| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251029190241.1023856-8-pchelkin@ispras.ru>
Date: Wed, 29 Oct 2025 22:02:35 +0300
From: Fedor Pchelkin <pchelkin@...ras.ru>
To: Ping-Ke Shih <pkshih@...ltek.com>,
Bitterblue Smith <rtl8821cerfe2@...il.com>
Cc: Fedor Pchelkin <pchelkin@...ras.ru>,
Zong-Zhe Yang <kevin_yang@...ltek.com>,
Po-Hao Huang <phhuang@...ltek.com>,
linux-wireless@...r.kernel.org,
linux-kernel@...r.kernel.org,
lvc-project@...uxtesting.org
Subject: [PATCH rtw-next v4 07/10] wifi: rtw89: usb: anchor TX URBs
During HCI reset all pending TX URBs should be canceled. Use anchor to
keep track of them and have an ability to cancel them synchronously.
Note however that canceling RX URBs can't be done here in
rtw89_usb_ops_reset() as it breaks driver initialization.
Found by Linux Verification Center (linuxtesting.org).
Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
---
drivers/net/wireless/realtek/rtw89/usb.c | 24 ++++++++++++++++++++----
drivers/net/wireless/realtek/rtw89/usb.h | 1 +
2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/usb.c b/drivers/net/wireless/realtek/rtw89/usb.c
index 93dc4e91c1d4..c359b469aabe 100644
--- a/drivers/net/wireless/realtek/rtw89/usb.c
+++ b/drivers/net/wireless/realtek/rtw89/usb.c
@@ -242,7 +242,6 @@ static void rtw89_usb_write_port_complete(struct urb *urb)
}
kfree(txcb);
- usb_free_urb(urb);
}
static int rtw89_usb_write_port(struct rtw89_dev *rtwdev, u8 ch_dma,
@@ -267,10 +266,17 @@ static int rtw89_usb_write_port(struct rtw89_dev *rtwdev, u8 ch_dma,
usb_fill_bulk_urb(urb, usbd, pipe, data, len,
rtw89_usb_write_port_complete, context);
urb->transfer_flags |= URB_ZERO_PACKET;
- ret = usb_submit_urb(urb, GFP_ATOMIC);
+ usb_anchor_urb(urb, &rtwusb->tx_submitted);
+ ret = usb_submit_urb(urb, GFP_ATOMIC);
if (ret)
- usb_free_urb(urb);
+ usb_unanchor_urb(urb);
+
+ /* release our reference to this URB, USB core will eventually free it
+ * on its own after the completion callback finishes (or URB is
+ * immediately freed here if its submission has failed)
+ */
+ usb_free_urb(urb);
if (ret == -ENODEV)
set_bit(RTW89_FLAG_UNPLUGGED, rtwdev->flags);
@@ -577,6 +583,11 @@ static void rtw89_usb_cancel_rx_bufs(struct rtw89_usb *rtwusb)
}
}
+static void rtw89_usb_cancel_tx_bufs(struct rtw89_usb *rtwusb)
+{
+ usb_kill_anchored_urbs(&rtwusb->tx_submitted);
+}
+
static void rtw89_usb_free_rx_bufs(struct rtw89_usb *rtwusb)
{
struct rtw89_usb_rx_ctrl_block *rxcb;
@@ -678,7 +689,9 @@ static void rtw89_usb_deinit_tx(struct rtw89_dev *rtwdev)
static void rtw89_usb_ops_reset(struct rtw89_dev *rtwdev)
{
- /* TODO: anything to do here? */
+ struct rtw89_usb *rtwusb = rtw89_usb_priv(rtwdev);
+
+ rtw89_usb_cancel_tx_bufs(rtwusb);
}
static int rtw89_usb_ops_start(struct rtw89_dev *rtwdev)
@@ -911,6 +924,8 @@ static int rtw89_usb_intf_init(struct rtw89_dev *rtwdev,
struct rtw89_usb *rtwusb = rtw89_usb_priv(rtwdev);
int ret;
+ init_usb_anchor(&rtwusb->tx_submitted);
+
ret = rtw89_usb_parse(rtwdev, intf);
if (ret)
return ret;
@@ -1036,6 +1051,7 @@ void rtw89_usb_disconnect(struct usb_interface *intf)
rtwusb = rtw89_usb_priv(rtwdev);
rtw89_usb_cancel_rx_bufs(rtwusb);
+ rtw89_usb_cancel_tx_bufs(rtwusb);
rtw89_core_unregister(rtwdev);
rtw89_core_deinit(rtwdev);
diff --git a/drivers/net/wireless/realtek/rtw89/usb.h b/drivers/net/wireless/realtek/rtw89/usb.h
index c1b4bfa20979..320002c1df42 100644
--- a/drivers/net/wireless/realtek/rtw89/usb.h
+++ b/drivers/net/wireless/realtek/rtw89/usb.h
@@ -49,6 +49,7 @@ struct rtw89_usb {
struct sk_buff_head rx_free_queue;
struct work_struct rx_work;
struct work_struct rx_urb_work;
+ struct usb_anchor tx_submitted;
struct sk_buff_head tx_queue[RTW89_TXCH_NUM];
};
--
2.51.0
Powered by blists - more mailing lists