]> www.infradead.org Git - users/hch/misc.git/commitdiff
brcmfmac: Fix driver crash on USB control transfer timeout
authorRaveendran Somu <raveendran.somu@cypress.com>
Wed, 25 Mar 2020 08:20:24 +0000 (03:20 -0500)
committerKalle Valo <kvalo@codeaurora.org>
Thu, 26 Mar 2020 09:43:45 +0000 (11:43 +0200)
When the control transfer gets timed out, the error status
was returned without killing that urb, this leads to using
the same urb. This issue causes the kernel crash as the same
urb is sumbitted multiple times. The fix is to kill the
urb for timeout transfer before returning error

Signed-off-by: Raveendran Somu <raveendran.somu@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1585124429-97371-2-git-send-email-chi-hsien.lin@cypress.com
drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c

index 575ed19e91951f0acbc9b861e78a81f15b67e5f3..10387a7f5d565fc54cdba8281e9342605148e242 100644 (file)
@@ -328,11 +328,12 @@ static int brcmf_usb_tx_ctlpkt(struct device *dev, u8 *buf, u32 len)
                return err;
        }
        timeout = brcmf_usb_ioctl_resp_wait(devinfo);
-       clear_bit(0, &devinfo->ctl_op);
        if (!timeout) {
                brcmf_err("Txctl wait timed out\n");
+               usb_kill_urb(devinfo->ctl_urb);
                err = -EIO;
        }
+       clear_bit(0, &devinfo->ctl_op);
        return err;
 }
 
@@ -358,11 +359,12 @@ static int brcmf_usb_rx_ctlpkt(struct device *dev, u8 *buf, u32 len)
        }
        timeout = brcmf_usb_ioctl_resp_wait(devinfo);
        err = devinfo->ctl_urb_status;
-       clear_bit(0, &devinfo->ctl_op);
        if (!timeout) {
                brcmf_err("rxctl wait timed out\n");
+               usb_kill_urb(devinfo->ctl_urb);
                err = -EIO;
        }
+       clear_bit(0, &devinfo->ctl_op);
        if (!err)
                return devinfo->ctl_urb_actual_length;
        else