All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Fedor Pchelkin <pchelkin@ispras.ru>
Cc: Kalle Valo <kvalo@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	"John W. Linville" <linville@tuxdriver.com>,
	Vasanthakumar Thiagarajan <vasanth@atheros.com>,
	Senthil Balasubramanian <senthilkumar@atheros.com>,
	Sujith <Sujith.Manoharan@atheros.com>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Alexey Khoroshilov <khoroshilov@ispras.ru>,
	lvc-project@linuxtesting.org
Subject: Re: [PATCH 1/1] wifi: ath9k: hif_usb: fix memory leak of remain_skbs
Date: Thu, 16 Feb 2023 19:05:59 +0100	[thread overview]
Message-ID: <87ttzlqyd4.fsf@toke.dk> (raw)
In-Reply-To: <5d67552f-88dd-7bbe-ebeb-888d1efad985@ispras.ru>

Fedor Pchelkin <pchelkin@ispras.ru> writes:

> On 16.02.2023 19:15, Toke Høiland-Jørgensen wrote:
>  > Erm, does this actually fix the leak? AFAICT, ath9k_hif_usb_dev_deinit()
>  > is only called on the error path of ath9k_hif_usb_firmware_cb(), not
>  > when the device is subsequently torn down in
>  > ath9k_htc_disconnect_device()?
>
> ath9k_hif_usb_dev_deinit() is also called inside
> ath9k_hif_usb_disconnect().

No it's not, as of:

f099c5c9e2ba ("wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()")

I guess you're looking at an older tree? Please base your patches on an
up-to-date ath-next tree.

> I see it to be the only place wherehif_dev is freed (apart from an
> early error path), so the current patchimplementation actually fixes
> the leak. However, as you have noticed, itis not probably the best
> place to put the deallocation: we need to clearthe cached skb not only
> when freeing the device but in urbs deallocationcase, too - in order
> to avoid its irrelevant processing later.
>
>  > I think the right place to put this is probably inside
>  > ath9k_hif_usb_dealloc_urbs()? That gets called on USB suspend as well,
>  > but it seems to me that if we're suspending the device to an extent that
>  > we're deallocating the urbs, we should be clearing out the cached skb in
>  > remain_skb anyway?
>  >
>  > -Toke
>
> Thank you for the advice! As I can see, remain_skb makes sense when
> receiving two consecutive urbs which are logically linked together, i.e.
> a specific data field from the first skb indicates a cached skb to be
> allocated, memcpy'd with some data and subsequently processed in the
> next call to rx callback (see 6ce708f54cc8 ("ath9k: Fix out-of-bound
> memcpy in ath9k_hif_usb_rx_stream")). Urbs deallocation, I suppose,
> makes that link irrelevant.
>
> So I agree with you that remain_skb freeing should be done when
> deallocating the urbs. I would just place that specifically into
> ath9k_hif_usb_dealloc_rx_urbs() as remain_skb is associated with rx
> urbs.

SGTM.

> RX_STAT_INC(hif_dev, skb_dropped), I think, should be also called when
> freeing afilled remain_skb?

Well, if this is mostly something that happens if the device is going
away I'm not sure that anyone will actually see that; but I suppose if
it happens on suspend, the stat increase may be useful, and it shouldn't
hurt otherwise, so sure, let's add that :)

-Toke

  reply	other threads:[~2023-02-16 18:06 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-02-12 14:52 [PATCH 0/1] wifi: ath9k: hif_usb: fix memory leak of remain_skbs Fedor Pchelkin
2023-02-12 14:52 ` [PATCH 1/1] " Fedor Pchelkin
2023-02-16 16:15   ` Toke Høiland-Jørgensen
2023-02-16 17:50     ` Fedor Pchelkin
2023-02-16 18:05       ` Toke Høiland-Jørgensen [this message]
2023-02-16 18:44         ` Fedor Pchelkin
2023-02-16 19:23         ` [PATCH v2] " Fedor Pchelkin
2023-02-16 20:54           ` Toke Høiland-Jørgensen
2023-02-20  8:37           ` Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ttzlqyd4.fsf@toke.dk \
    --to=toke@toke.dk \
    --cc=Sujith.Manoharan@atheros.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=khoroshilov@ispras.ru \
    --cc=kuba@kernel.org \
    --cc=kvalo@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=linville@tuxdriver.com \
    --cc=lvc-project@linuxtesting.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pchelkin@ispras.ru \
    --cc=senthilkumar@atheros.com \
    --cc=vasanth@atheros.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.