diff options
| author | Marcin Ślusarz <[email protected]> | 2024-05-28 13:02:46 +0200 |
|---|---|---|
| committer | Ping-Ke Shih <[email protected]> | 2024-07-05 09:38:18 +0800 |
| commit | adc539784c98a7cc602cbf557debfc2e7b9be8b3 (patch) | |
| tree | 4daea226d5762bfc4ad4ca775f5d1b707e7549e8 /drivers/fpga/tests/fpga-bridge-test.c | |
| parent | 746f4ae52a38459dbed792adb58cadaed370dcc2 (diff) | |
wifi: rtw88: usb: schedule rx work after everything is set up
Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.
The stack trace looks like this:
rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe
So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.
Fix this by moving the first usb_submit_urb after everything
is set up.
For me, this bug manifested as:
[ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.
Link: https://lore.kernel.org/linux-wireless/CA+shoWQ7P49jhQasofDcTdQhiuarPTjYEDa--NiVVx494WcuQw@mail.gmail.com/
Signed-off-by: Marcin Ślusarz <[email protected]>
Cc: Tim K <[email protected]>
Cc: Ping-Ke Shih <[email protected]>
Cc: Larry Finger <[email protected]>
Cc: Kalle Valo <[email protected]>
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Ping-Ke Shih <[email protected]>
Link: https://patch.msgid.link/[email protected]
Diffstat (limited to 'drivers/fpga/tests/fpga-bridge-test.c')
0 files changed, 0 insertions, 0 deletions