From 038318f766a7bd123c4fb413e9a2947445f441d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Fri, 27 Mar 2020 14:55:58 +0100 Subject: [PATCH] mac80211: fix brcmfmac monitor interface crash MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes bug in brcmfmac *exposed* by ipv6/addrconf fix. Fixes: ec8e8e2ef082 ("kernel: backport out-of-memory fix for non-Ethernet devices") Signed-off-by: Rafał Miłecki --- ...-add-stub-for-monitor-interface-xmit.patch | 100 ++++++++++++++++++ ...-register-wiphy-s-during-module_init.patch | 2 +- 2 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 package/kernel/mac80211/patches/brcm/300-brcmfmac-add-stub-for-monitor-interface-xmit.patch diff --git a/package/kernel/mac80211/patches/brcm/300-brcmfmac-add-stub-for-monitor-interface-xmit.patch b/package/kernel/mac80211/patches/brcm/300-brcmfmac-add-stub-for-monitor-interface-xmit.patch new file mode 100644 index 0000000000..8280918fa2 --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/300-brcmfmac-add-stub-for-monitor-interface-xmit.patch @@ -0,0 +1,100 @@ +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Fri, 27 Mar 2020 13:40:50 +0100 +Subject: [PATCH] brcmfmac: add stub for monitor interface xmit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +According to the struct net_device_ops documentation .ndo_start_xmit is +"Required; cannot be NULL.". Missing it may crash kernel easily: + +[ 341.216709] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[ 341.224836] pgd = 26088755 +[ 341.227544] [00000000] *pgd=00000000 +[ 341.231135] Internal error: Oops: 80000007 [#1] SMP ARM +[ 341.236367] Modules linked in: pppoe ppp_async iptable_nat brcmfmac xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQU +[ 341.304689] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.24 #0 +[ 341.310621] Hardware name: BCM5301X +[ 341.314116] PC is at 0x0 +[ 341.316664] LR is at dev_hard_start_xmit+0x8c/0x11c +[ 341.321546] pc : [<00000000>] lr : [] psr: 60000113 +[ 341.327821] sp : c0801c30 ip : c610cf00 fp : c08048e4 +[ 341.333051] r10: c073a63a r9 : c08044dc r8 : c6c04e00 +[ 341.338283] r7 : 00000000 r6 : c60f5000 r5 : 00000000 r4 : c6a9c3c0 +[ 341.344820] r3 : 00000000 r2 : bf25a13c r1 : c60f5000 r0 : c6a9c3c0 +[ 341.351358] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 341.358504] Control: 10c5387d Table: 0611c04a DAC: 00000051 +[ 341.364257] Process swapper/0 (pid: 0, stack limit = 0xc68ed0ca) +[ 341.370271] Stack: (0xc0801c30 to 0xc0802000) +[ 341.374633] 1c20: c6e7d480 c0802d00 c60f5050 c0801c6c +[ 341.382825] 1c40: c60f5000 c6a9c3c0 c6f90000 c6f9005c c6c04e00 c60f5000 00000000 c6f9005c +[ 341.391015] 1c60: 00000000 c04a033c 00f90200 00000010 c6a9c3c0 c6a9c3c0 c6f90000 00000000 +[ 341.399205] 1c80: 00000000 00000000 00000000 c046a7ac c6f9005c 00000001 fffffff4 00000000 +[ 341.407395] 1ca0: c6f90200 00000000 c60f5000 c0479550 00000000 c6f90200 c6a9c3c0 16000000 +[ 341.415586] 1cc0: 0000001c 6f4ad52f c6197040 b6df9387 36000000 c0520404 c073a80c c6a9c3c0 +[ 341.423777] 1ce0: 00000000 c6d643c0 c6a9c3c0 c0800024 00000001 00000001 c6d643c8 c6a9c3c0 +[ 341.431967] 1d00: c081b9c0 c7abca80 c610c840 c081b9c0 0000001c 00400000 c6bc5e6c c0522fb4 +[ 341.440157] 1d20: c6d64400 00000004 c6bc5e0a 00000000 c60f5000 c7abca80 c081b9c0 c0522f54 +[ 341.448348] 1d40: c6a9c3c0 c7abca80 c0803e48 c0549c94 c610c828 0000000a c0801d74 00000003 +[ 341.456538] 1d60: c6ec8f0a 00000000 c60f5000 c7abca80 c081b9c0 c0548520 0000000a 00000000 +[ 341.464728] 1d80: 00000000 003a0000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 341.472919] 1da0: 000002ff 00000000 00000000 16000000 00000000 00000000 00000000 00000000 +[ 341.481110] 1dc0: 