808

but task is already holding lock:
18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #2 (&amp;devinfo-&gt;dev_init_lock){+.+.}:
       mutex_lock_nested+0x1c/0x24
       brcmf_usb_probe+0x78/0x550 [brcmfmac]
       usb_probe_interface+0xc0/0x1bc
       really_probe+0x228/0x2c0
       __driver_attach+0xe4/0xe8
       bus_for_each_dev+0x68/0xb4
       bus_add_driver+0x19c/0x214
       driver_register+0x78/0x110
       usb_register_driver+0x84/0x148
       process_one_work+0x228/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #1 (brcmf_driver_work){+.+.}:
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #0 ((wq_completion)"events"){+.+.}:
       process_one_work+0x1b8/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --&gt; brcmf_driver_work --&gt; &amp;devinfo-&gt;dev_init_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&amp;devinfo-&gt;dev_init_lock);
                               lock(brcmf_driver_work);
                               lock(&amp;devinfo-&gt;dev_init_lock);
  lock((wq_completion)"events");

 *** DEADLOCK ***

1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

stack backtrace:
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: events request_firmware_work_func
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;80172838&gt;] (print_circular_bug+0x210/0x330)
[&lt;80172838&gt;] (print_circular_bug) from [&lt;80175940&gt;] (__lock_acquire+0x160c/0x1a30)
[&lt;80175940&gt;] (__lock_acquire) from [&lt;8017671c&gt;] (lock_acquire+0xe0/0x268)
[&lt;8017671c&gt;] (lock_acquire) from [&lt;80141404&gt;] (process_one_work+0x1b8/0x808)
[&lt;80141404&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]

Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
which silences those warnings and improves code readability.

Fix below errors when connecting the USB WiFi dongle:

brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
     last function: hub_event
1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;8014195c&gt;] (process_one_work+0x710/0x808)
[&lt;8014195c&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

======================================================
WARNING: possible circular locking dependency detected
4.19.23-00084-g454a789-dirty #123 Not tainted
------------------------------------------------------
kworker/0:2/434 is trying to acquire lock:
e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808

but task is already holding lock:
18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #2 (&amp;devinfo-&gt;dev_init_lock){+.+.}:
       mutex_lock_nested+0x1c/0x24
       brcmf_usb_probe+0x78/0x550 [brcmfmac]
       usb_probe_interface+0xc0/0x1bc
       really_probe+0x228/0x2c0
       __driver_attach+0xe4/0xe8
       bus_for_each_dev+0x68/0xb4
       bus_add_driver+0x19c/0x214
       driver_register+0x78/0x110
       usb_register_driver+0x84/0x148
       process_one_work+0x228/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #1 (brcmf_driver_work){+.+.}:
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-&gt; #0 ((wq_completion)"events"){+.+.}:
       process_one_work+0x1b8/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --&gt; brcmf_driver_work --&gt; &amp;devinfo-&gt;dev_init_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&amp;devinfo-&gt;dev_init_lock);
                               lock(brcmf_driver_work);
                               lock(&amp;devinfo-&gt;dev_init_lock);
  lock((wq_completion)"events");

 *** DEADLOCK ***

1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&amp;devinfo-&gt;dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

stack backtrace:
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: events request_firmware_work_func
[&lt;8011237c&gt;] (unwind_backtrace) from [&lt;8010d74c&gt;] (show_stack+0x10/0x14)
[&lt;8010d74c&gt;] (show_stack) from [&lt;809c4324&gt;] (dump_stack+0xa8/0xd4)
[&lt;809c4324&gt;] (dump_stack) from [&lt;80172838&gt;] (print_circular_bug+0x210/0x330)
[&lt;80172838&gt;] (print_circular_bug) from [&lt;80175940&gt;] (__lock_acquire+0x160c/0x1a30)
[&lt;80175940&gt;] (__lock_acquire) from [&lt;8017671c&gt;] (lock_acquire+0xe0/0x268)
[&lt;8017671c&gt;] (lock_acquire) from [&lt;80141404&gt;] (process_one_work+0x1b8/0x808)
[&lt;80141404&gt;] (process_one_work) from [&lt;80141a80&gt;] (worker_thread+0x2c/0x564)
[&lt;80141a80&gt;] (worker_thread) from [&lt;80147bcc&gt;] (kthread+0x13c/0x16c)
[&lt;80147bcc&gt;] (kthread) from [&lt;801010b4&gt;] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Signed-off-by: Piotr Figiel &lt;p.figiel@camlintechnologies.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>b43: shut up clang -Wuninitialized variable warning</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Arnd Bergmann</name>
<email>arnd@arndb.de</email>
</author>
<published>2019-03-22T14:37:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3fb9b1b0a0fabc31f90c15a3f61d5d91e28227dc'/>
<id>3fb9b1b0a0fabc31f90c15a3f61d5d91e28227dc</id>
<content type='text'>
[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]

Clang warns about what is clearly a case of passing an uninitialized
variable into a static function:

drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
      [-Werror,-Wuninitialized]
                lpphy_papd_cal(dev, gains, 0, 1, 30);
                                    ^~~~~
drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
        struct lpphy_tx_gains gains, oldgains;
        ^
1 error generated.

