Linux wireless drivers development
 help / color / mirror / Atom feed
* [PATCH] ath9k: Fix kernel panic during rmmod ath9k
@ 2010-06-21  7:36 Vasanthakumar Thiagarajan
  2010-06-21  8:32 ` Vasanthakumar Thiagarajan
  0 siblings, 1 reply; 2+ messages in thread
From: Vasanthakumar Thiagarajan @ 2010-06-21  7:36 UTC (permalink / raw)
  To: linville; +Cc: linux-wireless

This panic was introduced in ar9003 family chipsets
by the following commit

	Author: Felix Fietkau <nbd@openwrt.org>
	Date:   Sat Jun 12 00:34:01 2010 -0400

	ath9k: implement PA predistortion support

Above patch does kfree_skb on a PA predistortion frame
in ath_paprd_calibrate(). This is fine for the cases
where this frame could not be queued onto sw/hw queues
or the tx of this frame is completed. But freeing this
frame upon a failed completion event will result in
dereferencing a freed memory in ath_tx_complete_buf()
while draining pending tx frames.

This patch fixes this issue by moving kfree_skb to
ath_tx_complete_buf() once the frame is successfully
queued.

Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
---
 drivers/net/wireless/ath/ath9k/main.c |    5 +++--
 drivers/net/wireless/ath/ath9k/xmit.c |    1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index c8de50f..37933d3 100644
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -306,8 +306,10 @@ void ath_paprd_calibrate(struct work_struct *work)
 		init_completion(&sc->paprd_complete);
 		ar9003_paprd_setup_gain_table(ah, chain);
 		txctl.paprd = BIT(chain);
-		if (ath_tx_start(hw, skb, &txctl) != 0)
+		if (ath_tx_start(hw, skb, &txctl) != 0) {
+			kfree_skb(skb);
 			break;
+		}
 
 		time_left = wait_for_completion_timeout(&sc->paprd_complete,
 							100);
@@ -327,7 +329,6 @@ void ath_paprd_calibrate(struct work_struct *work)
 
 		chain_ok = 1;
 	}
-	kfree_skb(skb);
 
 	if (chain_ok) {
 		ah->curchan->paprd_done = true;
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 8c7c615..197e898 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -1946,6 +1946,7 @@ static void ath_tx_complete_buf(struct ath_softc *sc, struct ath_buf *bf,
 	if (bf->bf_state.bfs_paprd) {
 		sc->paprd_txok = txok;
 		complete(&sc->paprd_complete);
+		dev_kfree_skb_any(skb);
 	} else {
 		ath_tx_complete(sc, skb, bf->aphy, tx_flags);
 		ath_debug_stat_tx(sc, txq, bf, ts);
-- 
1.7.0.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2010-06-21  8:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-06-21  7:36 [PATCH] ath9k: Fix kernel panic during rmmod ath9k Vasanthakumar Thiagarajan
2010-06-21  8:32 ` Vasanthakumar Thiagarajan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox