linux/drivers/net/wireless/iwlwifi
Emmanuel Grumbach 4cd4b50cc2 iwlwifi: mvm: BT Coex - fix a NULL pointer exception
The commit below introduced an unsafe dereference of
mvmvif->phy_ctxt. It can be NULL even if we hold the mutex.
We can be handling a BT Coex notification while the vif has
already been unassigned. This can happen since the BT Coex
notification is handled asynchronously: we can have started
to handle the BT Coex notification trying to acquire the
mutex while the unassign flow already got it. The BT Coex
notification handling will wait for the mutex. It'll get it
later, but then mvmvif->phy_ctxt will be NULL.

Panic log:

BUG: unable to handle kernel NULL pointer dereference at   (null)
IP: [<f985180d>] iwl_mvm_bt_notif_iterator+0x9d/0x340 [iwlmvm]
*pdpt = 0000000000000000 *pde = f000eef300000007
Oops: 0000 [#1] SMP
Workqueue: events iwl_mvm_async_handlers_wk [iwlmvm]
task: ed719b20 ti: ec03e000 task.ti: ec03e000
EIP: 0060:[<f985180d>] EFLAGS: 00010202 CPU: 2
EIP is at iwl_mvm_bt_notif_iterator+0x9d/0x340 [iwlmvm]
EAX: 00000000 EBX: f6d3cb70 ECX: f6d3cb70 EDX: 00000000
ESI: ec03fe40 EDI: efeb8810 EBP: ec03fdf0 ESP: ec03fdac
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 80050033 CR2: 00000000 CR3: 01a1a000 CR4: 001407f0
Stack:
 f743ca80 f744a404 ec03fdcc c10e3952 00003aba f743ca80 00000246 f743ca80
 00000246 00000000 00000001 00000000 ebd45ff6 ebd458a4 f6d3c500 ebd45578
 ebd44b01 ec03fe18 f99e1bc2 00000002 ebd44bc0 f9851770 00000000 f6d3c500
Call Trace:
 [<c10e3952>] ? ring_buffer_unlock_commit+0xa2/0xd0
 [<f99e1bc2>] __iterate_interfaces+0x82/0x110 [mac80211]
 [<f9851770>] ? iwl_mvm_bt_coex_reduced_txp+0x140/0x140 [iwlmvm]
 [<f99e1c6a>] ieee80211_iterate_active_interfaces_atomic+0x1a/0x20 [mac80211]
 [<f9851427>] iwl_mvm_bt_coex_notif_handle+0x77/0x280 [iwlmvm]
 [<f9852161>] iwl_mvm_rx_bt_coex_notif_old+0x211/0x220 [iwlmvm]
 [<f9850b8b>] iwl_mvm_rx_bt_coex_notif+0x19b/0x1b0 [iwlmvm]
 [<f983944f>] iwl_mvm_async_handlers_wk+0x7f/0xe0 [iwlmvm]

