From: I Viswanath <viswanathiyyappan@gmail.com>
To: andrew@lunn.ch
Cc: andrew+netdev@lunn.ch, davem@davemloft.net,
david.hunter.linux@gmail.com, edumazet@google.com,
kuba@kernel.org, linux-kernel-mentees@lists.linux.dev,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com, petkan@nucleusys.com,
skhan@linuxfoundation.org,
syzbot+78cae3f37c62ad092caa@syzkaller.appspotmail.com,
viswanathiyyappan@gmail.com
Subject: [PATCH net v2] net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
Date: Sat, 20 Sep 2025 23:48:52 +0530 [thread overview]
Message-ID: <20250920181852.18164-1-viswanathiyyappan@gmail.com> (raw)
In-Reply-To: <83171a57-cb40-4c97-b736-0e62930b9e5c@lunn.ch>
syzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.
This is the sequence of events that leads to the Warning:
CPU0 (in rtl8150_start_xmit) CPU1 (in rtl8150_start_xmit) CPU2 (in rtl8150_set_multicast)
netif_stop_queue();
netif_stop_queue();
usb_submit_urb();
netif_wake_queue(); <-- Wakes up TX queue before it's ready
netif_stop_queue();
usb_submit_urb(); <-- Warning
freeing urb
rtl8150_set_multicast is rtl8150's implementation of ndo_set_rx_mode and
should not be calling netif_stop_queue and notif_start_queue as these handle
TX queue synchronization.
The net core function dev_set_rx_mode handles the synchronization
for rtl8150_set_multicast making it safe to remove these locks.
Reported-and-tested-by: syzbot+78cae3f37c62ad092caa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=78cae3f37c62ad092caa
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: I Viswanath <viswanathiyyappan@gmail.com>
---
v2:
- Add explanation why netif_stop_queue/netif_wake_queue can be safely removed
- Add the net prefix to the patch, designating it to the net tree
Relevant logs:
[ 65.779651][ T5648] About to enter stop queue ffff88805061e000, eth4
[ 65.779664][ T5648] After stop queue ffff88805061e000, eth4
[ 65.780296][ T5648] net eth4: eth name:eth4 SUBMIT: tx_urb=ffff888023219000, status=0, transfer_buffer_length=60, dev=ffff88805061ed80, netdev=ffff88805061e000, skb=ffff88804f907b80
[ 65.790962][ T760] About to enter stop queue ffff88805061e000, eth4
[ 65.790978][ T760] After stop queue ffff88805061e000, eth4
[ 65.791874][ T760] net eth4: We are inside Multicast dev:ffff88805061ed80, netdev:ffff88805061e000
[ 65.793259][ T760] About to enter netif_wake_queue ffff88805061e000, eth4
[ 65.793264][ T760] After netif_wake_queue ffff88805061e000, eth4
[ 65.822319][ T5829] About to enter stop queue ffff88805061e000, eth4
[ 65.823135][ T5829] After stop queue ffff88805061e000, eth4
[ 65.823739][ T5829] net eth4: eth name:eth4 SUBMIT: tx_urb=ffff888023219000, status=-115, transfer_buffer_length=90, dev=ffff88805061ed80, netdev=ffff88805061e000, skb=ffff88804b5363c0
drivers/net/usb/rtl8150.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index ddff6f19ff98..92add3daadbb 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -664,7 +664,6 @@ static void rtl8150_set_multicast(struct net_device *netdev)
rtl8150_t *dev = netdev_priv(netdev);
u16 rx_creg = 0x9e;
- netif_stop_queue(netdev);
if (netdev->flags & IFF_PROMISC) {
rx_creg |= 0x0001;
dev_info(&netdev->dev, "%s: promiscuous mode\n", netdev->name);
@@ -678,7 +677,6 @@ static void rtl8150_set_multicast(struct net_device *netdev)
rx_creg &= 0x00fc;
}
async_set_registers(dev, RCR, sizeof(rx_creg), rx_creg);
- netif_wake_queue(netdev);
}
static netdev_tx_t rtl8150_start_xmit(struct sk_buff *skb,
--
2.47.3
next prev parent reply other threads:[~2025-09-20 18:19 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-20 4:50 [PATCH] net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast I Viswanath
2025-09-20 15:30 ` Andrew Lunn
2025-09-20 16:52 ` viswanath
2025-09-20 17:28 ` Andrew Lunn
2025-09-20 18:18 ` I Viswanath [this message]
2025-09-23 1:07 ` [PATCH net v2] " Jakub Kicinski
2025-09-23 7:47 ` Michal Pecio
2025-09-23 14:28 ` Jakub Kicinski
2025-09-23 23:20 ` Michal Pecio
2025-09-23 23:37 ` Jakub Kicinski
2025-09-25 5:59 ` Deepak Sharma
2025-09-24 7:47 ` Michal Pecio
2025-09-24 8:02 ` viswanath
2025-09-24 9:36 ` Michal Pecio
2025-09-24 10:25 ` viswanath
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250920181852.18164-1-viswanathiyyappan@gmail.com \
--to=viswanathiyyappan@gmail.com \
--cc=andrew+netdev@lunn.ch \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=david.hunter.linux@gmail.com \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel-mentees@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=petkan@nucleusys.com \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+78cae3f37c62ad092caa@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).