360-brcmfmac-disable-PCIe-interrupts-before-bus-reset.patch 1.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354
  1. From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
  2. Date: Mon, 18 Nov 2019 11:52:41 +0100
  3. Subject: [PATCH FIX] brcmfmac: disable PCIe interrupts before bus reset
  4. MIME-Version: 1.0
  5. Content-Type: text/plain; charset=UTF-8
  6. Content-Transfer-Encoding: 8bit
  7. Keeping interrupts on could result in brcmfmac freeing some resources
  8. and then IRQ handlers trying to use them. That was obviously a straight
  9. path for crashing a kernel.
  10. Example:
  11. CPU0 CPU1
  12. ---- ----
  13. brcmf_pcie_reset
  14. brcmf_pcie_bus_console_read
  15. brcmf_detach
  16. ...
  17. brcmf_fweh_detach
  18. brcmf_proto_detach
  19. brcmf_pcie_isr_thread
  20. ...
  21. brcmf_proto_msgbuf_rx_trigger
  22. ...
  23. drvr->proto->pd
  24. brcmf_pcie_release_irq
  25. [ 363.789218] Unable to handle kernel NULL pointer dereference at virtual address 00000038
  26. [ 363.797339] pgd = c0004000
  27. [ 363.800050] [00000038] *pgd=00000000
  28. [ 363.803635] Internal error: Oops: 17 [#1] SMP ARM
  29. (...)
  30. [ 364.029209] Backtrace:
  31. [ 364.031725] [<bf243838>] (brcmf_proto_msgbuf_rx_trigger [brcmfmac]) from [<bf2471dc>] (brcmf_pcie_isr_thread+0x228/0x274 [brcmfmac])
  32. [ 364.043662] r7:00000001 r6:c8ca0000 r5:00010000 r4:c7b4f800
  33. Fixes: 4684997d9eea ("brcmfmac: reset PCIe bus on a firmware crash")
  34. Cc: stable@vger.kernel.org # v5.2+
  35. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
  36. ---
  37. drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 ++
  38. 1 file changed, 2 insertions(+)
  39. --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
  40. +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
  41. @@ -1409,6 +1409,8 @@ static int brcmf_pcie_reset(struct devic
  42. u16 bus_nr;
  43. int err;
  44. + brcmf_pcie_intr_disable(devinfo);
  45. +
  46. brcmf_pcie_bus_console_read(devinfo, true);
  47. brcmf_detach(dev);