From patchwork Fri May  5 12:08:16 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Xinming Hu <huxinming820@gmail.com>
X-Patchwork-Id: 9713437
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	B018A60235 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri,  5 May 2017 12:08:34 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9F2C228627
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri,  5 May 2017 12:08:34 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 937D82869A; Fri,  5 May 2017 12:08:34 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3451A28627
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri,  5 May 2017 12:08:34 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752482AbdEEMIc (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Fri, 5 May 2017 08:08:32 -0400
Received: from mail-pf0-f193.google.com ([209.85.192.193]:34486 "EHLO
	mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751383AbdEEMIb (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Fri, 5 May 2017 08:08:31 -0400
Received: by mail-pf0-f193.google.com with SMTP id d1so554792pfe.1
	for <linux-wireless@vger.kernel.org>;
	Fri, 05 May 2017 05:08:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=0m7PBZOyfiANj7fIHeMFJ5SybB4XnrAtBFHizc/mkm0=;
	b=f2D4B0jbNmq28lEa/50qiXjVGj8MwK8CxL41EQm7xU4V/fpjx6V82RuwkNnl/eDYkS
	5cgDFBkAb6qAClAs4ZgHVExKCDaEZizXYR6fRw1I/VBQ+61HRj+6rReHqVB5gJDfuvW6
	3m6Fpet/jeszeJ/wixgpOPj4lodxKqSRaT45Yl4JVehbYRVTdUWZqcjdtAUii/M55hAL
	lNlQKFMwWlLHnTluZ5922QDeNNDoxbGsJshmF/tjlPfv59QyGOvCPqFqTakRZWuQpJBi
	mohECswR7v2yOGvz7SJ9bo+DMWGn0DPNdPI1/9cCJOpSZNlyNa0CTzUM3c58xBSpTgKq
	kSvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=0m7PBZOyfiANj7fIHeMFJ5SybB4XnrAtBFHizc/mkm0=;
	b=IdSxsihR8cgdZ4MMnF+xBcEKLYSQykxJwexAFxY84WtV+fEkIju2YDlEnO3MBlrtZb
	s/4xWWmKbFICfnBr2KDKNVGGpItxlVYv8e7Hl76aRMdZpET4Oa4bLAgIQAxPJ2USI5oX
	2J7Gs0W26t5XvMiS0PVtxgei6gIJrXNdhlub9378kc6wVNhKtl6+xuF6ljJ28PBkLAYV
	rpZeYctbUqqAJjpHbUq3545A7UC16aiwrF2jwEr4GxeEoepo7mqIHWNm7ciEHbqVbZ36
	5e7OONdHW6RlWys3pqVDgFvBL2W/8ibXw3dgyaSOfzb2rTCxqkEKwISZJT5tXhbjJVER
	/n0g==
X-Gm-Message-State: AN3rC/4pe1p6qJ3R9tZiJC8eRwKkjL39G7jB6P8ZU3Vd3hq8FLh/Axah
	grj5haREao6adA==
X-Received: by 10.98.68.8 with SMTP id r8mr16913412pfa.168.1493986110618;
	Fri, 05 May 2017 05:08:30 -0700 (PDT)
Received: from ubuntu.members.linode.com ([2400:8902::f03c:91ff:fee7:7cf1])
	by smtp.gmail.com with ESMTPSA id
	i15sm13743913pfj.51.2017.05.05.05.08.28
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 05 May 2017 05:08:30 -0700 (PDT)
From: Xinming Hu <huxinming820@gmail.com>
To: Linux Wireless <linux-wireless@vger.kernel.org>
Cc: Kalle Valo <kvalo@qca.qualcomm.com>,
	Brian Norris <briannorris@google.com>,
	Dmitry Torokhov <dtor@google.com>, rajatja@google.com,
	Zhiyuan Yang <yangzy@marvell.com>,
	Cathy Luo <cluo@marvell.com>, Xinming Hu <huxm@marvell.com>
Subject: [PATCH v2 2/6] mwifiex: usb: kill urb before free its memory
Date: Fri,  5 May 2017 12:08:16 +0000
Message-Id: <1493986100-24509-2-git-send-email-huxinming820@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1493986100-24509-1-git-send-email-huxinming820@gmail.com>
References: <1493986100-24509-1-git-send-email-huxinming820@gmail.com>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Xinming Hu <huxm@marvell.com>

we have observed host system hang when device firmware crash,
stack trace show it was an use-after-free case: previous submitted
urb will be holding in usbcore, and given back to device driver
when device disconnected, while the urb have been freed in usb
device disconnect handler. This patch kill the holding urb before
free its memory.

Signed-off-by: Xinming Hu <huxm@marvell.com>
---
v2: replace unnecessary sanity check with right handle of
    pending urb (Arend)
---
 drivers/net/wireless/marvell/mwifiex/usb.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c
index 2f7705c..5a760ec 100644
--- a/drivers/net/wireless/marvell/mwifiex/usb.c
+++ b/drivers/net/wireless/marvell/mwifiex/usb.c
@@ -363,6 +363,7 @@ static void mwifiex_usb_free(struct usb_card_rec *card)
 	for (i = 0; i < MWIFIEX_TX_DATA_PORT; i++) {
 		port = &card->port[i];
 		for (j = 0; j < MWIFIEX_TX_DATA_URB; j++) {
+			usb_kill_urb(port->tx_data_list[j].urb);
 			usb_free_urb(port->tx_data_list[j].urb);
 			port->tx_data_list[j].urb = NULL;
 		}