From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Felix Fietkau <nbd@nbd.name>,
Lorenzo Bianconi <lorenzo@kernel.org>,
Jakub Kicinski <kubakici@wp.pl>,
Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 4.14 13/30] mt7601u: fix rx buffer refcounting
Date: Tue, 2 Feb 2021 14:38:54 +0100 [thread overview]
Message-ID: <20210202132942.687792071@linuxfoundation.org> (raw)
In-Reply-To: <20210202132942.138623851@linuxfoundation.org>
From: Lorenzo Bianconi <lorenzo@kernel.org>
commit d24c790577ef01bfa01da2b131313a38c843a634 upstream.
Fix the following crash due to erroneous page refcounting:
[ 32.445919] BUG: Bad page state in process swapper/1 pfn:11f65a
[ 32.447409] page:00000000938f0632 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x11f65a
[ 32.449605] flags: 0x8000000000000000()
[ 32.450421] raw: 8000000000000000 ffffffff825b0148 ffffea00045ae988 0000000000000000
[ 32.451795] raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000
[ 32.452999] page dumped because: nonzero mapcount
[ 32.453888] Modules linked in:
[ 32.454492] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-rc2+ #1976
[ 32.455695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1.fc33 04/01/2014
[ 32.457157] Call Trace:
[ 32.457636] <IRQ>
[ 32.457993] dump_stack+0x77/0x97
[ 32.458576] bad_page.cold+0x65/0x96
[ 32.459198] get_page_from_freelist+0x46a/0x11f0
[ 32.460008] __alloc_pages_nodemask+0x10a/0x2b0
[ 32.460794] mt7601u_rx_tasklet+0x651/0x720
[ 32.461505] tasklet_action_common.constprop.0+0x6b/0xd0
[ 32.462343] __do_softirq+0x152/0x46c
[ 32.462928] asm_call_irq_on_stack+0x12/0x20
[ 32.463610] </IRQ>
[ 32.463953] do_softirq_own_stack+0x5b/0x70
[ 32.464582] irq_exit_rcu+0x9f/0xe0
[ 32.465028] common_interrupt+0xae/0x1a0
[ 32.465536] asm_common_interrupt+0x1e/0x40
[ 32.466071] RIP: 0010:default_idle+0x18/0x20
[ 32.468981] RSP: 0018:ffffc90000077f00 EFLAGS: 00000246
[ 32.469648] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[ 32.470550] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81aac3dd
[ 32.471463] RBP: ffff88810022ab00 R08: 0000000000000001 R09: 0000000000000001
[ 32.472335] R10: 0000000000000046 R11: 0000000000005aa0 R12: 0000000000000000
[ 32.473235] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 32.474139] ? default_idle_call+0x4d/0x200
[ 32.474681] default_idle_call+0x74/0x200
[ 32.475192] do_idle+0x1d5/0x250
[ 32.475612] cpu_startup_entry+0x19/0x20
[ 32.476114] secondary_startup_64_no_verify+0xb0/0xbb
[ 32.476765] Disabling lock debugging due to kernel taint
Fixes: c869f77d6abb ("add mt7601u driver")
Co-developed-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Acked-by: Jakub Kicinski <kubakici@wp.pl>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/62b2380c8c2091834cfad05e1059b55f945bd114.1610643952.git.lorenzo@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt7601u/dma.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/wireless/mediatek/mt7601u/dma.c
+++ b/drivers/net/wireless/mediatek/mt7601u/dma.c
@@ -160,8 +160,7 @@ mt7601u_rx_process_entry(struct mt7601u_
if (new_p) {
/* we have one extra ref from the allocator */
- __free_pages(e->p, MT_RX_ORDER);
-
+ put_page(e->p);
e->p = new_p;
}
}
next prev parent reply other threads:[~2021-02-02 14:19 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 13:38 [PATCH 4.14 00/30] 4.14.219-rc1 review Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 01/30] nbd: freeze the queue while were adding connections Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 02/30] ACPI: sysfs: Prefer "compatible" modalias Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 03/30] ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 04/30] wext: fix NULL-ptr-dereference with cfg80211s lack of commit() Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 05/30] net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 06/30] drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 07/30] drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 08/30] KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 09/30] KVM: x86: get smi pending status correctly Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 10/30] xen: Fix XenStore initialisation for XS_LOCAL Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 11/30] leds: trigger: fix potential deadlock with libata Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 12/30] mt7601u: fix kernel crash unplugging the device Greg Kroah-Hartman
2021-02-02 13:38 ` Greg Kroah-Hartman [this message]
2021-02-02 13:38 ` [PATCH 4.14 14/30] xen-blkfront: allow discard-* nodes to be optional Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 15/30] ARM: imx: build suspend-imx6.S with arm instruction set Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 16/30] netfilter: nft_dynset: add timeout extension to template Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 17/30] xfrm: Fix oops in xfrm_replay_advance_bmp Greg Kroah-Hartman
2021-02-02 13:38 ` [PATCH 4.14 18/30] RDMA/cxgb4: Fix the reported max_recv_sge value Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 19/30] iwlwifi: pcie: use jiffies for memory read spin time limit Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 20/30] iwlwifi: pcie: reschedule in long-running memory reads Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 21/30] mac80211: pause TX while changing interface type Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 22/30] can: dev: prevent potential information leak in can_fill_info() Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 23/30] x86/entry/64/compat: Preserve r8-r11 in int $0x80 Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 24/30] x86/entry/64/compat: Fix "x86/entry/64/compat: Preserve r8-r11 in int $0x80" Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 25/30] iommu/vt-d: Gracefully handle DMAR units with no supported address widths Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 26/30] iommu/vt-d: Dont dereference iommu_device if IOMMU_API is not built Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 27/30] NFC: fix resource leak when target index is invalid Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 28/30] NFC: fix possible resource leak Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 29/30] team: protect features update by RCU to avoid deadlock Greg Kroah-Hartman
2021-02-02 13:39 ` [PATCH 4.14 30/30] tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN Greg Kroah-Hartman
2021-02-03 9:42 ` [PATCH 4.14 00/30] 4.14.219-rc1 review Naresh Kamboju
2021-02-03 20:41 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210202132942.687792071@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kubakici@wp.pl \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo@kernel.org \
--cc=nbd@nbd.name \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox