• Vasanthakumar Thiagarajan's avatar
    ath9k: Fix leak in tx descriptor · cbfe89c6
    Vasanthakumar Thiagarajan authored
    When we reclaim the tx desc, we always assume that the
    last desc is a holding desc, which is not true, and skip it.
    If the tx queue is drained during channel change, internal
    reset and etc, the last descriptor may not be the holding
    descriptor and we fail to reclaim them. This results in the
    following two issues.
    
    1. Tx stuck - We drop all the frames coming from upper layer
    due to shortage in tx desc.
    
    2. Crash - If we fail to reclaim a tx descriptor, we miss to
    update the tx BA window with the seq number of the frame
    associated to that desc, which, at some point, result in
    the following crash due to an assert failure in ath_tx_addto_baw().
    
    This patch fixes these two issues.
    
     kernel BUG at ../drivers/net/wireless/ath/ath9k/xmit.c:180!
    [155064.304164] invalid opcode: 0000 [#1] SMP
     Call Trace:
      [<fbc6d83b>] ? ath9k_tx+0xeb/0x160 [ath9k]
      [<fbbc9591>]  ipv6? __ieee80211_tx+0x41/0x120 [mac80211]
      [<fbbcb5ae>] ?  aes_i586ieee80211_master_start_xmit+0x28e/0x560 [mac80211]
      [<c037e501>]  aes_generic? _spin_lock_irqsave+0x31/0x40
      [<c02f347b>] ? dev_hard_start_xmit+0x16b/0x1c0
      [<c03058b5>] ? __qdisc_run+0x1b5/0x200
      [<fbbcda5a>] ?  af_packetieee80211_select_queue+0xa/0x100 [mac80211]
      [<c02f53b7>] ?  i915dev_queue_xmit+0x2e7/0x3f0
      [<fbbc9b49>] ? ieee80211_subif_start_xmit+0x369/0x7a0 [mac80211]
      [<c031bc35>] ? ip_output+0x55/0xb0
      [<c02e0188>] ? show_memcpy_count+0x18/0x60
      [<c02eb186>] ? __kfree_skb+0x36/0x90
      [<c02f2202>] ?  binfmt_miscdev_queue_xmit_nit+0xd2/0x110
      [<c02f347b>] ? dev_hard_start_xmit+0x16b/0x1c0
      [<c03058b5>] ? __qdisc_run+0x1b5/0x200
      [<c033bca7>] ?  scoarp_create+0x57/0x2a0
      [<c02f53b7>] ?  bridgedev_queue_xmit+0x2e7/0x3f0
      [<c03034a0>] ? eth_header+0x0/0xc0
      [<c033b95f>]  stp? arp_xmit+0x5f/0x70
      [<c033bf4f>] ? arp_send+0x5f/0x70
      [<c033c8f5>]  bnep? arp_solicit+0x105/0x210
      [<c02fa5aa>] ? neigh_timer_handler+0x19a/0x390
      [<c013bf88>] ? run_timer_softirq+0x138/0x210
      [<c02fa410>] ?  ppdevneigh_timer_handler+0x0/0x390
      [<c02fa410>] ? neigh_timer_handler+0x0/0x390
    Signed-off-by: default avatarVasanthakumar Thiagarajan <vasanth@atheros.com>
    Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
    cbfe89c6
xmit.c 55.4 KB