brcmfmac: Fix driver crash on USB control transfer timeout (93a5bfbc) · Commits · 戴 / test

When the control transfer gets timed out, the error status was returned without killing that urb, this leads to using the same urb. This issue causes the kernel crash as the same urb is sumbitted multiple times. The fix is to kill the urb for timeout transfer before returning error Signed-off-by:

Raveendran Somu <raveendran.somu@cypress.com> Signed-off-by:

Chi-hsien Lin <chi-hsien.lin@cypress.com> Signed-off-by:

Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1585124429-97371-2-git-send-email-chi-hsien.lin@cypress.com

drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -328,11 +328,12 @@ static int brcmf_usb_tx_ctlpkt(struct device dev, u8 buf, u32 len)
		return err;
		}
		timeout = brcmf_usb_ioctl_resp_wait(devinfo);
		clear_bit(0, &devinfo->ctl_op);
		if (!timeout) {
		brcmf_err("Txctl wait timed out\n");
		usb_kill_urb(devinfo->ctl_urb);
		err = -EIO;
		}
		clear_bit(0, &devinfo->ctl_op);
		return err;
		}

		@@ -358,11 +359,12 @@ static int brcmf_usb_rx_ctlpkt(struct device dev, u8 buf, u32 len)
		}
		timeout = brcmf_usb_ioctl_resp_wait(devinfo);
		err = devinfo->ctl_urb_status;
		clear_bit(0, &devinfo->ctl_op);
		if (!timeout) {
		brcmf_err("rxctl wait timed out\n");
		usb_kill_urb(devinfo->ctl_urb);
		err = -EIO;
		}
		clear_bit(0, &devinfo->ctl_op);
		if (!err)
		return devinfo->ctl_urb_actual_length;
		else

Admin message