Bug 119451 - NULL pointer dereference with BCM4350 wireless device
Summary: NULL pointer dereference with BCM4350 wireless device
Status: NEW
Alias: None
Product: Networking
Classification: Unclassified
Component: Wireless
Hardware: All Linux
Importance: P1 normal
Assignee: networking_wireless@kernel-bugs.osdl.org
URL:
Keywords:
Duplicates: 119761
Depends on:
Blocks:
 
Reported: 2016-06-01 20:08 UTC by Richard van der Hoff
Modified: 2016-11-06 19:03 UTC

See Also:
Kernel Version: v4.7-rc1
Subsystem:
Regression: No
Bisected commit-id:



Description Richard van der Hoff 2016-06-01 20:08:06 UTC
As soon as the network device connects, I get an oops:

[   34.542863] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[   34.544037] IP: [<ffffffff817268f6>] enqueue_to_backlog+0x56/0x230
[   34.545158] PGD 0 
[   34.546252] Oops: 0000 [#1] SMP
[   34.547331] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables bnep binfmt_misc snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp nls_iso8859_1 snd_hda_ext_core snd_soc_sst_match snd_soc_core x86_pkg_temp_thermal intel_powerclamp coretemp snd_compress ac97_bus i2c_designware_platform snd_pcm_dmaengine dw_dmac_core snd_hda_intel snd_hda_codec joydev snd_hda_core dcdbas kvm_intel i2c_designware_core snd_hwdep kvm irqbypass snd_pcm snd_seq_midi snd_seq_midi_event crct10dif_pclmul
[   34.550006]  snd_rawmidi crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd input_leds serio_raw brcmfmac snd_seq snd_seq_device brcmutil snd_timer cfg80211 snd uvcvideo rtsx_pci_ms videobuf2_vmalloc memstick videobuf2_memops soundcore videobuf2_v4l2 videobuf2_core videodev media hid_multitouch btusb btrtl idma64 virt_dma mei_me mei processor_thermal_device intel_lpss_pci intel_soc_dts_iosf intel_pch_thermal hci_uart btbcm btqca btintel bluetooth intel_lpss_acpi intel_lpss int3403_thermal acpi_pad int340x_thermal_zone int3400_thermal acpi_thermal_rel mac_hid acpi_als kfifo_buf industrialio parport_pc ppdev lp parport autofs4 hid_logitech_hidpp hid_logitech_dj usbhid rtsx_pci_sdmmc i915 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect nvme sysimgblt
[   34.552945]  nvme_core fb_sys_fops ahci rtsx_pci drm libahci wmi i2c_hid hid pinctrl_sunrisepoint video pinctrl_intel fjes
[   34.554390] CPU: 1 PID: 699 Comm: irq/284-brcmf_p Not tainted 4.7.0-rc1-v4.7-rc1 #10
[   34.555878] Hardware name: Dell Inc. XPS 13 9350/09JHRY, BIOS 1.3.3 03/01/2016
[   34.557320] task: ffff88046b211e80 ti: ffff880466ca0000 task.ti: ffff880466ca0000
[   34.558731] RIP: 0010:[<ffffffff817268f6>]  [<ffffffff817268f6>] enqueue_to_backlog+0x56/0x230
[   34.560197] RSP: 0018:ffff880466ca3ca8  EFLAGS: 00010046
[   34.561604] RAX: 0000000000000000 RBX: ffff88047ec98dc0 RCX: 0000000000000018
[   34.563015] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff88047ec98ecc
[   34.564457] RBP: ffff880466ca3ce8 R08: ffff88047ee82000 R09: 0000000000000008
[   34.565871] R10: 0000000000000000 R11: 0000000000000e65 R12: ffff88047ec98ecc
[   34.567285] R13: 0000000000018dc0 R14: ffff880466ca3d00 R15: ffff880464c2f600
[   34.568746] FS:  0000000000000000(0000) GS:ffff88047ec80000(0000) knlGS:0000000000000000
[   34.570166] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.571599] CR2: 0000000000000048 CR3: 0000000002e06000 CR4: 00000000003406e0
[   34.573057] Stack:
[   34.574474]  ffffffffc06191d8 ffff880466ca3ce8 0000000000000286 ffff880464c2f600
[   34.575949]  ffff880464c2f600 ffff88007a06c000 ffff88007a06c000 ffff880464c2f600
[   34.577460]  ffff880466ca3d20 ffffffff81726b14 0000000000000286 ffff880466ca3d28
[   34.578922] Call Trace:
[   34.580402]  [<ffffffff81726b14>] netif_rx_internal+0x44/0x110
[   34.581840]  [<ffffffff81726ca0>] netif_rx_ni+0x20/0x80
[   34.583289]  [<ffffffffc05fb0e3>] brcmf_netif_rx+0x73/0x90 [brcmfmac]
[   34.584791]  [<ffffffffc0600a54>] brcmf_msgbuf_process_rx+0x134/0x5d0 [brcmfmac]
[   34.586239]  [<ffffffff810ddac0>] ? irq_finalize_oneshot.part.35+0xe0/0xe0
[   34.587701]  [<ffffffffc0601421>] brcmf_proto_msgbuf_rx_trigger+0x31/0xe0 [brcmfmac]
[   34.589196]  [<ffffffffc060d31f>] brcmf_pcie_isr_thread+0x16f/0x1d0 [brcmfmac]
[   34.590657]  [<ffffffff810ddae0>] irq_thread_fn+0x20/0x50
[   34.592178]  [<ffffffff810dde28>] irq_thread+0x138/0x1c0
[   34.593634]  [<ffffffff8183229b>] ? __schedule+0x2eb/0x760
[   34.595085]  [<ffffffff810ddb80>] ? irq_forced_thread_fn+0x70/0x70
[   34.596570]  [<ffffffff810ddcf0>] ? irq_thread_check_affinity+0xc0/0xc0
[   34.598003]  [<ffffffff810a0f68>] kthread+0xd8/0xf0
[   34.599460]  [<ffffffff81836c9f>] ret_from_fork+0x1f/0x40
[   34.600948]  [<ffffffff810a0e90>] ? kthread_create_on_node+0x1a0/0x1a0
[   34.602417] Code: 1c f5 00 63 f3 81 9c 58 0f 1f 44 00 00 48 89 45 d0 fa 66 0f 1f 44 00 00 4c 8d a3 0c 01 00 00 4c 89 e7 e8 2e 00 11 00 49 8b 47 20 <48> 8b 40 48 a8 01 74 10 8b 93 08 01 00 00 8b 05 2a 70 81 00 39 
[   34.604088] RIP  [<ffffffff817268f6>] enqueue_to_backlog+0x56/0x230
[   34.605617]  RSP <ffff880466ca3ca8>
[   34.607135] CR2: 0000000000000048
[   34.608712] ---[ end trace af2298464e0c5d96 ]---

(Soon after, I see 'unable to handle kernel paging request', and things get worse from there.)

lspci for the relevant device:

3a:00.0 Network controller: Broadcom Corporation BCM4350 802.11ac Wireless Network Adapter (rev 08)
	Subsystem: Dell BCM4350 802.11ac Wireless Network Adapter
	Flags: bus master, fast devsel, latency 0, IRQ 284
	Memory at dc400000 (64-bit, non-prefetchable) [size=32K]
	Memory at dc000000 (64-bit, non-prefetchable) [size=4M]
	Capabilities: [48] Power Management version 3
	Capabilities: [58] MSI: Enable+ Count=1/16 Maskable- 64bit+
	Capabilities: [68] Vendor Specific Information: Len=44 <?>
	Capabilities: [ac] Express Endpoint, MSI 00
	Capabilities: [100] Advanced Error Reporting
	Capabilities: [13c] Device Serial Number 00-00-cb-ff-ff-e8-30-52
	Capabilities: [150] Power Budgeting <?>
	Capabilities: [160] Virtual Channel
	Capabilities: [1b0] Latency Tolerance Reporting
	Capabilities: [220] #15
	Capabilities: [240] L1 PM Substates
	Kernel driver in use: brcmfmac
	Kernel modules: brcmfmac

This appears to be a recent regression (since v4.6-rc7).

Comment 1 Richard van der Hoff 2016-06-01 20:12:04 UTC
It looks like skb->dev is NULL in enqueue_to_backlog.
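Comment 1's reading can be checked against the oops itself. The following is an added example, not part of the original report or of the kernel; the helper names `decode_load` and `triage` are hypothetical, and the decoder handles only the single `mov disp8(%base),%dst` form found at the fault here.

```python
import re

# Excerpt of the oops from this report; the Code: line is trimmed to the two
# instructions around the <faulting byte> marker.
OOPS = """\
[   34.542863] BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
[   34.561604] RAX: 0000000000000000 RBX: ffff88047ec98dc0 RCX: 0000000000000018
[   34.567285] R13: 0000000000018dc0 R14: ffff880466ca3d00 R15: ffff880464c2f600
[   34.571599] CR2: 0000000000000048 CR3: 0000000002e06000 CR4: 00000000003406e0
[   34.581840]  [<ffffffff81726ca0>] netif_rx_ni+0x20/0x80
[   34.583289]  [<ffffffffc05fb0e3>] brcmf_netif_rx+0x73/0x90 [brcmfmac]
[   34.602417] Code: 49 8b 47 20 <48> 8b 40 48 a8 01 74 10
"""
REGS = ("RAX RCX RDX RBX RSP RBP RSI RDI "
        "R08 R09 R10 R11 R12 R13 R14 R15").split()

def decode_load(b):
    """Decode only 'REX.W 8b /r disp8' (mov disp8(%base),%dst), no SIB byte."""
    if len(b) != 4 or (b[0] & 0xF8) != 0x48 or b[1] != 0x8B:
        return None
    mod, reg, rm = b[2] >> 6, (b[2] >> 3) & 7, b[2] & 7
    if mod != 1 or rm == 4:          # rm == 4 would mean a SIB byte follows
        return None
    disp = b[3] - 0x100 if b[3] & 0x80 else b[3]
    return {"dst": REGS[reg + 8 * ((b[0] >> 2) & 1)],   # REX.R extends reg
            "base": REGS[rm + 8 * (b[0] & 1)], "disp": disp}  # REX.B extends rm

def triage(oops):
    regs = {m[1]: int(m[2], 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{2}|CR\d): ([0-9a-f]{16})\b", oops)}
    code = re.search(r"Code: (.+)", oops)[1].split()
    i = next(k for k, tok in enumerate(code) if tok.startswith("<"))
    raw = [int(tok.strip("<>"), 16) for tok in code]
    fault = decode_load(raw[i:i + 4])
    # x86 cannot be decoded backwards reliably: the 4-byte guess for the previous
    # instruction is kept only if it decodes and writes the faulting base register.
    prev = decode_load(raw[i - 4:i]) if i >= 4 else None
    if prev and fault and prev["dst"] != fault["base"]:
        prev = None
    return {
        # NULL-plus-offset: base register is 0 and the displacement equals CR2
        "null_base": bool(fault) and regs[fault["base"]] == 0
                     and fault["disp"] == regs["CR2"],
        "fault": fault,
        "pointer_loaded_from": prev and (prev["base"], prev["disp"]),
        "module_frames": re.findall(r"\] (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]", oops),
    }
```

On this trace the faulting load is `mov 0x48(%rax),%rax` with RAX = 0, and RAX was filled from `0x20(%r15)` one instruction earlier. The bytes do not say which structure field that is; Comment 1 identifies it as skb->dev.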

Comment 2 Arend van Spriel 2016-06-02 18:36:23 UTC
A fix has been submitted to linux-wireless:

https://patchwork.kernel.org/patch/9149583/

Comment 3 Richard van der Hoff 2016-06-07 17:13:33 UTC
Thanks, can confirm that patch fixes the problem.

Comment 4 The Linux kernel's regression tracker (Thorsten Leemhuis) 2016-06-17 11:12:30 UTC
This afaics was fixed by https://git.kernel.org/torvalds/c/31143e2933
Should this bug be closed?
Sincerely, your regression tracker for Linux 4.7 (http://bit.ly/28JRmJo)

Comment 5 favonia 2016-06-26 11:40:28 UTC
*** Bug 119761 has been marked as a duplicate of this bug. ***