However, this function is empty, and its arguments are never evaluated,
so gcc in contrast does not warn here. Both compilers behave in a
reasonable way as far as I can tell, so we should change the code
to avoid the warning everywhere.

We could just eliminate the lpphy_papd_cal() function entirely,
given that it has had the TODO comment in it for 10 years now
and is rather unlikely to ever get done. I'm doing a simpler
change here, and just pass the 'oldgains' variable in that has
been initialized, based on the guess that this is what was
originally meant.

Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration &amp; software RFKILL support")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Reviewed-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]

Clang warns about what is clearly a case of passing an uninitialized
variable into a static function:

drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
      [-Werror,-Wuninitialized]
                lpphy_papd_cal(dev, gains, 0, 1, 30);
                                    ^~~~~
drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
        struct lpphy_tx_gains gains, oldgains;
        ^
1 error generated.

However, this function is empty, and its arguments are never evaluated,
so gcc in contrast does not warn here. Both compilers behave in a
reasonable way as far as I can tell, so we should change the code
to avoid the warning everywhere.

We could just eliminate the lpphy_papd_cal() function entirely,
given that it has had the TODO comment in it for 10 years now
and is rather unlikely to ever get done. I'm doing a simpler
change here, and just pass the 'oldgains' variable in that has
been initialized, based on the guess that this is what was
originally meant.

Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration &amp; software RFKILL support")
Signed-off-by: Arnd Bergmann &lt;arnd@arndb.de&gt;
Acked-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Reviewed-by: Nathan Chancellor &lt;natechancellor@gmail.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix missing checks for kmemdup</title>
<updated>2019-05-31T13:45:11+00:00</updated>
<author>
<name>Kangjie Lu</name>
<email>kjlu@umn.edu</email>
</author>
<published>2019-03-15T17:04:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e8e75263fa4e8c4577ccfdcc420e12b7da85fd74'/>
<id>e8e75263fa4e8c4577ccfdcc420e12b7da85fd74</id>
<content type='text'>
[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]

In case kmemdup fails, the fix sets conn_info-&gt;req_ie_len and
conn_info-&gt;resp_ie_len to zero to avoid buffer overflows.

Signed-off-by: Kangjie Lu &lt;kjlu@umn.edu&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]

In case kmemdup fails, the fix sets conn_info-&gt;req_ie_len and
conn_info-&gt;resp_ie_len to zero to avoid buffer overflows.

Signed-off-by: Kangjie Lu &lt;kjlu@umn.edu&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mwifiex: Fix mem leak in mwifiex_tm_cmd</title>
<updated>2019-05-31T13:45:10+00:00</updated>
<author>
<name>YueHaibing</name>
<email>yuehaibing@huawei.com</email>
</author>
<published>2019-03-12T07:03:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=741d25eaa6c5786a4f6a842ea5da140a3eb8cf46'/>
<id>741d25eaa6c5786a4f6a842ea5da140a3eb8cf46</id>
<content type='text'>
[ Upstream commit 003b686ace820ce2d635a83f10f2d7f9c147dabc ]

'hostcmd' is allocated by kzalloc and should be freed before
leaving from the error handling cases, otherwise it will
cause a memory leak.

Fixes: 3935ccc14d2c ("mwifiex: add cfg80211 testmode support")
Signed-off-by: YueHaibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 003b686ace820ce2d635a83f10f2d7f9c147dabc ]

'hostcmd' is allocated by kzalloc and should be freed before
leaving from the error handling cases, otherwise it will
cause a memory leak.

Fixes: 3935ccc14d2c ("mwifiex: add cfg80211 testmode support")
Signed-off-by: YueHaibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rtlwifi: fix a potential NULL pointer dereference</title>
<updated>2019-05-31T13:45:10+00:00</updated>
<author>
<name>Kangjie Lu</name>
<email>kjlu@umn.edu</email>
</author>
<published>2019-03-12T07:56:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=afef821f106fc89a90d69246b7b1714b99a277f3'/>
<id>afef821f106fc89a90d69246b7b1714b99a277f3</id>
<content type='text'>
[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]

In case alloc_workqueue fails, the fix reports the error and
returns to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu &lt;kjlu@umn.edu&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]

In case alloc_workqueue fails, the fix reports the error and
returns to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu &lt;kjlu@umn.edu&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
