Daniil Dulov <d.dulov@xxxxxxxxxx> wrote: > In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing > b_tx_status.queue. This change prevents callbacks from using already freed > skb due to anchor was not killed before freeing such skb. Oh. This is my question in patch 1/2. Seemingly, with this patch, it can safely flush rtl8187_tx_cb() and stop, no? I mean just this one is enough, no need patch 1/2. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. Same question as patch 1/2. Do you have a real hardware and test? > > Fixes: c1db52b9d27e ("rtl8187: Use usb anchor facilities to manage urbs") > Signed-off-by: Daniil Dulov <d.dulov@xxxxxxxxxx> > --- > drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c > b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c > index 8fe6fdc32e56..12e2042ee2d0 100644 > --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c > +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c > @@ -1050,10 +1050,10 @@ static void rtl8187_stop(struct ieee80211_hw *dev, bool suspend) > rtl818x_iowrite8(priv, &priv->map->CONFIG4, reg | RTL818X_CONFIG4_VCOOFF); > rtl818x_iowrite8(priv, &priv->map->EEPROM_CMD, RTL818X_EEPROM_CMD_NORMAL); > > + usb_kill_anchored_urbs(&priv->anchored); nit: an empty line. > while ((skb = skb_dequeue(&priv->b_tx_status.queue))) > dev_kfree_skb_any(skb); > > - usb_kill_anchored_urbs(&priv->anchored); > mutex_unlock(&priv->conf_mutex); > > if (!priv->is_rtl8187b) > -- > 2.34.1 >
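Review bot: the added usb_kill_anchored_urbs(&priv->anchored) call in rtl8187_stop() has no comment saying why it must precede the skb_dequeue() loop on priv->b_tx_status.queue, so a later cleanup could move it back below the loop without anyone noticing. Add a one-line comment stating that the anchored URBs have to be killed before the queue is drained because their completion callbacks can still reference those skbs, and put a blank line between the call and the while loop. The commit message says the issue was found with SVACE but does not name the callback that touches the freed skb or say whether the reordering was exercised on hardware; stating both would make the Fixes: claim easier to verify.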