From: Ganapathi Bhat gbhat@marvell.com
[ Upstream commit 33a164fa8a4c91408e0b7738f754cb1a7827c5f2 ]
USB suspend handler will kill the presubmitted rx_cmd URB. This triggers a call to the corresponding URB complete handler, which will free the rx_cmd skb, associated with rx_cmd URB. Due to a possible race betwen suspend handler and main thread, depicted in 'commit bfcacac6c84b ("mwifiex: do no submit URB in suspended state")', it is possible that the rx_cmd skb will fail to get freed. This causes a memory leak, since the resume handler will always allocate a new rx_cmd skb.
To fix this, free the rx_cmd skb in mwifiex_usb_submit_rx_urb, if the device is in suspended state.
Signed-off-by: Vidya Dharmaraju vidyad@marvell.com Signed-off-by: Cathy Luo cluo@marvell.com Signed-off-by: Ganapathi Bhat gbhat@marvell.com Signed-off-by: Kalle Valo kvalo@codeaurora.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/marvell/mwifiex/usb.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/usb.c b/drivers/net/wireless/marvell/mwifiex/usb.c index 76d80fd545236..d445acc4786b7 100644 --- a/drivers/net/wireless/marvell/mwifiex/usb.c +++ b/drivers/net/wireless/marvell/mwifiex/usb.c @@ -299,6 +299,12 @@ static int mwifiex_usb_submit_rx_urb(struct urb_context *ctx, int size) struct usb_card_rec *card = (struct usb_card_rec *)adapter->card;
if (test_bit(MWIFIEX_IS_SUSPENDED, &adapter->work_flags)) { + if (card->rx_cmd_ep == ctx->ep) { + mwifiex_dbg(adapter, INFO, "%s: free rx_cmd skb\n", + __func__); + dev_kfree_skb_any(ctx->skb); + ctx->skb = NULL; + } mwifiex_dbg(adapter, ERROR, "%s: card removed/suspended, EP %d rx_cmd URB submit skipped\n", __func__, ctx->ep);