rtl8187: Fix crash on unload when using SLUB debug

Reported-by: Hin-Tak Leung <htl10@users.sourceforge.net> After the code was modified to use urb anchors ("rtl8187: Use usb anchor facilities to manage urbs"), rtl8187 began generating an intermittent GPF on shutdown when using SLUB with debugging enabled. Furthermore, rebooting the system with a ping running caused a GPF every time. There are two problems: (1) incorrect locking in the rtl8187_rx_cb() routine, a pre-existing bug that apparently had not been triggered before, and (2) duplicate freeing of receive skbs that was probably introduced with the change to anchors. Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Tested-by: Hin-Tak Leung <htl10@users.sourceforge.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>

rtl8187: Fix crash on unload when using SLUB debug
Reported-by: Hin-Tak Leung <htl10@users.sourceforge.net> After the code was modified to use urb anchors ("rtl8187: Use usb anchor facilities to manage urbs"), rtl8187 began generating an intermittent GPF on shutdown when using SLUB with debugging enabled. Furthermore, rebooting the system with a ping running caused a GPF every time. There are two problems: (1) incorrect locking in the rtl8187_rx_cb() routine, a pre-existing bug that apparently had not been triggered before, and (2) duplicate freeing of receive skbs that was probably introduced with the change to anchors. Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Tested-by: Hin-Tak Leung <htl10@users.sourceforge.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
d8588227 · Herton Ronaldo Krzesinski · John W. Linville · 0a5ec96a · d8588227
Commit d8588227 authored Dec 14, 2008 by Herton Ronaldo Krzesinski Committed by John W. Linville Dec 19, 2008
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 8 deletions

drivers/net/wireless/rtl818x/rtl8187_dev.c drivers/net/wireless/rtl818x/rtl8187_dev.c +4 -8

No files found.
--- a/drivers/net/wireless/rtl818x/rtl8187_dev.c
+++ b/drivers/net/wireless/rtl818x/rtl8187_dev.c
@@ -294,15 +294,16 @@ static void rtl8187_rx_cb(struct urb *urb)
 	int rate, signal;
 	u32 flags;
 	u32 quality;
+	unsigned long f;
-	spin_lock(&priv->rx_queue.lock);
+	spin_lock_irqsave(&priv->rx_queue.lock, f);
 	if (skb->next)
 		__skb_unlink(skb, &priv->rx_queue);
 	else {
-		spin_unlock(&priv->rx_queue.lock);
+		spin_unlock_irqrestore(&priv->rx_queue.lock, f);
 		return;
 	}
-	spin_unlock(&priv->rx_queue.lock);
+	spin_unlock_irqrestore(&priv->rx_queue.lock, f);
 	skb_put(skb, urb->actual_length);
 	if (unlikely(urb->status)) {
@@ -942,7 +943,6 @@ static int rtl8187_start(struct ieee80211_hw *dev)
 static void rtl8187_stop(struct ieee80211_hw *dev)
 {
 	struct rtl8187_priv *priv = dev->priv;
-	struct rtl8187_rx_info *info;
 	struct sk_buff *skb;
 	u32 reg;
@@ -961,10 +961,6 @@ static void rtl8187_stop(struct ieee80211_hw *dev)
 	rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF);
 	rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL);
-	while ((skb = skb_dequeue(&priv->rx_queue))) {
-		info = (struct rtl8187_rx_info *)skb->cb;
-		kfree_skb(skb);
-	}
 	while ((skb = skb_dequeue(&priv->b_tx_status.queue)))
 		dev_kfree_skb_any(skb);