Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp153307ybg; Mon, 27 Jul 2020 18:46:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzCwhhtU/SlHAqz549d9lqgh4/ewZe0yVRw3SvzNlyrOrgF6M2JP8t2quLz9Qk62RaGD7HQ X-Received: by 2002:a17:906:8602:: with SMTP id o2mr24185949ejx.277.1595900766664; Mon, 27 Jul 2020 18:46:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595900766; cv=none; d=google.com; s=arc-20160816; b=QctwrSKw5XzCRmJ49SwseG9KDtZI7QAaDt8aPJfsyMy5jZAq39mEv4tvueOQgy2RXF sHeRkjpBIUq/VvwK67QmdPWPFCAM6kc3WYlvoLcdSviZTkny/8DKPtqJ9VK8oVyEmPaU 4pRsALi7JDHWaorl9kCW3/pPVlov7WIs/YFpy7aNm4hICRMNx4Zv+t6oR2DvWvpAP5mQ p3NuXB9qTbSRViMmp6Ey7sZU00BB84L96+fNYc/0dBQh6KRJQLzcGHNbJCIEkSkVFOIi bL+67XcztRn6F9iTX2WznIyRk2yFsPWpe5q9AEzabm+E+hT+I6WLW45nd+ZWt6NndlvA Cn6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from; bh=pCfqDQSd9Mh7SMwmIDqDIp6voYLb81dwsAEOs4BqdkQ=; b=i/EfViEmZlBGC1Z+9pJ/CUXAdrMuy8qfK92DrYMZt3zOpTVMTbr7OjoOCDX+dp86a9 AAyyVjHIjK9o74SxvcTNl9xbNMyoC2wbJTKPcStMjxeKT4Zt4LU2WJalUP2I2mH2iqlG qRi1K6bkWcemo6yXuCTNtae8CdHUq9duDyjgspB9c/riPTw60sSjxWQEQLache8IxPvi 0wpn0uCI/YCwLFmMQYFwZuAgWDK2fdAuDDg+Ef0kWFViBH/9dCOwFN4sLB50Mp21WbNn 5NJPwQfbFciVPZUvHZrFLs57hJbFGjNHs/+pXRSry4ak1jih0EUnQWs5UuBrGIaPFBmG e5iw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a6si2390058eda.592.2020.07.27.18.45.29; Mon, 27 Jul 2020 18:46:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726733AbgG1BpA (ORCPT + 99 others); Mon, 27 Jul 2020 21:45:00 -0400 Received: from www262.sakura.ne.jp ([202.181.97.72]:52595 "EHLO www262.sakura.ne.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726575AbgG1BpA (ORCPT ); Mon, 27 Jul 2020 21:45:00 -0400 Received: from fsav303.sakura.ne.jp (fsav303.sakura.ne.jp [153.120.85.134]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 06S1iJxD088794; Tue, 28 Jul 2020 10:44:19 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav303.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav303.sakura.ne.jp); Tue, 28 Jul 2020 10:44:19 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav303.sakura.ne.jp) Received: from localhost.localdomain (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 06S1iFhm088645 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 28 Jul 2020 10:44:19 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) From: Tetsuo Handa To: gbhat@marvell.com Cc: amitkarwar@gmail.com, andreyknvl@google.com, davem@davemloft.net, dvyukov@google.com, huxinming820@gmail.com, kvalo@codeaurora.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, nishants@marvell.com, syzbot+dc4127f950da51639216@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com, Tetsuo Handa , syzbot Subject: [PATCH] mwifiex: don't call del_timer_sync() on uninitialized timer Date: Tue, 28 Jul 2020 10:44:12 +0900 Message-Id: <1595900652-3842-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: References: Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org syzbot is reporting that del_timer_sync() is called from mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without checking timer_setup() from mwifiex_usb_tx_init() was called [1]. Since mwifiex_usb_prepare_tx_aggr_skb() is calling del_timer() if is_hold_timer_set == true, use the same condition for del_timer_sync(). [1] https://syzkaller.appspot.com/bug?id=fdeef9cf7348be8b8ab5b847f2ed993aba8ea7b6 Reported-by: syzbot Cc: Ganapathi Bhat Signed-off-by: Tetsuo Handa --- A patch from Ganapathi Bhat ( https://patchwork.kernel.org/patch/10990275/ ) is stalling at https://lore.kernel.org/linux-usb/MN2PR18MB2637D7C742BC235FE38367F0A09C0@MN2PR18MB2637.namprd18.prod.outlook.com/ . syzbot by now got this report for 10000 times. Do we want to go with this simple patch? drivers/net/wireless/marvell/mwifiex/usb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c index 6f3cfde..04a1461 100644 --- a/drivers/net/wireless/marvell/mwifiex/usb.c +++ b/drivers/net/wireless/marvell/mwifiex/usb.c @@ -1353,7 +1353,8 @@ static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter) skb_dequeue(&port->tx_aggr.aggr_list))) mwifiex_write_data_complete(adapter, skb_tmp, 0, -1); - del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); + if (port->tx_aggr.timer_cnxt.is_hold_timer_set) + del_timer_sync(&port->tx_aggr.timer_cnxt.hold_timer); port->tx_aggr.timer_cnxt.is_hold_timer_set = false; port->tx_aggr.timer_cnxt.hold_tmo_msecs = 0; } -- 1.8.3.1