From d85882273367e98aecb9ff11a9d76515a6d37131 Mon Sep 17 00:00:00 2001 From: Herton Ronaldo Krzesinski Date: Sun, 14 Dec 2008 12:18:09 -0600 Subject: rtl8187: Fix crash on unload when using SLUB debug Reported-by: Hin-Tak Leung After the code was modified to use urb anchors ("rtl8187: Use usb anchor facilities to manage urbs"), rtl8187 began generating an intermittent GPF on shutdown when using SLUB with debugging enabled. Furthermore, rebooting the system with a ping running caused a GPF every time. There are two problems: (1) incorrect locking in the rtl8187_rx_cb() routine, a pre-existing bug that apparently had not been triggered before, and (2) duplicate freeing of receive skbs that was probably introduced with the change to anchors. Signed-off-by: Herton Ronaldo Krzesinski Signed-off-by: Larry Finger Tested-by: Hin-Tak Leung Signed-off-by: John W. Linville --- drivers/net/wireless/rtl818x/rtl8187_dev.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187_dev.c b/drivers/net/wireless/rtl818x/rtl8187_dev.c index 3900c479b4e..00ce3ef39ab 100644 --- a/drivers/net/wireless/rtl818x/rtl8187_dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187_dev.c @@ -294,15 +294,16 @@ static void rtl8187_rx_cb(struct urb *urb) int rate, signal; u32 flags; u32 quality; + unsigned long f; - spin_lock(&priv->rx_queue.lock); + spin_lock_irqsave(&priv->rx_queue.lock, f); if (skb->next) __skb_unlink(skb, &priv->rx_queue); else { - spin_unlock(&priv->rx_queue.lock); + spin_unlock_irqrestore(&priv->rx_queue.lock, f); return; } - spin_unlock(&priv->rx_queue.lock); + spin_unlock_irqrestore(&priv->rx_queue.lock, f); skb_put(skb, urb->actual_length); if (unlikely(urb->status)) { @@ -942,7 +943,6 @@ static int rtl8187_start(struct ieee80211_hw *dev) static void rtl8187_stop(struct ieee80211_hw *dev) { struct rtl8187_priv *priv = dev->priv; - struct rtl8187_rx_info *info; struct sk_buff *skb; u32 reg; @@ -961,10 +961,6 @@ static void rtl8187_stop(struct ieee80211_hw *dev) rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF); rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL); - while ((skb = skb_dequeue(&priv->rx_queue))) { - info = (struct rtl8187_rx_info *)skb->cb; - kfree_skb(skb); - } while ((skb = skb_dequeue(&priv->b_tx_status.queue))) dev_kfree_skb_any(skb); -- cgit v1.2.3