diff mbox series

[v2] wifi: rtw88: delete timer and free skb queue when unloading

Message ID 20230615151911.5793-1-dmantipov@yandex.ru
State Superseded
Headers show
Series [v2] wifi: rtw88: delete timer and free skb queue when unloading | expand

Commit Message

Dmitry Antipov June 15, 2023, 3:19 p.m. UTC
Fix possible crash and memory leak on driver unload by deleting
TX purge timer and freeing C2H queue in 'rtw_core_deinit()'.

Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
v2: fix title and commit message (Kalle Valo)
---
 drivers/net/wireless/realtek/rtw88/main.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Ping-Ke Shih June 16, 2023, 1:11 a.m. UTC | #1
> -----Original Message-----
> From: Dmitry Antipov <dmantipov@yandex.ru>
> Sent: Thursday, June 15, 2023 11:19 PM
> To: Kalle Valo <kvalo@kernel.org>
> Cc: Yan-Hsuan Chuang <tony0620emma@gmail.com>; linux-wireless@vger.kernel.org; Dmitry Antipov
> <dmantipov@yandex.ru>
> Subject: [PATCH] [v2] wifi: rtw88: delete timer and free skb queue when unloading
> 
> Fix possible crash and memory leak on driver unload by deleting
> TX purge timer and freeing C2H queue in 'rtw_core_deinit()'.
> 
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
> v2: fix title and commit message (Kalle Valo)
> ---
>  drivers/net/wireless/realtek/rtw88/main.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
> index 9447a3aae3b5..572fc126b9de 100644
> --- a/drivers/net/wireless/realtek/rtw88/main.c
> +++ b/drivers/net/wireless/realtek/rtw88/main.c
> @@ -2180,9 +2180,11 @@ void rtw_core_deinit(struct rtw_dev *rtwdev)
>                 release_firmware(wow_fw->firmware);
> 
>         destroy_workqueue(rtwdev->tx_wq);
> +       timer_delete_sync(&rtwdev->tx_report.purge_timer);
>         spin_lock_irqsave(&rtwdev->tx_report.q_lock, flags);
>         skb_queue_purge(&rtwdev->tx_report.queue);
>         skb_queue_purge(&rtwdev->coex.queue);
> +       skb_queue_purge(&rtwdev->c2h_queue);

rtwdev->tx_report.q_lock is used to protect rtwdev->tx_report.queue, so don't
add to purge c2h queue in this critical section. I think coex.queue is
the bad example.

>         spin_unlock_irqrestore(&rtwdev->tx_report.q_lock, flags);
> 
>         list_for_each_entry_safe(rsvd_pkt, tmp, &rtwdev->rsvd_page_list,
> --
> 2.40.1
diff mbox series

Patch

diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 9447a3aae3b5..572fc126b9de 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -2180,9 +2180,11 @@  void rtw_core_deinit(struct rtw_dev *rtwdev)
 		release_firmware(wow_fw->firmware);
 
 	destroy_workqueue(rtwdev->tx_wq);
+	timer_delete_sync(&rtwdev->tx_report.purge_timer);
 	spin_lock_irqsave(&rtwdev->tx_report.q_lock, flags);
 	skb_queue_purge(&rtwdev->tx_report.queue);
 	skb_queue_purge(&rtwdev->coex.queue);
+	skb_queue_purge(&rtwdev->c2h_queue);
 	spin_unlock_irqrestore(&rtwdev->tx_report.q_lock, flags);
 
 	list_for_each_entry_safe(rsvd_pkt, tmp, &rtwdev->rsvd_page_list,