On Thu, 14 Feb 2019 at 23:37, Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:
> On 2/14/2019 11:30 PM, Rafał Miłecki wrote:
> > I've just found a well reproducible brcmfmac crash (NULL pointer
> > dereference).
> >
> > Steps:
> > 1. Wait for or trigger a FullMAC firmware crash
> > 2. Wait for some skb to get queued on a flowring
> > 3. Call rmmod brcmfmac
> >
> > Problem:
> > There is a NULL pointer dereference in one of the brcmf_detach() calls.
> >
> > Explanation:
> > brcmf_detach() first frees all "ifp"s and then deletes flowrings. If any
> > flowring has a skb it results in calling brcmf_txfinalize() which tries
> > to access "ifp" (struct brcmf_if) which is NULL.
>
> Hi Rafał,
>
> Thanks for diving in. That was my suspicion. Does it mean you are
> working on a patch or shall I take care of it?

It would be nice to have someone more experienced with detaching & rings
look at it. Is adding a simple if (ifp) enough? Or should that code get
redesigned? Should we e.g. reorder the detach order?

-- 
Rafał
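The two options raised in the thread (guard the ifp lookup, or reorder the detach) behave differently, and a small model makes that visible. The block below is an added illustration, not brcmfmac code: the structures, the `setup()` fixture (two interfaces, three queued skbs) and the function names `txfinalize`, `delete_flowrings`, `free_ifps`, `detach_buggy_order` and `detach_reordered` are invented stand-ins that only mirror the driver's vocabulary. Where the real driver would oops on a NULL ifp, the model counts the event instead.

```c
/* Added example (not brcmfmac code): toy model of the teardown-ordering
 * bug from the report. All structs and names are assumptions for
 * illustration; only the shape of the problem follows the thread. */
#include <stdlib.h>
#include <string.h>

#define MAX_IFS   4
#define MAX_RINGS 2

struct skb      { int ifidx; struct skb *next; };        /* queued packet, tagged with its interface */
struct brcmf_if { int idx; unsigned long tx_completed; };/* per-interface state (toy) */
struct flowring { struct skb *head; };

struct drvr {
    struct brcmf_if *iflist[MAX_IFS];
    struct flowring  rings[MAX_RINGS];
    int null_derefs;   /* what would be a crash in the real driver */
    int finalized;     /* skbs completed against a live ifp */
};

struct detach_result { int null_derefs; int finalized; };

/* Model of brcmf_txfinalize(): completes a queued skb on its interface.
 * The "simple if (ifp)" guard keeps it from dereferencing NULL, but an
 * skb that arrives after its ifp is gone is then silently unaccounted. */
static void txfinalize(struct drvr *d, struct skb *skb)
{
    struct brcmf_if *ifp = d->iflist[skb->ifidx];
    if (!ifp) {
        d->null_derefs++;   /* real driver: NULL pointer dereference here */
        return;
    }
    ifp->tx_completed++;
    d->finalized++;
}

/* Drain every ring; each queued skb goes through txfinalize(). */
static void delete_flowrings(struct drvr *d)
{
    for (int r = 0; r < MAX_RINGS; r++) {
        struct skb *s = d->rings[r].head;
        while (s) {
            struct skb *next = s->next;
            txfinalize(d, s);
            free(s);
            s = next;
        }
        d->rings[r].head = NULL;
    }
}

static void free_ifps(struct drvr *d)
{
    for (int i = 0; i < MAX_IFS; i++) {
        free(d->iflist[i]);
        d->iflist[i] = NULL;
    }
}

/* Constructed fixture: two interfaces, two skbs on ring 0, one on ring 1. */
static void setup(struct drvr *d)
{
    memset(d, 0, sizeof(*d));
    for (int i = 0; i < 2; i++) {
        d->iflist[i] = calloc(1, sizeof(struct brcmf_if));
        d->iflist[i]->idx = i;
    }
    int ring_of[3] = {0, 0, 1}, if_of[3] = {0, 1, 1};
    for (int k = 0; k < 3; k++) {
        struct skb *s = calloc(1, sizeof(*s));
        s->ifidx = if_of[k];
        s->next = d->rings[ring_of[k]].head;
        d->rings[ring_of[k]].head = s;
    }
}

/* Order described in the report: ifps freed first, rings deleted after. */
struct detach_result detach_buggy_order(void)
{
    struct drvr d;
    setup(&d);
    free_ifps(&d);
    delete_flowrings(&d);
    return (struct detach_result){ d.null_derefs, d.finalized };
}

/* Reordered detach: drain the rings while every ifp is still alive. */
struct detach_result detach_reordered(void)
{
    struct drvr d;
    setup(&d);
    delete_flowrings(&d);
    free_ifps(&d);
    return (struct detach_result){ d.null_derefs, d.finalized };
}
```

With the guard alone, `detach_buggy_order()` no longer crashes but finalizes none of the three skbs; `detach_reordered()` finalizes all three with no NULL lookups. That is the trade-off behind the "is if (ifp) enough" question: the guard stops the oops, the reorder also keeps the completion path meaningful.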