[1/2] wil6210: fix kernel OOPS when stopping interface during Rx traffic

Message ID 1449926565-888-2-git-send-email-qca_merez@qca.qualcomm.com (mailing list archive)
State Changes Requested
Delegated to: Kalle Valo

Commit Message

Maya Erez Dec. 12, 2015, 1:22 p.m. UTC
From: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>

When network interface is stopping, some resources may
be already released by the network stack, and Rx frames
cause kernel OOPS (observed one is in netfilter code)

Proper solution is to drop packets pending in reorder buffer.

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
---
 drivers/net/wireless/ath/wil6210/rx_reorder.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

Comments

Kalle Valo Dec. 16, 2015, 2:39 p.m. UTC | #1
Maya Erez <qca_merez@qca.qualcomm.com> writes:

> From: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
>
> When network interface is stopping, some resources may
> be already released by the network stack, and Rx frames
> cause kernel OOPS (observed one is in netfilter code)
>
> Proper solution is to drop packets pending in reorder buffer.
>
> Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>

This is missing Hamad's Signed-off-by line. It should be the first
before Vladimir's and yours.

Patch

diff --git a/drivers/net/wireless/ath/wil6210/rx_reorder.c b/drivers/net/wireless/ath/wil6210/rx_reorder.c
index e3d1be8..32031e7 100644
--- a/drivers/net/wireless/ath/wil6210/rx_reorder.c
+++ b/drivers/net/wireless/ath/wil6210/rx_reorder.c
@@ -261,9 +261,19 @@  struct wil_tid_ampdu_rx *wil_tid_ampdu_rx_alloc(struct wil6210_priv *wil,
 void wil_tid_ampdu_rx_free(struct wil6210_priv *wil,
 			   struct wil_tid_ampdu_rx *r)
 {
+	int i;
+
 	if (!r)
 		return;
-	wil_release_reorder_frames(wil, r, r->head_seq_num + r->buf_size);
+
+	/* Do not pass remaining frames to the network stack - it may be
+	 * not expecting to get any more Rx. Rx from here may lead to
+	 * kernel OOPS since some per-socket accounting info was already
+	 * released.
+	 */
+	for (i = 0; i < r->buf_size; i++)
+		kfree_skb(r->reorder_buf[i]);
+
 	kfree(r->reorder_buf);
 	kfree(r->reorder_time);
 	kfree(r);
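Review bot: the new loop in wil_tid_ampdu_rx_free() drops every pending frame unconditionally, so the drop applies to every caller of this function, not only to the interface-stop case the commit message describes. If the function is also reached on paths where the stack can still accept Rx (the callers are not visible in this hunk), those frames are now discarded where the removed wil_release_reorder_frames(wil, r, r->head_seq_num + r->buf_size) call would have delivered them. Consider dropping only when the interface is going down, or say in the comment that dropping on all paths is intended. The comment could also state that empty slots in r->reorder_buf[] are NULL and that kfree_skb() accepts NULL, since the loop relies on that, and if r->buf_size is an unsigned type, "int i" should be declared to match it.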