On Wed, Jun 12, 2019 at 6:03 PM Ganapathi Bhat <gbhat@xxxxxxxxxxx> wrote: > > Hi Dmitry, > > We have a patch to fix this: https://patchwork.kernel.org/patch/10990275/ Hi Ganapathi, Great, thanks for working on this! We can ask syzbot to test the fix: #syz test: https://github.com/google/kasan.git usb-fuzzer Thanks! > > Regards, > Ganapathi
diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c index c2365ee..939f1e9 100644 --- a/drivers/net/wireless/marvell/mwifiex/usb.c +++ b/drivers/net/wireless/marvell/mwifiex/usb.c @@ -1348,6 +1348,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter) for (idx = 0; idx < MWIFIEX_TX_DATA_PORT; idx++) { port = &card->port[idx]; + if (!port->tx_data_ep) + continue; if (adapter->bus_aggr.enable) while ((skb_tmp = skb_dequeue(&port->tx_aggr.aggr_list))) @@ -1365,8 +1367,6 @@ static void mwifiex_unregister_dev(struct mwifiex_adapter *adapter) mwifiex_usb_free(card); - mwifiex_usb_cleanup_tx_aggr(adapter); - card->adapter = NULL; } @@ -1510,7 +1510,7 @@ static int mwifiex_prog_fw_w_helper(struct mwifiex_adapter *adapter, static int mwifiex_usb_dnld_fw(struct mwifiex_adapter *adapter, struct mwifiex_fw_image *fw) { - int ret; + int ret = 0; struct usb_card_rec *card = (struct usb_card_rec *)adapter->card; if (card->usb_boot_state == USB8XXX_FW_DNLD) { @@ -1523,10 +1523,6 @@ static int mwifiex_usb_dnld_fw(struct mwifiex_adapter *adapter, return -1; } - ret = mwifiex_usb_rx_init(adapter); - if (!ret) - ret = mwifiex_usb_tx_init(adapter); - return ret; } 
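Review bot: The new `if (!port->tx_data_ep) continue;` in mwifiex_usb_cleanup_tx_aggr() treats the endpoint number as a stand-in for "this port's aggr_list and hold timer were initialised", and nothing visible in the patch ties the two together. If tx_data_ep is filled in before init_if runs (presumably at probe time, which is not shown here), a port can have a non-zero endpoint although mwifiex_usb_tx_init() never ran. In the last hunk, mwifiex_init_usb() returns early for USB8XXX_FW_DNLD and skips TX init when mwifiex_usb_rx_init() fails, yet mwifiex_cleanup_usb() calls this function unconditionally. Because teardown can run when a device goes away or fails during bring-up, an explicit flag set at the end of TX init and tested here would be more robust, e.g. `if (!port->tx_data_ep || !port->tx_aggr_ready) continue;` (field name is a placeholder). The loop body and the rest of the function lie outside the hunk.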
@@ -1584,7 +1580,29 @@ static void mwifiex_usb_submit_rem_rx_urbs(struct mwifiex_adapter *adapter) return 0; } +static int mwifiex_init_usb(struct mwifiex_adapter *adapter) +{ + struct usb_card_rec *card = (struct usb_card_rec *)adapter->card; + int ret = 0; + + if (card->usb_boot_state == USB8XXX_FW_DNLD) + return 0; + + ret = mwifiex_usb_rx_init(adapter); + if (!ret) + ret = mwifiex_usb_tx_init(adapter); + + return ret; +} + +static void mwifiex_cleanup_usb(struct mwifiex_adapter *adapter) +{ + mwifiex_usb_cleanup_tx_aggr(adapter); +} + static struct mwifiex_if_ops usb_ops = { + .init_if = mwifiex_init_usb, + .cleanup_if = mwifiex_cleanup_usb, .register_dev = mwifiex_register_dev, .unregister_dev = mwifiex_unregister_dev, .wakeup = mwifiex_pm_wakeup_card,
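Review bot: mwifiex_init_usb() reports success in the USB8XXX_FW_DNLD state without initialising anything, and no comment says why that is correct or which later call sets up the RX/TX URBs. A short comment above the early return would help, along the lines of `/* firmware download state: data URBs are not needed yet, nothing to set up */`; the author should confirm the wording, since the reason is not visible in the patch. The `= 0` initialiser on `ret` is dead, because `ret` is assigned from mwifiex_usb_rx_init() before it is read, so `int ret;` is enough. The usb_ops initializer continues past the end of the hunk.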