linux-wireless.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lorenzo Bianconi <lorenzo@kernel.org>,
	Jakub Kicinski <kubakici@wp.pl>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.1 142/219] mt7601u: fix possible memory leak when the device is disconnected
Date: Mon, 15 Jul 2019 10:02:23 -0400
Message-ID: <20190715140341.6443-142-sashal@kernel.org>
In-Reply-To: <20190715140341.6443-1-sashal@kernel.org>

From: Lorenzo Bianconi <lorenzo@kernel.org>

[ Upstream commit 23377c200b2eb48a60d0f228b2a2e75ed6ee6060 ]

When the device is disconnected while passing traffic it is possible
to receive out of order urbs causing a memory leak since the skb linked
to the current tx urb is not removed. Fix the issue deallocating the skb
cleaning up the tx ring. Moreover this patch fixes the following kernel
warning

[   57.480771] usb 1-1: USB disconnect, device number 2
[   57.483451] ------------[ cut here ]------------
[   57.483462] TX urb mismatch
[   57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
[   57.483483] Modules linked in:
[   57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
[   57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
[   57.483502] Workqueue: usb_hub_wq hub_event
[   57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
[   57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
[   57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
[   57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
[   57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
[   57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
[   57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
[   57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
[   57.483548] FS:  0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
[   57.483550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
[   57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   57.483559] Call Trace:
[   57.483561]  <IRQ>
[   57.483565]  __usb_hcd_giveback_urb+0x77/0xe0
[   57.483570]  xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
[   57.483574]  handle_cmd_completion+0xf5b/0x12c0
[   57.483577]  xhci_irq+0x1f6/0x1810
[   57.483581]  ? lockdep_hardirqs_on+0x9e/0x180
[   57.483584]  ? _raw_spin_unlock_irq+0x24/0x30
[   57.483588]  __handle_irq_event_percpu+0x3a/0x260
[   57.483592]  handle_irq_event_percpu+0x1c/0x60
[   57.483595]  handle_irq_event+0x2f/0x4c
[   57.483599]  handle_edge_irq+0x7e/0x1a0
[   57.483603]  handle_irq+0x17/0x20
[   57.483607]  do_IRQ+0x54/0x110
[   57.483610]  common_interrupt+0xf/0xf
[   57.483612]  </IRQ>

Acked-by: Jakub Kicinski <kubakici@wp.pl>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt7601u/dma.c | 21 ++++++++++++++++-----
 drivers/net/wireless/mediatek/mt7601u/tx.c  |  4 ++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c
index 134f8a5bb5d4..401444f36402 100644
--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
+++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
@@ -241,14 +241,25 @@ static void mt7601u_complete_tx(struct urb *urb)
 	struct sk_buff *skb;
 	unsigned long flags;
 
-	spin_lock_irqsave(&dev->tx_lock, flags);
+	switch (urb->status) {
+	case -ECONNRESET:
+	case -ESHUTDOWN:
+	case -ENOENT:
+		return;
+	default:
+		dev_err_ratelimited(dev->dev, "tx urb failed: %d\n",
+				    urb->status);
+		/* fall through */
+	case 0:
+		break;
+	}
 
-	if (mt7601u_urb_has_error(urb))
-		dev_err(dev->dev, "Error: TX urb failed:%d\n", urb->status);
+	spin_lock_irqsave(&dev->tx_lock, flags);
 	if (WARN_ONCE(q->e[q->start].urb != urb, "TX urb mismatch"))
 		goto out;
 
 	skb = q->e[q->start].skb;
+	q->e[q->start].skb = NULL;
 	trace_mt_tx_dma_done(dev, skb);
 
 	__skb_queue_tail(&dev->tx_skb_done, skb);
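Review bot: the early return for -ECONNRESET, -ESHUTDOWN and -ENOENT at the top of mt7601u_complete_tx() does not clear the entry's skb pointer and runs before tx_lock is taken, so those skbs are released only if mt7601u_free_tx_queue() runs afterwards. A short comment above the switch stating that dependency would make the pairing with the `q->e[q->start].skb = NULL;` assignment further down clear. Placing `default:` ahead of `case 0:` with a fall through is also harder to read than `case 0: break;` followed by a `default:` that logs and breaks.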
@@ -448,10 +459,10 @@ static void mt7601u_free_tx_queue(struct mt7601u_tx_queue *q)
 {
 	int i;
 
-	WARN_ON(q->used);
-
 	for (i = 0; i < q->entries; i++)  {
 		usb_poison_urb(q->e[i].urb);
+		if (q->e[i].skb)
+			mt7601u_tx_status(q->dev, q->e[i].skb);
 		usb_free_urb(q->e[i].urb);
 	}
 }
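Review bot: in the loop of mt7601u_free_tx_queue(), q->e[i].skb is passed to mt7601u_tx_status() but not set to NULL afterwards, so the entry keeps a pointer to an skb that has already been handed to ieee80211_tx_status(); clearing it right after the call (`q->e[i].skb = NULL;`) would keep the ring consistent with what mt7601u_complete_tx() now does. Note also that mt7601u_tx_status() sets IEEE80211_TX_STAT_ACK, so frames still pending at disconnect are reported as acknowledged; please confirm that is intended.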
diff --git a/drivers/net/wireless/mediatek/mt7601u/tx.c b/drivers/net/wireless/mediatek/mt7601u/tx.c
index 3600e911a63e..4d81c45722fb 100644
--- a/drivers/net/wireless/mediatek/mt7601u/tx.c
+++ b/drivers/net/wireless/mediatek/mt7601u/tx.c
@@ -117,9 +117,9 @@ void mt7601u_tx_status(struct mt7601u_dev *dev, struct sk_buff *skb)
 	info->status.rates[0].idx = -1;
 	info->flags |= IEEE80211_TX_STAT_ACK;
 
-	spin_lock(&dev->mac_lock);
+	spin_lock_bh(&dev->mac_lock);
 	ieee80211_tx_status(dev->hw, skb);
-	spin_unlock(&dev->mac_lock);
+	spin_unlock_bh(&dev->mac_lock);
 }
 
 static int mt7601u_skb_rooms(struct mt7601u_dev *dev, struct sk_buff *skb)
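Review bot: the switch from spin_lock()/spin_unlock() to the _bh variants around ieee80211_tx_status() is not explained in the commit message; presumably it is needed because mt7601u_tx_status() is now also called from mt7601u_free_tx_queue(), and a sentence saying so would help. Since spin_unlock_bh() must not run with hard interrupts disabled, it is worth confirming that no caller reaches mt7601u_tx_status() while holding tx_lock taken with spin_lock_irqsave().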
-- 
2.20.1

