Message ID | 20250430210627.3674314-1-rory@candelatech.com |
---|---|
State | New |
Series | [iwlwifi-next] wifi: iwlwifi: mld: Fix iteration of uninitialized async handler list. |
> -----Original Message-----
> From: Rory Little <rory@candelatech.com>
> Sent: Thursday, 1 May 2025 0:06
> To: Korenblit, Miriam Rachel <miriam.rachel.korenblit@intel.com>
> Cc: linux-wireless@vger.kernel.org; Rory Little <rory@candelatech.com>
> Subject: [PATCH iwlwifi-next] wifi: iwlwifi: mld: Fix iteration of uninitialized async handler list.
>
> There were a few cases where iteration of the async_handlers_list would be
> attempted before the list was initialized by async_handlers_wk. This patch
> initializes that list during mld construction to guard against that case.
>
> This fixes a panic seen on boot:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> PGD 0 P4D 0
> Oops: Oops: 0000 [#1] SMP
> CPU: 1 UID: 0 PID: 910 Comm: modprobe Not tainted 6.15.0-rc2+ #3 PREEMPT(full)
> Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/21/2023
> RIP: 0010:iwl_mld_cancel_async_notifications+0x4a/0xd0 [iwlmld]
> Code: ...
> RSP: 0018:ffffc9000097fbf0 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000004000000
> RDX: 0000000000000001 RSI: 0000000000000292 RDI: ffff888127d73d70
> RBP: ffff888127d72028 R08: ffffffffa0fc9485 R09: ffffffffa0fc8b8a
> R10: 0000000000000001 R11: 0000000000000000 R12: ffff888127d73d60
> R13: 0000000000000003 R14: ffff888127d73150 R15: ffff888127d72020
> FS: 00007f942ece3740(0000) GS:ffff8884da78e000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 0000000135bd6004 CR4: 00000000003726f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> iwl_mld_stop_fw+0x35/0x40 [iwlmld]
> iwl_op_mode_mld_start+0x3b6/0x4c0 [iwlmld]
> ? inode_set_ctime_current+0x185/0x220
> _iwl_op_mode_start+0x58/0xd0 [iwlwifi]
> iwl_opmode_register+0x69/0xc0 [iwlwifi]
> ? mt7996_init+0x1000/0x1000 [mt7996e]
> iwl_mld_init+0x19/0x1000 [iwlmld]
> ? mt7996_init+0x1000/0x1000 [mt7996e]
> do_one_initcall+0x3e/0x2e0
> ? do_init_module+0x22/0x210
> do_init_module+0x60/0x210
> init_module_from_file+0x85/0xc0
> idempotent_init_module+0xfe/0x2f0
> __x64_sys_finit_module+0x61/0xc0
> do_syscall_64+0x4b/0xf50
> entry_SYSCALL_64_after_hwframe+0x4b/0x53
>
> Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
> Signed-off-by: Rory Little <rory@candelatech.com>
> ---
> drivers/net/wireless/intel/iwlwifi/mld/mld.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mld.c > b/drivers/net/wireless/intel/iwlwifi/mld/mld.c > index 87624730fb50..d78d1b4334de 100644 > --- a/drivers/net/wireless/intel/iwlwifi/mld/mld.c > +++ b/drivers/net/wireless/intel/iwlwifi/mld/mld.c > @@ -77,6 +77,7 @@ void iwl_construct_mld(struct iwl_mld *mld, struct > iwl_trans *trans, > > /* Setup async RX handling */ > spin_lock_init(&mld->async_handlers_lock); > + INIT_LIST_HEAD(&mld->async_handlers_list); > wiphy_work_init(&mld->async_handlers_wk, > iwl_mld_async_handlers_wk); > > -- > 2.45.2

This was already fixed in wireless

Miri
diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mld.c b/drivers/net/wireless/intel/iwlwifi/mld/mld.c index 87624730fb50..d78d1b4334de 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/mld.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/mld.c @@ -77,6 +77,7 @@ void iwl_construct_mld(struct iwl_mld *mld, struct iwl_trans *trans, /* Setup async RX handling */ spin_lock_init(&mld->async_handlers_lock); + INIT_LIST_HEAD(&mld->async_handlers_list); wiphy_work_init(&mld->async_handlers_wk, iwl_mld_async_handlers_wk);
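Review bot: The initialization that the commit message attributes to async_handlers_wk is not removed alongside the new INIT_LIST_HEAD(&mld->async_handlers_list) line in iwl_construct_mld(). If that later initialization still exists, it should be dropped in this patch or shown to be unreachable while entries are queued, because re-running INIT_LIST_HEAD on a populated list orphans its entries. The message also says "a few cases" while the trace shows only the iwl_op_mode_mld_start -> iwl_mld_stop_fw -> iwl_mld_cancel_async_notifications path; naming the other callers would let a reviewer confirm that construct-time initialization covers all of them.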
There were a few cases where iteration of the async_handlers_list would be
attempted before the list was initialized by async_handlers_wk. This patch
initializes that list during mld construction to guard against that case.

This fixes a panic seen on boot:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 1 UID: 0 PID: 910 Comm: modprobe Not tainted 6.15.0-rc2+ #3 PREEMPT(full)
Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/21/2023
RIP: 0010:iwl_mld_cancel_async_notifications+0x4a/0xd0 [iwlmld]
Code: ...
RSP: 0018:ffffc9000097fbf0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000004000000
RDX: 0000000000000001 RSI: 0000000000000292 RDI: ffff888127d73d70
RBP: ffff888127d72028 R08: ffffffffa0fc9485 R09: ffffffffa0fc8b8a
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888127d73d60
R13: 0000000000000003 R14: ffff888127d73150 R15: ffff888127d72020
FS: 00007f942ece3740(0000) GS:ffff8884da78e000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000135bd6004 CR4: 00000000003726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
iwl_mld_stop_fw+0x35/0x40 [iwlmld]
iwl_op_mode_mld_start+0x3b6/0x4c0 [iwlmld]
? inode_set_ctime_current+0x185/0x220
_iwl_op_mode_start+0x58/0xd0 [iwlwifi]
iwl_opmode_register+0x69/0xc0 [iwlwifi]
? mt7996_init+0x1000/0x1000 [mt7996e]
iwl_mld_init+0x19/0x1000 [iwlmld]
? mt7996_init+0x1000/0x1000 [mt7996e]
do_one_initcall+0x3e/0x2e0
? do_init_module+0x22/0x210
do_init_module+0x60/0x210
init_module_from_file+0x85/0xc0
idempotent_init_module+0xfe/0x2f0
__x64_sys_finit_module+0x61/0xc0
do_syscall_64+0x4b/0xf50
entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: d1e879ec600f ("wifi: iwlwifi: add iwlmld sub-driver")
Signed-off-by: Rory Little <rory@candelatech.com>
---
drivers/net/wireless/intel/iwlwifi/mld/mld.c | 1 +
1 file changed, 1 insertion(+)