CC: <stable@vger.kernel.org> [3.19+]
Fixes: 123f515635 ("iwlwifi: mvm: BT Coex - add support for TTC / RRC")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2015-03-05 14:13:20 +02:00
dvm iwlwifi: allow to define the stuck queue timer per queue 2015-02-01 15:57:23 +02:00
mvm iwlwifi: mvm: BT Coex - fix a NULL pointer exception 2015-03-05 14:13:20 +02:00
pcie iwlwifi: allow to define the stuck queue timer per queue 2015-02-01 15:57:23 +02:00
iwl-1000.c iwlwifi: fix max_ht_ampdu_exponent for older devices 2015-02-25 10:39:19 +02:00
iwl-2000.c iwlwifi: fix max_ht_ampdu_exponent for older devices 2015-02-25 10:39:19 +02:00
iwl-5000.c iwlwifi: fix max_ht_ampdu_exponent for older devices 2015-02-25 10:39:19 +02:00
iwl-6000.c iwlwifi: fix max_ht_ampdu_exponent for older devices 2015-02-25 10:39:19 +02:00
iwl-7000.c Merge remote-tracking branch 'iwlwifi-fixes/master' into iwlwifi-next 2015-01-22 17:55:12 +02:00
iwl-8000.c Merge remote-tracking branch 'iwlwifi-fixes/master' into iwlwifi-next 2015-01-22 17:55:12 +02:00
iwl-agn-hw.h iwlwifi: mvm: fix bug with OTP memory size 2014-05-06 20:40:01 +03:00
iwl-config.h iwlwifi: allow to define the stuck queue timer per queue 2015-02-01 15:57:23 +02:00
iwl-csr.h iwlwifi: mvm: support family 8000 C step 2015-01-22 17:55:20 +02:00
iwl-debug.c iwlwifi: use dev_printk instead of dev_dbg for debug logs 2014-05-13 13:52:22 +03:00
iwl-debug.h iwlwifi: mvm: declare TDLS support 2014-11-24 08:30:19 +02:00
iwl-devtrace.c iwlwifi: don't export tracepoints unnecessarily 2014-09-03 22:49:03 +03:00
iwl-devtrace.h iwlwifi: Update Copyright to 2014 2013-12-31 19:03:53 +02:00
iwl-drv.c iwlwifi: mvm: enable watchdog on Tx queues for mvm 2015-02-01 15:57:22 +02:00
iwl-drv.h iwlwifi: remove MODULE_VERSION 2014-12-28 10:17:40 +02:00
iwl-eeprom-parse.c iwlwifi: change max HT and VHT A-MPDU exponent 2014-11-23 19:57:30 +02:00
iwl-eeprom-parse.h iwlwifi: mvm: new NVM format in family 8000 2014-02-13 13:49:37 +02:00
iwl-eeprom-read.c iwlwifi: Update Copyright to 2014 2013-12-31 19:03:53 +02:00
iwl-eeprom-read.h iwlwifi: Update Copyright to 2014 2013-12-31 19:03:53 +02:00
iwl-fh.h iwlwifi: pcie: limit fw chunk sizes given to fh 2014-12-14 10:20:30 +02:00
iwl-fw-error-dump.h iwlwifi: mvm: add rxf and txf to dump data 2015-01-22 17:54:05 +02:00
iwl-fw-file.h iwlwifi: mvm: add beamformer support 2015-02-01 15:39:19 +02:00
iwl-fw.h iwlwifi: tlv: add support for IWL_UCODE_TLV_SDIO_ADMA_ADDR TLV 2014-12-28 20:05:09 +02:00
iwl-io.c iwlwifi: correctly set the NMI register 2015-01-22 17:54:05 +02:00
iwl-io.h iwlwifi: update nmi register 2014-05-15 19:50:51 +03:00
iwl-modparams.h iwlwifi: mvm: enable watchdog on Tx queues for mvm 2015-02-01 15:57:22 +02:00
iwl-notif-wait.c iwlwifi: Update Copyright to 2014 2013-12-31 19:03:53 +02:00
iwl-notif-wait.h iwlwifi: Update Copyright to 2014 2013-12-31 19:03:53 +02:00
iwl-nvm-parse.c iwlwifi: mvm: support LnP 1x1 antenna configuration 2014-12-28 20:00:12 +02:00
iwl-nvm-parse.h iwlwifi: mvm: new NVM format in family 8000 2014-02-13 13:49:37 +02:00
iwl-op-mode.h iwlwifi: mvm/trans: abort d0i3_enter in case of held ref 2014-11-11 17:15:04 +02:00
iwl-phy-db.c iwlwifi: remove CMD_SYNC 2014-05-13 13:52:19 +03:00
iwl-phy-db.h iwlwifi: Update Copyright to 2014 2013-12-31 19:03:53 +02:00
iwl-prph.h iwlwifi: pcie: prepare the enablement of 31 TFD queues 2015-02-01 15:57:20 +02:00
iwl-scd.h iwlwifi: pcie: prepare the enablement of 31 TFD queues 2015-02-01 15:57:20 +02:00
iwl-trans.h iwlwifi: allow to define the stuck queue timer per queue 2015-02-01 15:57:23 +02:00
Kconfig iwlwfifi: fix WANT_DEV_COREDUMP selection in Kconfig 2014-10-31 13:10:32 +02:00
Makefile iwlwifi: Add 8000 HW family support 2014-02-03 22:23:31 +02:00