From 9cf04dcc9c5ef884e952b2f461f39f682ef5c051 Mon Sep 17 00:00:00 2001 From: Mohammed Shafi Shajakhan Date: Fri, 4 Feb 2011 18:38:23 +0530 Subject: [PATCH] ath9k: Fix possible double free of PAPRD skb's This patch reverts the following commit ath9k: remove bfs_paprd_timestamp from struct ath_buf_state Under high interference/noisy environment conditions where PAPRD frames fails heavily introduces a possibility of double freeing skb's and causes kernel panic after some time.This patch reverts back to the original approach of using paprd_timestamp before freeing the PAPRD frame skb's [ 194.193705] Pid: 0, comm: swapper Tainted: G D WC 2.6.35-22-generic #33-Ubuntu [ 194.193712] Call Trace: [ 194.193722] [] ? printk+0x2d/0x35 [ 194.193732] [] panic+0x5a/0xd2 [ 194.193741] [] oops_end+0xcd/0xd0 [ 194.193750] [] die+0x54/0x80 [ 194.193758] [] do_trap+0x96/0xc0 [ 194.193837] [] ? do_invalid_op+0x0/0xa0 [ 194.193846] [] do_invalid_op+0x8b/0xa0 [ 194.193856] [] ? kfree+0xec/0xf0 [ 194.193866] [] ? default_spin_lock_flags+0x8/0x10 [ 194.193877] [] ? free_one_page+0x12a/0x2d0 [ 194.193888] [] ? __free_pages+0x1c/0x40 [ 194.193897] [] error_code+0x73/0x78 [ 194.193906] [] ? kfree+0xec/0xf0 [ 194.193915] [] ? skb_release_data+0x70/0xa0 [ 194.193924] [] skb_release_data+0x70/0xa0 [ 194.193933] [] __kfree_skb+0x17/0x90 [ 194.193941] [] consume_skb+0x21/0x40 [ 194.193964] [] ieee80211_tx_status+0x760/0x860 [mac80211] [ 194.193979] [] ath_tx_complete_buf+0x1bf/0x2c0 [ath9k] [ 194.193988] [] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.193997] [] ? skb_queue_tail+0x3e/0x50 [ 194.194010] [] ath_tx_complete_aggr+0x823/0x940 [ath9k] [ 194.194021] [] ? sched_clock+0x8/0x10 [ 194.194030] [] ? sched_clock_local+0xa4/0x180 [ 194.194040] [] ? enqueue_sleeper+0x1e7/0x2b0 [ 194.194051] [] ? enqueue_entity+0x174/0x200 [ 194.194064] [] ath_tx_edma_tasklet+0x2bd/0x3b0 [ath9k] [ 194.194074] [] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.194088] [] ath9k_tasklet+0x9f/0x190 [ath9k] [ 194.194097] [] tasklet_action+0xa7/0xb0 [ 194.194107] [] __do_softirq+0x9c/0x1b0 [ 194.194117] [] ? irq_to_desc+0x14/0x20 [ 194.194126] [] ? ack_apic_level+0x64/0x1f0 [ 194.194136] [] do_softirq+0x45/0x50 [ 194.194145] [] irq_exit+0x65/0x70 [ 194.194153] [] do_IRQ+0x55/0xc0 [ 194.194162] [] ? hrtimer_start+0x27/0x30 [ 194.194171] [] common_interrupt+0x30/0x38 [ 194.194181] [] ? native_safe_halt+0xa/0x10 [ 194.194268] [] default_idle+0x49/0xb0 [ 194.194277] [] cpu_idle+0x8c/0xd0 [ 194.194286] [] rest_init+0x71/0x80 [ 194.194295] [] start_kernel+0x36e/0x374 [ 194.194305] [] ? pass_all_bootoptions+0x0/0xa [ 194.194314] [] i386_start_kernel+0xd7/0xdf [ 194.194364] panic occurred, switching back to text console Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/ath9k.h | 2 +- drivers/net/wireless/ath/ath9k/main.c | 2 -- drivers/net/wireless/ath/ath9k/xmit.c | 7 ++++++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h index 3681caf54282..23838e37d45f 100644 --- a/drivers/net/wireless/ath/ath9k/ath9k.h +++ b/drivers/net/wireless/ath/ath9k/ath9k.h @@ -218,6 +218,7 @@ struct ath_frame_info { struct ath_buf_state { u8 bf_type; u8 bfs_paprd; + unsigned long bfs_paprd_timestamp; enum ath9k_internal_frame_type bfs_ftype; }; @@ -593,7 +594,6 @@ struct ath_softc { struct work_struct paprd_work; struct work_struct hw_check_work; struct completion paprd_complete; - bool paprd_pending; u32 intrstatus; u32 sc_flags; /* SC_OP_* */ diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c index 9040c2ff1909..da5c64597c1f 100644 --- a/drivers/net/wireless/ath/ath9k/main.c +++ b/drivers/net/wireless/ath/ath9k/main.c @@ -342,7 +342,6 @@ static bool ath_paprd_send_frame(struct ath_softc *sc, struct sk_buff *skb, int tx_info->control.rates[1].idx = -1; init_completion(&sc->paprd_complete); - sc->paprd_pending = true; txctl.paprd = BIT(chain); if (ath_tx_start(hw, skb, &txctl) != 0) { @@ -353,7 +352,6 @@ static bool ath_paprd_send_frame(struct ath_softc *sc, struct sk_buff *skb, int time_left = wait_for_completion_timeout(&sc->paprd_complete, msecs_to_jiffies(ATH_PAPRD_TIMEOUT)); - sc->paprd_pending = false; if (!time_left) ath_dbg(ath9k_hw_common(sc->sc_ah), ATH_DBG_CALIBRATE, diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 33a37edbaf79..07b7804aec5b 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -1725,6 +1725,9 @@ static void ath_tx_start_dma(struct ath_softc *sc, struct ath_buf *bf, ar9003_hw_set_paprd_txdesc(sc->sc_ah, bf->bf_desc, bf->bf_state.bfs_paprd); + if (txctl->paprd) + bf->bf_state.bfs_paprd_timestamp = jiffies; + ath_tx_send_normal(sc, txctl->txq, tid, &bf_head); } @@ -1886,7 +1889,9 @@ static void ath_tx_complete_buf(struct ath_softc *sc, struct ath_buf *bf, bf->bf_buf_addr = 0; if (bf->bf_state.bfs_paprd) { - if (!sc->paprd_pending) + if (time_after(jiffies, + bf->bf_state.bfs_paprd_timestamp + + msecs_to_jiffies(ATH_PAPRD_TIMEOUT))) dev_kfree_skb_any(skb); else complete(&sc->paprd_complete); -- 2.20.1