diff mbox series

[V2,1/6] brcmfmac: Fix driver crash on USB control transfer timeout

Message ID 1584096620-101123-2-git-send-email-chi-hsien.lin@cypress.com (mailing list archive)
State Changes Requested
Delegated to: Kalle Valo
Headers show
Series brcmfmac: USB change series | expand

Commit Message

Chi-Hsien Lin March 13, 2020, 10:50 a.m. UTC 
From: Raveendran Somu <raveendran.somu@cypress.com>

When the control transfer gets timed out, the error status
was returned without killing that urb, this leads to using
the same urb. This issue causes the kernel crash as the same
urb is sumbitted multiple times. The fix is to kill the
urb for timeout transfer before returning error

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Kalle Valo March 23, 2020, 5:32 p.m. UTC | #1 
Chi-Hsien Lin <chi-hsien.lin@cypress.com> wrote:

> From: Raveendran Somu <raveendran.somu@cypress.com>
> 
> When the control transfer gets timed out, the error status
> was returned without killing that urb, this leads to using
> the same urb. This issue causes the kernel crash as the same
> urb is sumbitted multiple times. The fix is to kill the
> urb for timeout transfer before returning error
> 
> Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
> Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>

Fails to build:

drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c: In function 'brcmf_usb_rx_ctlpkt':
drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:390:3: error: label 'fail' used but not defined
   goto fail;
   ^~~~
make[6]: *** [drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.o] Error 1
make[6]: *** Waiting for unfinished jobs....
make[5]: *** [drivers/net/wireless/broadcom/brcm80211/brcmfmac] Error 2
make[4]: *** [drivers/net/wireless/broadcom/brcm80211] Error 2
make[3]: *** [drivers/net/wireless/broadcom] Error 2
make[2]: *** [drivers/net/wireless] Error 2
make[1]: *** [drivers/net] Error 2
make: *** [drivers] Error 2

6 patches set to Changes Requested.

11436667 [V2,1/6] brcmfmac: Fix driver crash on USB control transfer timeout
11436669 [V2,2/6] brcmfmac: Fix double freeing in the fmac usb data path
11436671 [V2,3/6] brcmfmac: fix the incorrect return value in brcmf_inform_single_bss().
11436673 [V2,4/6] brcmfmac: increase max hanger slots from 1K to 3K in fws layer
11436675 [V2,5/6] brcmfmac: add USB autosuspend feature support
11436677 [V2,6/6] brcmfmac: To support printing USB console messages
diff mbox series

Patch

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
index 575ed19e9195..10387a7f5d56 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
@@ -328,11 +328,12 @@  static int brcmf_usb_tx_ctlpkt(struct device *dev, u8 *buf, u32 len)
 		return err;
 	}
 	timeout = brcmf_usb_ioctl_resp_wait(devinfo);
-	clear_bit(0, &devinfo->ctl_op);
 	if (!timeout) {
 		brcmf_err("Txctl wait timed out\n");
+		usb_kill_urb(devinfo->ctl_urb);
 		err = -EIO;
 	}
+	clear_bit(0, &devinfo->ctl_op);
 	return err;
 }
 
@@ -358,11 +359,12 @@  static int brcmf_usb_rx_ctlpkt(struct device *dev, u8 *buf, u32 len)
 	}
 	timeout = brcmf_usb_ioctl_resp_wait(devinfo);
 	err = devinfo->ctl_urb_status;
-	clear_bit(0, &devinfo->ctl_op);
 	if (!timeout) {
 		brcmf_err("rxctl wait timed out\n");
+		usb_kill_urb(devinfo->ctl_urb);
 		err = -EIO;
 	}
+	clear_bit(0, &devinfo->ctl_op);
 	if (!err)
 		return devinfo->ctl_urb_actual_length;
 	else