
Commit b88a2e80 authored by Christian Daudt, committed by Kalle Valo

brcmfmac: Fix kernel oops in failed chip_attach



When chip attach fails, brcmf_sdiod_intr_unregister is being called
but that is too early as sdiodev->settings has not been set yet
nor has brcmf_sdiod_intr_register been called.
Change to use oob_irq_requested + newly created sd_irq_requested
to decide on what to unregister at intr_unregister time.

Steps to reproduce problem:
- modprobe brcmfmac using buggy FW
- rmmod brcmfmac
- modprobe brcmfmac again.

If done with a buggy firmware, brcm_chip_attach will fail on the
2nd modprobe triggering the call to intr_unregister and the
kernel oops when attempting to de-reference sdiodev->settings->bus.sdio
which has not yet been set.

Signed-off-by: Christian Daudt <csd@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
parent 83e41e77
+17 −13
@@ -166,6 +166,7 @@ int brcmf_sdiod_intr_register(struct brcmf_sdio_dev *sdiodev)
		sdio_claim_irq(sdiodev->func[1], brcmf_sdiod_ib_irqhandler);
		sdio_claim_irq(sdiodev->func[2], brcmf_sdiod_dummy_irqhandler);
		sdio_release_host(sdiodev->func[1]);
		sdiodev->sd_irq_requested = true;
	}

	return 0;
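
Review bot: sd_irq_requested is set to true right after the two sdio_claim_irq() calls, whose return values are not checked in this hunk, so the flag can read true even when a claim failed. Consider capturing both return codes and setting the flag only on success (releasing func[1] if the func[2] claim fails), because intr_unregister now trusts this flag to decide whether to call sdio_release_irq.
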
@@ -173,18 +174,20 @@ int brcmf_sdiod_intr_register(struct brcmf_sdio_dev *sdiodev)

int brcmf_sdiod_intr_unregister(struct brcmf_sdio_dev *sdiodev)
{
	struct brcmfmac_sdio_pd *pdata;

	brcmf_dbg(SDIO, "Entering\n");
	brcmf_dbg(SDIO, "Entering oob=%d sd=%d\n",
		  sdiodev->oob_irq_requested,
		  sdiodev->sd_irq_requested);

	if (sdiodev->oob_irq_requested) {
		struct brcmfmac_sdio_pd *pdata;

		pdata = &sdiodev->settings->bus.sdio;
	if (pdata->oob_irq_supported) {
		sdio_claim_host(sdiodev->func[1]);
		brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_BRCM_SEPINT, 0, NULL);
		brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_IENx, 0, NULL);
		sdio_release_host(sdiodev->func[1]);

		if (sdiodev->oob_irq_requested) {
		sdiodev->oob_irq_requested = false;
		if (sdiodev->irq_wake) {
			disable_irq_wake(pdata->oob_irq_nr);
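
Review bot: in brcmf_sdiod_intr_unregister the guard around the regwb writes to SDIO_CCCR_BRCM_SEPINT and SDIO_CCCR_IENx changes from pdata->oob_irq_supported to sdiodev->oob_irq_requested, a behaviour change the commit message does not mention: a device where OOB is supported but was never requested no longer has those registers cleared. Please confirm that is intended and state it in the log. A short comment would also help here, saying that oob_irq_requested being true is what guarantees sdiodev->settings is valid before `pdata = &sdiodev->settings->bus.sdio;`, since that invariant is the whole fix.
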
@@ -193,7 +196,8 @@ int brcmf_sdiod_intr_unregister(struct brcmf_sdio_dev *sdiodev)
		free_irq(pdata->oob_irq_nr, &sdiodev->func[1]->dev);
		sdiodev->irq_en = false;
	}
	} else {

	if (sdiodev->sd_irq_requested) {
		sdio_claim_host(sdiodev->func[1]);
		sdio_release_irq(sdiodev->func[2]);
		sdio_release_irq(sdiodev->func[1]);
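
Review bot: the lines shown for the new `if (sdiodev->sd_irq_requested)` branch end at the two sdio_release_irq() calls with no matching `sdiodev->sd_irq_requested = false;` in view. The OOB branch clears its flag before freeing the IRQ; this branch should do the same so that a second call to intr_unregister does not release the SDIO IRQs twice. If the reset sits just below the visible context, disregard this.
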
+1 −0
@@ -186,6 +186,7 @@ struct brcmf_sdio_dev {
	struct brcmf_bus *bus_if;
	struct brcmf_mp_device *settings;
	bool oob_irq_requested;
	bool sd_irq_requested;
	bool irq_en;			/* irq enable flags */
	spinlock_t irq_en_lock;
	bool irq_wake;			/* irq wake enable flags */
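
Review bot: the new sd_irq_requested member in struct brcmf_sdio_dev has no comment, while the neighbouring irq_en and irq_wake fields do. Suggest documenting it, for example that it is true once the func[1] and func[2] SDIO IRQ handlers have been claimed in intr_register, and noting which lock or context protects it and oob_irq_requested, since both are now read in the unregister path to decide what to tear down.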