Fix for kernel crash observed with the following test procedure [1]:

  while true; do ifconfig wlan0 up; iw dev wlan0 scan & ifconfig wlan0 down; done

During the above test procedure, the scan results received from firmware for the 'iw scan' command get queued even when the interface is going down. It was causing the kernel oops when dereferencing the freed pointers.

For synchronization, 'mac_close()' calls flush_workqueue() to block its execution till all pending work is completed. Afterwards, the 'wilc->close' flag, which is set before the flush_workqueue(), should avoid adding new work. Added 'wilc->close' check in wilc_handle_isr(), which is common for SPI/SDIO bus, to ignore the interrupts from firmware that in turn add the work since the interface is getting closed.

1. https://lore.kernel.org/linux-wireless/20221024135407.7udo3dwl3mqyv2yj@xxxxxxxxxxxx/

Reported-by: Michael Walle <mwalle@xxxxxxxxxx>
Signed-off-by: Ajay Singh <ajay.kathat@xxxxxxxxxxxxx>
--- drivers/net/wireless/microchip/wilc1000/netdev.c | 9 +++------ drivers/net/wireless/microchip/wilc1000/wlan.c | 3 +++ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c index e9f59de31b0b..40edee10a81f 100644 --- a/drivers/net/wireless/microchip/wilc1000/netdev.c +++ b/drivers/net/wireless/microchip/wilc1000/netdev.c @@ -38,11 +38,6 @@ static irqreturn_t isr_bh_routine(int irq, void *userdata) { struct wilc *wilc = userdata; - if (wilc->close) { - pr_err("Can't handle BH interrupt\n"); - return IRQ_HANDLED; - } - wilc_handle_isr(wilc); return IRQ_HANDLED; @@ -781,13 +776,15 @@ static int wilc_mac_close(struct net_device *ndev) if (vif->ndev) { netif_stop_queue(vif->ndev); + if (wl->open_ifcs == 0) + wl->close = 1; + wilc_handle_disconnect(vif); wilc_deinit_host_int(vif->ndev); } if (wl->open_ifcs == 0) { netdev_dbg(ndev, "Deinitializing wilc1000\n"); - wl->close = 1; wilc_wlan_deinitialize(ndev); } 
diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c index 58bbf50081e4..700cb657be00 100644 --- a/drivers/net/wireless/microchip/wilc1000/wlan.c +++ b/drivers/net/wireless/microchip/wilc1000/wlan.c @@ -1066,6 +1066,9 @@ void wilc_handle_isr(struct wilc *wilc) { u32 int_status; + if (wilc->close) + return; + acquire_bus(wilc, WILC_BUS_ACQUIRE_AND_WAKEUP); wilc->hif_func->hif_read_int(wilc, &int_status); -- 2.34.1
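Review bot: in isr_bh_routine() (netdev.c, first hunk) the removed block was the only place that logged an interrupt arriving while the device is closing, and the replacement check in wilc_handle_isr() returns silently. If that event is still useful when debugging teardown problems, keep a rate-limited or debug-level message next to the new check; if the pr_err() was dropped on purpose because the condition is now expected during close, say so in the commit message.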
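Review bot: in wilc_mac_close() (netdev.c, second hunk) the ordering of `wl->close = 1` ahead of wilc_handle_disconnect() and wilc_deinit_host_int() is what the fix depends on, but nothing in the code says so, and the `wl->open_ifcs == 0` test is now written twice a few lines apart. Add a short comment above the new assignment stating that the flag must be set before the workqueue is flushed, so a later cleanup does not merge the two `open_ifcs` blocks and move the store back. The flag is a plain store read from the interrupt path, so consider WRITE_ONCE() here paired with READ_ONCE() at the reader.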
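Review bot: in wilc_handle_isr() (wlan.c) the new `if (wilc->close) return;` runs before acquire_bus(), so the check is not atomic with the work that follows: an interrupt that passes the check just before wilc_mac_close() sets the flag still goes on to read the interrupt status and may queue work. The commit message relies on the later flush_workqueue() to drain that case; state this in a comment at the check, and read the flag with READ_ONCE() since it is shared with the close path without a lock. The early return also skips hif_read_int(), while isr_bh_routine() still returns IRQ_HANDLED, so please confirm that the interrupt source does not need to be read or cleared for the line to deassert on this path.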