[FS#573] Unloading rt2800soc crashes rt3052 based devices

LEDE Bugs lede-bugs at lists.infradead.org
Tue Feb 28 22:25:26 PST 2017


A new Flyspray task has been opened.  Details are below.

User who did this - Tobias Schramm (tsys)

Attached to Project - LEDE Project
Summary - Unloading rt2800soc crashes rt3052 based devices
Task Type - Bug Report
Category - Kernel
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - On LEDE trunk, rt3052 based devices (and all other devices using the rt2800 wireless chipset) crash whenever you try to unload rt2800soc. This happens because patch 604-rt2x00-load-eeprom-on-SoC-from-a-mtd-device-defines-.patch interferes with 602-rt2x00-introduce-rt2x00eeprom.patch.

In 602 the struct rt2x00_dev is extended by the member eeprom_file. In its initialisation function rt2x00lib_request_eeprom_file, eeprom_file is either initialized with a firmware struct from request_firmware or stays NULL if an error occurs. Patch 604 hooks into rt2x00lib_request_eeprom_file via the function rt2800lib_read_eeprom_mtd. rt2800lib_read_eeprom_mtd fills eeprom_file with a statically declared struct firmware if loading from the mtd partition succeeds.

Now, when we come to uninitialization, patch 602's rt2x00lib_free_eeprom_file is called. This function assumes that eeprom_file was dynamically allocated and calls release_firmware(eeprom_file) even if patch 604 allocated it statically. This leads to release_firmware kfree-ing eeprom_file although it was never kmalloced, resulting in a kernel panic.
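The defect above is an ownership mismatch: one free path (release_firmware, which kfrees) is applied to a pointer that may come from request_firmware (heap) or from the MTD hook (static storage). The following userspace model is an added example, not LEDE's or the kernel's code; the model_* functions are stand-ins for the kernel APIs named in the report, the owner field is a hypothetical addition to the device struct, and the EEPROM bytes are constructed. It shows a free path that only releases memory it owns, plus a check that reports where the original unconditional release would have hit static storage.

```c
/* Model of the eeprom_file ownership mismatch between patch 602 and 604.
 * Added example, not LEDE or kernel code. model_* functions stand in for
 * request_firmware()/release_firmware(); the owner tag is hypothetical. */
#include <stdlib.h>
#include <string.h>

struct firmware {
    size_t size;
    unsigned char *data;
};

/* Hypothetical ownership tag; the real struct rt2x00_dev only has the pointer. */
enum eeprom_owner { EEPROM_NONE, EEPROM_HEAP, EEPROM_STATIC };

struct rt2x00_dev_model {
    struct firmware *eeprom_file;
    enum eeprom_owner owner;
};

/* Constructed stand-in for the EEPROM bytes read from the MTD partition. */
static unsigned char mtd_blob[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
/* Models patch 604's statically declared struct firmware. */
static struct firmware mtd_firmware = { sizeof(mtd_blob), mtd_blob };

/* Models request_firmware(): heap-allocates, caller is expected to release. */
static int model_request_firmware(struct firmware **out, int available)
{
    *out = NULL;                       /* on error eeprom_file stays NULL */
    if (!available)
        return -1;
    struct firmware *fw = malloc(sizeof(*fw));
    if (!fw)
        return -1;
    fw->size = 2;
    fw->data = malloc(fw->size);
    if (!fw->data) {
        free(fw);
        return -1;
    }
    memcpy(fw->data, "\x01\x02", fw->size);   /* constructed payload */
    *out = fw;
    return 0;
}

/* Models release_firmware(): unconditional free of data and struct. */
static void model_release_firmware(struct firmware *fw)
{
    if (!fw)
        return;
    free(fw->data);
    free(fw);
}

/* Load path: MTD hook wins (patch 604), firmware request is the fallback (602).
 * The MTD branch aliases static storage instead of allocating. */
static int model_load_eeprom(struct rt2x00_dev_model *dev, int mtd_ok, int fw_ok)
{
    dev->eeprom_file = NULL;
    dev->owner = EEPROM_NONE;
    if (mtd_ok) {
        dev->eeprom_file = &mtd_firmware;
        dev->owner = EEPROM_STATIC;
        return 0;
    }
    if (model_request_firmware(&dev->eeprom_file, fw_ok) == 0) {
        dev->owner = EEPROM_HEAP;
        return 0;
    }
    return -1;
}

/* Returns 1 when the original free path (release whatever pointer is set)
 * would free memory that was never heap-allocated, i.e. the reported panic. */
static int would_invalid_free(const struct rt2x00_dev_model *dev)
{
    return dev->eeprom_file != NULL && dev->owner != EEPROM_HEAP;
}

/* Corrected teardown: only release what this struct owns, always drop the
 * pointer so a second teardown cannot double-free. */
static void model_free_eeprom(struct rt2x00_dev_model *dev)
{
    if (dev->owner == EEPROM_HEAP)
        model_release_firmware(dev->eeprom_file);
    dev->eeprom_file = NULL;
    dev->owner = EEPROM_NONE;
}
```

The alternative fix with the same effect is to keep a single owner: have the MTD hook allocate its struct firmware on the heap (a copy of the static data) so the existing release path is valid for every source. Either way, the invariant to review in such patch stacks is that every writer of a pointer field agrees with its one free path on who owns the memory.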

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=573