4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ganapathi Bhat gbhat@marvell.com
[ Upstream commit b817047ae70c0bd67b677b65d0d69d72cd6e9728 ]
Race condition is observed during rmmod of mwifiex_usb:
1. The rmmod thread will call mwifiex_usb_disconnect(), download SHUTDOWN command and do wait_event_interruptible_timeout(), waiting for response.
2. The main thread will handle the response and will do a wake_up_interruptible(), unblocking rmmod thread.
3. On getting unblocked, rmmod thread will make rx_cmd.urb = NULL in mwifiex_usb_free().
4. The main thread will try to resubmit rx_cmd.urb in mwifiex_usb_submit_rx_urb(), which is NULL.
To fix, wait for main thread to complete before calling mwifiex_usb_free().
Signed-off-by: Ganapathi Bhat gbhat@marvell.com Signed-off-by: Kalle Valo kvalo@codeaurora.org Signed-off-by: Sasha Levin alexander.levin@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/wireless/mwifiex/usb.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/mwifiex/usb.c +++ b/drivers/net/wireless/mwifiex/usb.c @@ -624,6 +624,9 @@ static void mwifiex_usb_disconnect(struc MWIFIEX_FUNC_SHUTDOWN); }
+ if (adapter->workqueue) + flush_workqueue(adapter->workqueue); + mwifiex_usb_free(card);
mwifiex_dbg(adapter, FATAL,