Hi Arend,

> Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote on 22 November 2017 at 19:23:
>
>
> On 22-11-17 17:20, Stefan Wahren wrote:
> > Hi,
> >
> >> Stefan Wahren <stefan.wahren@xxxxxxxx> wrote on 12 November 2017 at 17:50:
> >>
> >>
> >> Hi,
> >> I discovered a random oops during probe of brcmfmac on Raspberry Pi 3 in yesterday's kernelci run for net-next [1]. I need to point out there is no DT entry for the wifi chip on Raspberry Pi 3 for lack of a driver for the necessary GPIO expander. So the "HT Avail timeout" is expected.
> >>
> >> I was also able to trigger this oops by calling "modprobe brcmfmac" on my Raspberry Pi 3 with latest linux-next.
> >>
> >> Any help to fix this is appreciated.
> >>
> >> [1] - https://storage.kernelci.org/net-next/master/v4.14-rc8-2221-ga8a6f1e4ea78/arm64/defconfig+kselftest/lab-baylibre/boot-bcm2837-rpi-3-b.txt
> >>
> >
> > the issue still persists in linux-next-20171122:
> >
> ...
>
> seems like a use-after-free. We do a device_release_driver() twice. Once
> for sdio func #1 and for sdio func #2. This was introduced by:
>
> commit 7a51461fc2da82a6c565a3ee65c41c197f28225d
> Author: Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx>
> Date: Mon Jun 12 12:47:34 2017 +0100
>
>     brcmfmac: unbind all devices upon failure in firmware callback
>
> What we do is:
>
>     device_release_driver(dev);
>     device_release_driver(&sdiodev->func[2]->dev);
>
> with the assumption that dev == &sdiodev->func[1]->dev. I wonder if that
> is always true. The error print did not make it in your log. Maybe we
> should make it explicit here (see below).

I tried it, but the issue still occurs. Maybe this is helpful, but this issue doesn't happen every time. Sometimes I need 2 attempts via unloading/loading.

>
> Regards,
> Arend
> ---
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c > b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c > index 613caca..0fda9a4 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c > @@ -4096,7 +4096,7 @@ static void brcmf_sdio_firmware_callback(struct > device *dev, int err, > sdio_release_host(sdiodev->func[1]); > fail: > brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err); > - device_release_driver(dev); > + device_release_driver(&sdiodev->func[1]->dev); > device_release_driver(&sdiodev->func[2]->dev); > } >
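
Review bot: in the fail: path the second call still evaluates sdiodev->func[2] after the driver for func[1] has been released, so if that first release tears down or frees sdiodev, the use-after-free remains whichever expression is passed to the first call. Consider reading both device pointers into locals before the first device_release_driver(), or releasing func[2] before func[1]. The brcmf_dbg() line just above still prints dev_name(dev), so if dev can differ from &sdiodev->func[1]->dev, the trace no longer names the device that is actually released; it would help to log both or to state in the commit message that the two are always equal.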