
[wpan-next,v2,4/9] net: ieee802154: at86rf230: Stop leaking skb's

Message ID 20220120112115.448077-5-miquel.raynal@bootlin.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series ieee802154: A bunch of fixes

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 6 of 6 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 7 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Miquel Raynal Jan. 20, 2022, 11:21 a.m. UTC
Upon error the ieee802154_xmit_complete() helper is not called. Only
ieee802154_wake_queue() is called manually. We then leak the skb
structure.

Free the skb structure upon error before returning.

There is no Fixes tag applying here; many changes have been made in this
area and the issue kind of always existed.

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
---
 drivers/net/ieee802154/at86rf230.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Alexander Aring Jan. 23, 2022, 8:43 p.m. UTC | #1
Hi,

On Thu, 20 Jan 2022 at 06:21, Miquel Raynal <miquel.raynal@bootlin.com> wrote:
>
> Upon error the ieee802154_xmit_complete() helper is not called. Only
> ieee802154_wake_queue() is called manually. We then leak the skb
> structure.
>
> Free the skb structure upon error before returning.
>
> There is no Fixes tag applying here; many changes have been made in this
> area and the issue kind of always existed.
>
> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
> ---
>  drivers/net/ieee802154/at86rf230.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
> index 7d67f41387f5..0746150f78cf 100644
> --- a/drivers/net/ieee802154/at86rf230.c
> +++ b/drivers/net/ieee802154/at86rf230.c
> @@ -344,6 +344,7 @@ at86rf230_async_error_recover_complete(void *context)
>                 kfree(ctx);
>
>         ieee802154_wake_queue(lp->hw);
> +       dev_kfree_skb_any(lp->tx_skb);

As I said in other mails, there is more broken; we need a:

if (lp->is_tx) {
        ieee802154_wake_queue(lp->hw);
        dev_kfree_skb_any(lp->tx_skb);
        lp->is_tx = 0;
}

in at86rf230_async_error_recover().

Thanks.

- Alex
Alexander Aring Jan. 23, 2022, 8:59 p.m. UTC | #2
Hi,

On Sun, 23 Jan 2022 at 15:43, Alexander Aring <alex.aring@gmail.com> wrote:
>
> Hi,
>
> On Thu, 20 Jan 2022 at 06:21, Miquel Raynal <miquel.raynal@bootlin.com> wrote:
> >
> > Upon error the ieee802154_xmit_complete() helper is not called. Only
> > ieee802154_wake_queue() is called manually. We then leak the skb
> > structure.
> >
> > Free the skb structure upon error before returning.
> >
> > There is no Fixes tag applying here; many changes have been made in this
> > area and the issue kind of always existed.
> >
> > Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
> > ---
> >  drivers/net/ieee802154/at86rf230.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
> > index 7d67f41387f5..0746150f78cf 100644
> > --- a/drivers/net/ieee802154/at86rf230.c
> > +++ b/drivers/net/ieee802154/at86rf230.c
> > @@ -344,6 +344,7 @@ at86rf230_async_error_recover_complete(void *context)
> >                 kfree(ctx);
> >
> >         ieee802154_wake_queue(lp->hw);
> > +       dev_kfree_skb_any(lp->tx_skb);
>
> As I said in other mails, there is more broken; we need a:
>
> if (lp->is_tx) {
>         ieee802154_wake_queue(lp->hw);
>         dev_kfree_skb_any(lp->tx_skb);
>         lp->is_tx = 0;
> }
>

Also, we should free the skb first, _then_ wake_queue().

- Alex
Alexander Aring Jan. 23, 2022, 10:41 p.m. UTC | #3
Hi,

On Sun, 23 Jan 2022 at 15:43, Alexander Aring <alex.aring@gmail.com> wrote:
>
> Hi,
>
> On Thu, 20 Jan 2022 at 06:21, Miquel Raynal <miquel.raynal@bootlin.com> wrote:
> >
> > Upon error the ieee802154_xmit_complete() helper is not called. Only
> > ieee802154_wake_queue() is called manually. We then leak the skb
> > structure.
> >
> > Free the skb structure upon error before returning.
> >
> > There is no Fixes tag applying here; many changes have been made in this
> > area and the issue kind of always existed.
> >
> > Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
> > ---
> >  drivers/net/ieee802154/at86rf230.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
> > index 7d67f41387f5..0746150f78cf 100644
> > --- a/drivers/net/ieee802154/at86rf230.c
> > +++ b/drivers/net/ieee802154/at86rf230.c
> > @@ -344,6 +344,7 @@ at86rf230_async_error_recover_complete(void *context)
> >                 kfree(ctx);
> >
> >         ieee802154_wake_queue(lp->hw);
> > +       dev_kfree_skb_any(lp->tx_skb);
>
> As I said in other mails, there is more broken; we need a:
>
> if (lp->is_tx) {
>         ieee802154_wake_queue(lp->hw);
>         dev_kfree_skb_any(lp->tx_skb);
>         lp->is_tx = 0;
> }
>
> in at86rf230_async_error_recover().
>
s/at86rf230_async_error_recover/at86rf230_async_error_recover_complete/

move the is_tx = 0 out of at86rf230_async_error_recover().

- Alex
Alexander Aring Jan. 23, 2022, 11:14 p.m. UTC | #4
Hi,

On Sun, 23 Jan 2022 at 17:41, Alexander Aring <alex.aring@gmail.com> wrote:
>
> Hi,
>
> On Sun, 23 Jan 2022 at 15:43, Alexander Aring <alex.aring@gmail.com> wrote:
> >
> > Hi,
> >
> > On Thu, 20 Jan 2022 at 06:21, Miquel Raynal <miquel.raynal@bootlin.com> wrote:
> > >
> > > Upon error the ieee802154_xmit_complete() helper is not called. Only
> > > ieee802154_wake_queue() is called manually. We then leak the skb
> > > structure.
> > >
> > > Free the skb structure upon error before returning.
> > >
> > > There is no Fixes tag applying here; many changes have been made in this
> > > area and the issue kind of always existed.
> > >
> > > Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
> > > ---
> > >  drivers/net/ieee802154/at86rf230.c | 1 +
> > >  1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
> > > index 7d67f41387f5..0746150f78cf 100644
> > > --- a/drivers/net/ieee802154/at86rf230.c
> > > +++ b/drivers/net/ieee802154/at86rf230.c
> > > @@ -344,6 +344,7 @@ at86rf230_async_error_recover_complete(void *context)
> > >                 kfree(ctx);
> > >
> > >         ieee802154_wake_queue(lp->hw);
> > > +       dev_kfree_skb_any(lp->tx_skb);
> >
> > As I said in other mails, there is more broken; we need a:
> >
> > if (lp->is_tx) {
> >         ieee802154_wake_queue(lp->hw);
> >         dev_kfree_skb_any(lp->tx_skb);
> >         lp->is_tx = 0;
> > }
> >
> > in at86rf230_async_error_recover().
> >
> s/at86rf230_async_error_recover/at86rf230_async_error_recover_complete/
>
> move the is_tx = 0 out of at86rf230_async_error_recover().

Sorry, still seeing an issue here.

We cannot move is_tx = 0 out of at86rf230_async_error_recover()
because switching to RX_AACK_ON races with a new interrupt and is_tx
is not correct anymore. We need something new like "was_tx" to
remember that it was a tx case for the error handling in
at86rf230_async_error_recover_complete().

- Alex
Miquel Raynal Jan. 25, 2022, 10:58 a.m. UTC | #5
Hi Alexander,

alex.aring@gmail.com wrote on Sun, 23 Jan 2022 18:14:12 -0500:

> Hi,
> 
> On Sun, 23 Jan 2022 at 17:41, Alexander Aring <alex.aring@gmail.com> wrote:
> >
> > Hi,
> >
> > On Sun, 23 Jan 2022 at 15:43, Alexander Aring <alex.aring@gmail.com> wrote:  
> > >
> > > Hi,
> > >
> > > On Thu, 20 Jan 2022 at 06:21, Miquel Raynal <miquel.raynal@bootlin.com> wrote:  
> > > >
> > > > Upon error the ieee802154_xmit_complete() helper is not called. Only
> > > > ieee802154_wake_queue() is called manually. We then leak the skb
> > > > structure.
> > > >
> > > > Free the skb structure upon error before returning.
> > > >
> > > > There is no Fixes tag applying here; many changes have been made in this
> > > > area and the issue kind of always existed.
> > > >
> > > > Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
> > > > ---
> > > >  drivers/net/ieee802154/at86rf230.c | 1 +
> > > >  1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
> > > > index 7d67f41387f5..0746150f78cf 100644
> > > > --- a/drivers/net/ieee802154/at86rf230.c
> > > > +++ b/drivers/net/ieee802154/at86rf230.c
> > > > @@ -344,6 +344,7 @@ at86rf230_async_error_recover_complete(void *context)
> > > >                 kfree(ctx);
> > > >
> > > >         ieee802154_wake_queue(lp->hw);
> > > > +       dev_kfree_skb_any(lp->tx_skb);  
> > >
> > > As I said in other mails, there is more broken; we need a:
> > >
> > > if (lp->is_tx) {
> > >         ieee802154_wake_queue(lp->hw);
> > >         dev_kfree_skb_any(lp->tx_skb);
> > >         lp->is_tx = 0;
> > > }
> > >
> > > in at86rf230_async_error_recover().
> > >  
> > s/at86rf230_async_error_recover/at86rf230_async_error_recover_complete/
> >
> > move the is_tx = 0 out of at86rf230_async_error_recover().  
> 
> Sorry, still seeing an issue here.
> 
> We cannot move is_tx = 0 out of at86rf230_async_error_recover()
> because switching to RX_AACK_ON races with a new interrupt and is_tx
> is not correct anymore. We need something new like "was_tx" to
> remember that it was a tx case for the error handling in
> at86rf230_async_error_recover_complete().

It wasn't easy to catch...

I've added a was_tx boolean which is set at the same time is_tx is
reset. Then, in the complete handler, if was_tx was set we reset it and
run the kfree/wake calls. I believe this should sort it out.

Thanks,
Miquèl
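As an added illustration, not code from this thread or from the driver, the following user-space model replays the two orderings discussed above: the posted hunk's unconditional free after ieee802154_wake_queue(), and the was_tx-guarded free-then-wake that Alexander and Miquel settle on. Names such as struct lp, recover(), complete_posted(), complete_fixed() and the pending flag are this model's own, and leaving tx_skb dangling after a normal completion is a modelling assumption, not a statement about the driver.

```c
/* Constructed user-space model of the recovery ordering debated in this thread;
 * not the driver's code. Allocations are counted so leaks show up as numbers. */
#include <stdbool.h>
#include <stdlib.h>

struct skb { bool freed; };
struct result { int leaked, double_frees; };
static struct result acct;
static struct skb *skb_alloc(void) { acct.leaked++; return calloc(1, sizeof(struct skb)); }
static void skb_free(struct skb *s)
{
	if (!s) return;                                 /* dev_kfree_skb_any(NULL) is a no-op */
	if (s->freed) { acct.double_frees++; return; }  /* record instead of crashing */
	s->freed = true; acct.leaked--;                 /* object kept so reuse stays visible */
}
struct lp { struct skb *tx_skb; bool is_tx, was_tx, pending; };
static void xmit(struct lp *lp) { lp->tx_skb = skb_alloc(); lp->is_tx = true; }
/* Normal completion: the stack frees the skb. Model assumption: tx_skb is
 * left dangling, which is what an unconditional free on the error path hits. */
static void xmit_complete(struct lp *lp) { skb_free(lp->tx_skb); lp->is_tx = false; }
/* Waking the queue can hand the driver the next frame immediately. */
static void wake_queue(struct lp *lp) { if (lp->pending) { lp->pending = false; xmit(lp); } }
/* Recovery clears is_tx when the chip is switched back to RX, so the
 * completion handler needs was_tx to know whether a frame was in flight. */
static void recover(struct lp *lp) { lp->was_tx = lp->is_tx; lp->is_tx = false; }
/* Ordering of the posted hunk: wake the queue, then free unconditionally. */
static void complete_posted(struct lp *lp) { wake_queue(lp); skb_free(lp->tx_skb); }
/* Ordering argued for in the thread: only for a TX error, free, then wake. */
static void complete_fixed(struct lp *lp)
{
	if (!lp->was_tx) return;
	lp->was_tx = false;
	skb_free(lp->tx_skb); lp->tx_skb = NULL;
	wake_queue(lp);
}

/* One scenario: error during TX (another frame waiting) or during RX (last TX
 * already completed); afterwards any frame still in flight is completed. */
static struct result run(void (*complete)(struct lp *), bool error_during_tx)
{
	struct lp lp = { 0 };
	acct = (struct result){ 0, 0 };
	xmit(&lp);
	if (error_during_tx) lp.pending = true; else xmit_complete(&lp);
	recover(&lp);
	complete(&lp);
	if (lp.is_tx) xmit_complete(&lp);
	return acct;                    /* both counters 0 means the path is clean */
}
```

With the posted ordering a TX error leaks the original skb and frees the freshly queued one, and an RX error frees a stale pointer; the guarded free-then-wake variant leaves both counters at zero.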

Patch

diff --git a/drivers/net/ieee802154/at86rf230.c b/drivers/net/ieee802154/at86rf230.c
index 7d67f41387f5..0746150f78cf 100644
--- a/drivers/net/ieee802154/at86rf230.c
+++ b/drivers/net/ieee802154/at86rf230.c
@@ -344,6 +344,7 @@  at86rf230_async_error_recover_complete(void *context)
 		kfree(ctx);
 
 	ieee802154_wake_queue(lp->hw);
+	dev_kfree_skb_any(lp->tx_skb);
 }
 
 static void
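Review bot: the added `dev_kfree_skb_any(lp->tx_skb);` in at86rf230_async_error_recover_complete() is unconditional and sits after `ieee802154_wake_queue(lp->hw);`, so it frees tx_skb on every recovery completion, including ones where no transmission was in flight, and once the queue is awake the stack may already have handed the driver a new tx_skb before the old one is released. Guard the free on the transmit state that was current when the error was raised (the thread settles on a was_tx flag, since is_tx is cleared when the chip is switched back to RX), and do the free before the wake: `dev_kfree_skb_any(lp->tx_skb);` followed by `ieee802154_wake_queue(lp->hw);` inside that conditional.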