| Message ID | 20230823075021.588596-1-s.hauer@pengutronix.de (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 290564367ab7fa7e2048bdc00d9c0ad016b41eea |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | wifi: rtw88: usb: kill and free rx urbs on probe failure | expand |
Sascha Hauer <s.hauer@pengutronix.de> writes: > After rtw_usb_alloc_rx_bufs() has been called rx urbs have been > allocated and must be freed in the error path. After rtw_usb_init_rx() > has been called they are submitted, so they also must be killed. > > Add these forgotten steps to the probe error path. > > Besides the lost memory this also fixes a problem when the driver > fails to download the firmware in rtw_chip_info_setup(). In this > case it can happen that the completion of the rx urbs handler runs > at a time when we already freed our data structures resulting in > a kernel crash. > > fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") This should be: Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support") I can fix that, no need to resend because of this.
On 8/23/23 02:50, Sascha Hauer wrote: > After rtw_usb_alloc_rx_bufs() has been called rx urbs have been > allocated and must be freed in the error path. After rtw_usb_init_rx() > has been called they are submitted, so they also must be killed. > > Add these forgotten steps to the probe error path. > > Besides the lost memory this also fixes a problem when the driver > fails to download the firmware in rtw_chip_info_setup(). In this > case it can happen that the completion of the rx urbs handler runs > at a time when we already freed our data structures resulting in > a kernel crash. > > fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") > Cc: stable@vger.kernel.org > Reported-by: Ilgaz Öcal <ilgaz@ilgaz.gen.tr> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > --- > drivers/net/wireless/realtek/rtw88/usb.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c > index 4a57efdba97bb..875a61c9c80d4 100644 > --- a/drivers/net/wireless/realtek/rtw88/usb.c > +++ b/drivers/net/wireless/realtek/rtw88/usb.c > @@ -844,7 +844,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) > > ret = rtw_core_init(rtwdev); > if (ret) > - goto err_release_hw; > + goto err_free_rx_bufs; > > ret = rtw_usb_intf_init(rtwdev, intf); > if (ret) { > @@ -890,6 +890,9 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) > err_deinit_core: > rtw_core_deinit(rtwdev); > > +err_free_rx_bufs: > + rtw_usb_free_rx_bufs(rtwusb); > + > err_release_hw: > ieee80211_free_hw(hw); > Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Thanks Sasha, Larry
> -----Original Message----- > From: Sascha Hauer <s.hauer@pengutronix.de> > Sent: Wednesday, August 23, 2023 3:50 PM > To: linux-wireless@vger.kernel.org > Cc: linux-kernel@vger.kernel.org; Ping-Ke Shih <pkshih@realtek.com>; Kalle Valo <kvalo@kernel.org>; Ilgaz > Öcal <ilgaz@ilgaz.gen.tr>; kernel@pengutronix.de > Subject: [PATCH] wifi: rtw88: usb: kill and free rx urbs on probe failure > > After rtw_usb_alloc_rx_bufs() has been called rx urbs have been > allocated and must be freed in the error path. After rtw_usb_init_rx() > has been called they are submitted, so they also must be killed. > > Add these forgotten steps to the probe error path. > > Besides the lost memory this also fixes a problem when the driver > fails to download the firmware in rtw_chip_info_setup(). In this > case it can happen that the completion of the rx urbs handler runs > at a time when we already freed our data structures resulting in > a kernel crash. > > fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") > Cc: stable@vger.kernel.org > Reported-by: Ilgaz Öcal <ilgaz@ilgaz.gen.tr> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Sascha Hauer <s.hauer@pengutronix.de> wrote: > After rtw_usb_alloc_rx_bufs() has been called rx urbs have been > allocated and must be freed in the error path. After rtw_usb_init_rx() > has been called they are submitted, so they also must be killed. > > Add these forgotten steps to the probe error path. > > Besides the lost memory this also fixes a problem when the driver > fails to download the firmware in rtw_chip_info_setup(). In this > case it can happen that the completion of the rx urbs handler runs > at a time when we already freed our data structures resulting in > a kernel crash. > > Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support") > Cc: stable@vger.kernel.org > Reported-by: Ilgaz Öcal <ilgaz@ilgaz.gen.tr> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > Acked-by: Larry Finger <Larry.Finger@lwfinger.net> > Acked-by: Ping-Ke Shih <pkshih@realtek.com> Patch applied to wireless-next.git, thanks. 290564367ab7 wifi: rtw88: usb: kill and free rx urbs on probe failure
diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c index 4a57efdba97bb..875a61c9c80d4 100644 --- a/drivers/net/wireless/realtek/rtw88/usb.c +++ b/drivers/net/wireless/realtek/rtw88/usb.c @@ -844,7 +844,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) ret = rtw_core_init(rtwdev); if (ret) - goto err_release_hw; + goto err_free_rx_bufs; ret = rtw_usb_intf_init(rtwdev, intf); if (ret) { @@ -890,6 +890,9 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id) err_deinit_core: rtw_core_deinit(rtwdev); +err_free_rx_bufs: + rtw_usb_free_rx_bufs(rtwusb); + err_release_hw: ieee80211_free_hw(hw);
After rtw_usb_alloc_rx_bufs() has been called rx urbs have been allocated and must be freed in the error path. After rtw_usb_init_rx() has been called they are submitted, so they also must be killed. Add these forgotten steps to the probe error path. Besides the lost memory this also fixes a problem when the driver fails to download the firmware in rtw_chip_info_setup(). In this case it can happen that the completion of the rx urbs handler runs at a time when we already freed our data structures resulting in a kernel crash. fixes: a82dfd33d1237 ("wifi: rtw88: Add common USB chip support") Cc: stable@vger.kernel.org Reported-by: Ilgaz Öcal <ilgaz@ilgaz.gen.tr> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> --- drivers/net/wireless/realtek/rtw88/usb.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)