Missing mutex_unlock and possible race scenario in function (wl1271_remove) in file (linux3.2/drivers/net/wireless/wl12xx/sdio.c)

Bug Report Filed: https://bugzilla.kernel.org/show_bug.cgi?id=82901
Linux Version [3.2] and [android-omap-3.0]

Function's Source Code:
http://lxr.free-electrons.com/source/drivers/net/wireless/wl12xx/sdio.c?v=3.2#L313

function (wl1271_remove) in file (linux3.2/drivers/net/wireless/wl12xx/sdio.c):

The mutex object (&wl->mutex) may get locked upon exit of function
(wl1271_unregister_hw) through the call to function
(__wl1271_plt_stop). However, the lock is never released upon exit of
function (wl1271_unregister_hw).

The buggy scenario happens as follows:

(wl1271_remove) calls (wl1271_unregister_hw) which acquires the locks.
Then, (wl1271_remove) calls (wl1271_free_hw) which tries to lock the
object already locked in (wl1271_unregister_hw), which causes a
race scenario.

Possible fix is to call (wl1271_plt_stop) instead of
(__wl1271_plt_stop) in function (wl1271_unregister_hw) in file
(http://lxr.free-electrons.com/source/drivers/net/wireless/wl12xx/main.c?v=3.2#L4650).

The bug also occurs in Android Linux kernel:
https://android.googlesource.com/kernel/omap/+/android-omap-3.0/drivers/net/wireless/wl12xx/sdio.c
@ line 319

Bug found via C-Atlas tool [http://www.ensoftcorp.com/]
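
The locking pattern this report describes, modelled in user space as an added example (not part of the original post and not the driver's code). struct dev, plt_stop_unbalanced, plt_stop_balanced and remove_path are hypothetical stand-ins, and a POSIX error-checking mutex is assumed so that relocking a mutex the thread already holds returns EDEADLK instead of blocking.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for the driver state; not kernel code. */
struct dev { pthread_mutex_t mutex; int plt_mode; };

static void dev_init(struct dev *d)
{
    pthread_mutexattr_t attr;
    pthread_mutexattr_init(&attr);
    /* ERRORCHECK reports a self-relock as EDEADLK instead of hanging. */
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&d->mutex, &attr);
    pthread_mutexattr_destroy(&attr);
    d->plt_mode = 1;
}

/* Models the reported behaviour: the mutex is still held on return. */
static void plt_stop_unbalanced(struct dev *d)
{
    pthread_mutex_lock(&d->mutex);
    d->plt_mode = 0;
}

/* Models the suggested fix: the lock taken here is released before return. */
static void plt_stop_balanced(struct dev *d)
{
    pthread_mutex_lock(&d->mutex);
    d->plt_mode = 0;
    pthread_mutex_unlock(&d->mutex);
}

/* Models the remove path: an unregister step, then a free step that locks. */
static int remove_path(void (*plt_stop)(struct dev *))
{
    struct dev d;
    dev_init(&d);
    if (d.plt_mode)
        plt_stop(&d);                        /* unregister step */
    int rc = pthread_mutex_lock(&d.mutex);   /* free step takes the mutex */
    pthread_mutex_unlock(&d.mutex);          /* drop the single hold we own */
    pthread_mutex_destroy(&d.mutex);
    return rc;
}

int main(void)
{
    printf("unbalanced=%d balanced=%d\n", remove_path(plt_stop_unbalanced),
           remove_path(plt_stop_balanced));
    return 0;
}
```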
