Ajay.Kathat@microchip.com writes:
Fix for kernel crash observed with following test procedure:
  while true; do ifconfig wlan0 up; iw dev wlan0 scan & ifconfig wlan0 down; done
During the above test procedure, the scan results received from firmware for the 'iw scan' command get queued even when the interface is going down. It was causing the kernel oops when dereferencing the freed pointers.
For synchronization, 'mac_close()' calls flush_workqueue() to block its execution till all pending work is completed. Afterwards, the 'wilc->close' flag, which is set before the flush_workqueue(), should avoid adding new work. Added 'wilc->close' check in wilc_handle_isr(), which is common for SPI/SDIO bus, to ignore the interrupts from firmware that in turn add the work, since the interface is getting closed.
Also, removed isr_uh_routine() as it's not necessary after 'wl->close' check is added in wilc_handle_isr(). So now the default primary handler would be used for threaded IRQ.
Cc: stable@vger.kernel.org
Reported-by: Michael Walle <mwalle@kernel.org>
Link: https://lore.kernel.org/linux-wireless/20221024135407.7udo3dwl3mqyv2yj@0002....
Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
changes since v1:
- updated commit description and included 'Link:' tag
- use atomic_t type for 'close' variable
- set close state after clearing ongoing scan operation
- make use of default primary handler for threaded_irq
- avoid false failure debug message during mac_close
Like I said in v1, atomic_t with only values 0 and 1 does not really make sense.
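Added example, not part of the patch or of this thread: a single-threaded userspace C model of the ordering the commit message describes (set the close flag, flush pending work, only then release state), with the interrupt path refusing to queue once the flag is set. All names (dev_model, model_handle_isr, model_flush, model_close, scan_ctx) are hypothetical, and freeing scan_ctx on close is an assumption standing in for the freed pointers the commit message mentions.

```c
/* Single-threaded userspace model, constructed for illustration; not driver code. */
#include <stdbool.h>
#include <stdlib.h>
#define QLEN 8

struct dev_model {            /* hypothetical stand-in for the driver state */
    bool close;               /* set before the flush, checked on the IRQ path */
    int *pending[QLEN];       /* queued scan results (heap-allocated) */
    int n_pending, handled, dropped;
    int *scan_ctx;            /* assumed: state released when the interface goes down */
};

/* Models the interrupt path: refuse to queue work once close is set. */
bool model_handle_isr(struct dev_model *d, int id)
{
    int *r;
    if (d->close || d->n_pending == QLEN || !(r = malloc(sizeof(*r)))) {
        d->dropped++;
        return false;
    }
    *r = id;
    d->pending[d->n_pending++] = r;
    return true;
}

/* Models flush_workqueue(): run every queued item to completion. */
void model_flush(struct dev_model *d)
{
    for (int i = 0; i < d->n_pending; i++) {
        *d->scan_ctx += *d->pending[i];   /* the work dereferences scan_ctx */
        free(d->pending[i]);
        d->handled++;
    }
    d->n_pending = 0;
}

/* Models the close path: flag first, then flush, only then free. */
void model_close(struct dev_model *d)
{
    d->close = true;
    model_flush(d);
    free(d->scan_ctx);
    d->scan_ctx = NULL;
}

int main(void)
{
    struct dev_model d = { .scan_ctx = calloc(1, sizeof(int)) };
    if (!d.scan_ctx || !model_handle_isr(&d, 1)) return 1;
    model_close(&d);
    return model_handle_isr(&d, 2);   /* exit 0: the late interrupt was dropped */
}
```

Swapping the first two statements of model_close() in this model lets an interrupt arriving after the flush queue work that would later dereference the released scan_ctx.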