00000000 0000008f 00000000 00000000 00000000 2d132a69 c6bc5e40 00000000 +[ 341.489300] 1de0: c6bc5e40 c6a9c3c0 00000000 c6ec8e50 00000001 c054b070 00000001 00000000 +[ 341.497490] 1e00: c0807200 c6bc5e00 00000000 ffffe000 00000100 c054aea4 00000000 00000000 +[ 341.505681] 1e20: 00000122 00400000 c0802d00 c0172e80 6f56a70e ffffffff 6f56a70e c7eb9cc0 +[ 341.513871] 1e40: c7eb82c0 00000000 c0801e60 c017309c 00000000 00000000 07780000 c07382c0 +[ 341.522061] 1e60: 00000000 c7eb9cc0 c0739cc0 c0803f74 c0801e70 c0801e70 c0801ea4 c013d380 +[ 341.530253] 1e80: 00000000 000000a0 00000001 c0802084 c0802080 40000001 ffffe000 00000100 +[ 341.538443] 1ea0: c0802080 c01021e8 c8803100 10c5387d 00000000 c07341f0 c0739880 0000000a +[ 341.546633] 1ec0: c0734180 00001017 c0802d00 c062aa98 00200002 c062aa60 c8803100 c073984c +[ 341.554823] 1ee0: 00000000 00000001 00000000 c7810000 c8803100 10c5387d 00000000 c011c188 +[ 341.563014] 1f00: c073984c c015f0f8 c0804244 c0815ae4 c880210c c8802100 c0801f40 c037c584 +[ 341.571204] 1f20: c01035f8 60000013 ffffffff c0801f74 c080afd4 c0800000 10c5387d c0101a8c +[ 341.579395] 1f40: 00000000 004ac9dc c7eba4b4 c010ee60 ffffe000 c0803e68 c0803ea8 00000001 +[ 341.587587] 1f60: c080afd4 c062ca20 10c5387d 00000000 00000000 c0801f90 c01035f4 c01035f8 +[ 341.595776] 1f80: 60000013 ffffffff 00000051 00000000 ffffe000 c013ff50 000000ce c0803e40 +[ 341.603967] 1fa0: c082216c 00000000 00000001 c072ba38 10c5387d c0140214 c0822184 c0700df8 +[ 341.612157] 1fc0: ffffffff ffffffff 00000000 c070058c c072ba38 2d162e71 00000000 c0700330 +[ 341.620348] 1fe0: 00000051 10c0387d 000000ff 00a521d0 413fc090 00000000 00000000 00000000 +[ 341.628558] [] (dev_hard_start_xmit) from [] (sch_direct_xmit+0xe4/0x2bc) +[ 341.637106] [] (sch_direct_xmit) from [] (__dev_queue_xmit+0x6a4/0x72c) +[ 341.645481] [] (__dev_queue_xmit) from [] (ip6_finish_output2+0x18c/0x434) +[ 341.654112] [] (ip6_finish_output2) from [] (ip6_output+0x5c/0xd0) +[ 341.662053] [] (ip6_output) from [] (mld_sendpack+0x1a0/0x1a8) +[ 341.669640] [] (mld_sendpack) from [] (mld_ifc_timer_expire+0x1cc/0x2e4) +[ 341.678111] [] (mld_ifc_timer_expire) from [] (call_timer_fn.constprop.3+0x24/0x98) +[ 341.687527] [] (call_timer_fn.constprop.3) from [] (run_timer_softirq+0x1a8/0x1e4) +[ 341.696860] [] (run_timer_softirq) from [] (__do_softirq+0x120/0x2b0) +[ 341.705066] [] (__do_softirq) from [] (irq_exit+0x78/0x84) +[ 341.712317] [] (irq_exit) from [] (__handle_domain_irq+0x60/0xb4) +[ 341.720179] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90) +[ 341.728549] [] (gic_handle_irq) from [] (__irq_svc+0x6c/0x90) + +Fixes: 20f2c5fa3af0 ("brcmfmac: add initial support for monitor mode") +Signed-off-by: Rafał Miłecki +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -746,9 +746,18 @@ static int brcmf_net_mon_stop(struct net + return err; + } + ++static netdev_tx_t brcmf_net_mon_start_xmit(struct sk_buff *skb, ++ struct net_device *ndev) ++{ ++ dev_kfree_skb_any(skb); ++ ++ return NETDEV_TX_OK; ++} ++ + static const struct net_device_ops brcmf_netdev_ops_mon = { + .ndo_open = brcmf_net_mon_open, + .ndo_stop = brcmf_net_mon_stop, ++ .ndo_start_xmit = brcmf_net_mon_start_xmit, + }; + + int brcmf_net_mon_attach(struct brcmf_if *ifp) diff --git a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch index a1bcbfaec8..c18a5bfa4a 100644 --- a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -13,7 +13,7 @@ Signed-off-by: Rafał Miłecki --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c -@@ -1545,6 +1545,7 @@ int __init brcmf_core_init(void) +@@ -1554,6 +1554,7 @@ int __init brcmf_core_init(void) { if (!schedule_work(&brcmf_driver_work)) return -EBUSY;