[PATCH 4.19 125/361] wil6210: fix RX buffers release and unmap

Sun, 11 Nov 2018 16:09:41 -0800 

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maya Erez <[email protected]>

[ Upstream commit 84f16fbb62384fb209cd35741d94eb00b5ca2746 ]

RX SKBs are released in both wil6210 rmmod and RX handle.
As there is no lock to protect the buffers DMA unmap,
the SKB pointer in buff_arr is used to check if the buffer
memory was already released.
Setting wil->rx_buff_mgmt.buff_arr[buff_id].skb to NULL before the DMA
memory unmap will prevent duplicate unmapping of the same memory.
Move the buffer ID to the free list also in case the SKB is NULL.

Signed-off-by: Maya Erez <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 drivers/net/wireless/ath/wil6210/txrx_edma.c |   15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

--- a/drivers/net/wireless/ath/wil6210/txrx_edma.c
+++ b/drivers/net/wireless/ath/wil6210/txrx_edma.c
@@ -279,9 +279,6 @@ static void wil_move_all_rx_buff_to_free
                u16 buff_id;
 
                *d = *_d;
-               pa = wil_rx_desc_get_addr_edma(&d->dma);
-               dmalen = le16_to_cpu(d->dma.length);
-               dma_unmap_single(dev, pa, dmalen, DMA_FROM_DEVICE);
 
                /* Extract the SKB from the rx_buff management array */
                buff_id = __le16_to_cpu(d->mac.buff_id);
@@ -291,10 +288,15 @@ static void wil_move_all_rx_buff_to_free
                }
                skb = wil->rx_buff_mgmt.buff_arr[buff_id].skb;
                wil->rx_buff_mgmt.buff_arr[buff_id].skb = NULL;
-               if (unlikely(!skb))
+               if (unlikely(!skb)) {
                        wil_err(wil, "No Rx skb at buff_id %d\n", buff_id);
-               else
+               } else {
+                       pa = wil_rx_desc_get_addr_edma(&d->dma);
+                       dmalen = le16_to_cpu(d->dma.length);
+                       dma_unmap_single(dev, pa, dmalen, DMA_FROM_DEVICE);
+
                        kfree_skb(skb);
+               }
 
                /* Move the buffer from the active to the free list */
                list_move(&wil->rx_buff_mgmt.buff_arr[buff_id].list,
@@ -906,6 +908,9 @@ again:
        wil->rx_buff_mgmt.buff_arr[buff_id].skb = NULL;
        if (!skb) {
                wil_err(wil, "No Rx skb at buff_id %d\n", buff_id);
+               /* Move the buffer from the active list to the free list */
+               list_move(&wil->rx_buff_mgmt.buff_arr[buff_id].list,
+                         &wil->rx_buff_mgmt.free);
                goto again;
        }

Reply via email to