From patchwork Wed Dec 16 15:51:45 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Maya Erez X-Patchwork-Id: 7863601 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id E2F16BEEE1 for ; Wed, 16 Dec 2015 15:51:57 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 2C80F20382 for ; Wed, 16 Dec 2015 15:51:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4FE1E202FF for ; Wed, 16 Dec 2015 15:51:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934225AbbLPPvy (ORCPT ); Wed, 16 Dec 2015 10:51:54 -0500 Received: from sabertooth02.qualcomm.com ([65.197.215.38]:5928 "EHLO sabertooth02.qualcomm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932613AbbLPPvx (ORCPT ); Wed, 16 Dec 2015 10:51:53 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qca.qualcomm.com; i=@qca.qualcomm.com; q=dns/txt; s=qcdkim; t=1450281113; x=1481817113; h=cc:from:to:subject:date:message-id:in-reply-to: references; bh=5Ue0xt7bWckV206RWtggC6TVBXiq7bqke7OoSwXLWyw=; b=HFz1Yo8tl6ZGXxRXDKPhAz8ACC2N/IgitvLU8D/doCaHsXvwCJS4nPo3 me+wRpCCsrRJfUMotfgOPpktKPyUTOo/3PkVVl+A0DlN1q+lh209QmURL 5i2dnU45DKxPLR/fq36XY4oby9MFh8zFdcGCz01TbuTJUoxqZiGyox2EB c=; X-IronPort-AV: E=Sophos;i="5.20,437,1444719600"; d="scan'208";a="104381597" Received: from ironmsg03-l-new.qualcomm.com (HELO Ironmsg03-L.qualcomm.com) ([10.53.140.110]) by sabertooth02.qualcomm.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 16 Dec 2015 07:51:53 -0800 Cc: Hamad Kadmany , linux-wireless@vger.kernel.org, wil6210@qca.qualcomm.com, Maya Erez , Vladimir Kondratiev X-IronPort-AV: E=McAfee;i="5700,7163,8016"; a="1055865890" Received: from lx-merez.mea.qualcomm.com ([10.18.177.171]) by Ironmsg03-L.qualcomm.com with ESMTP; 16 Dec 2015 07:51:51 -0800 From: Maya Erez To: Kalle Valo Subject: [PATCH v1 1/2] wil6210: fix kernel OOPS when stopping interface during Rx traffic Date: Wed, 16 Dec 2015 17:51:45 +0200 Message-Id: <1450281106-29416-2-git-send-email-qca_merez@qca.qualcomm.com> X-Mailer: git-send-email 1.8.5.2 In-Reply-To: <1450281106-29416-1-git-send-email-qca_merez@qca.qualcomm.com> References: <1450281106-29416-1-git-send-email-qca_merez@qca.qualcomm.com> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Hamad Kadmany When network interface is stopping, some resources may be already released by the network stack, and Rx frames cause kernel OOPS (observed one is in netfilter code) Proper solution is to drop packets pending in reorder buffer. Signed-off-by: Hamad Kadmany Signed-off-by: Vladimir Kondratiev Signed-off-by: Maya Erez --- drivers/net/wireless/ath/wil6210/rx_reorder.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wil6210/rx_reorder.c b/drivers/net/wireless/ath/wil6210/rx_reorder.c index e3d1be8..32031e7 100644 --- a/drivers/net/wireless/ath/wil6210/rx_reorder.c +++ b/drivers/net/wireless/ath/wil6210/rx_reorder.c @@ -261,9 +261,19 @@ struct wil_tid_ampdu_rx *wil_tid_ampdu_rx_alloc(struct wil6210_priv *wil, void wil_tid_ampdu_rx_free(struct wil6210_priv *wil, struct wil_tid_ampdu_rx *r) { + int i; + if (!r) return; - wil_release_reorder_frames(wil, r, r->head_seq_num + r->buf_size); + + /* Do not pass remaining frames to the network stack - it may be + * not expecting to get any more Rx. Rx from here may lead to + * kernel OOPS since some per-socket accounting info was already + * released. + */ + for (i = 0; i < r->buf_size; i++) + kfree_skb(r->reorder_buf[i]); + kfree(r->reorder_buf); kfree(r->reorder_time); kfree(r);