mirros/rockchip-kernel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CHROMIUM: mwifiex: don't leak DMA command skbuffs

Browse Source 
The current mwifiex pcie driver assumed that it would get
its cmdrsp_complete() callback called before another command
was sent to unmap the command's skbuff. However, that is not
true. The mwifiex_check_ps_cond() will send a sleep command
to the card without having adapter->curr_cmd set. Within the
workqueue's state machine the adapter's state would be set
to allow commands (curr_cmd = NULL && cmd_sent = false) after
having receieved the response from the sleep command. The
card->cmd_buf would then be overridden with the new command
but the first command's skbuff was not unmapped. This leaks
mapped skbuffs when a bounce buffer is employed.

To rectify this unmap the card->cmd_buf when the response is
received from the card instead of waiting for the
cmdrsp_complete() callback.

BUG=chrome-os-partner:24817
BUG=chrome-os-partner:24397
BRANCH=none
TEST=Ran factory test Stress Runin with stack of patches.
     No more failures.

Change-Id: I548814edd0ac79585f07a17fad1ec2c9b9f344a9
Signed-off-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/183254
Reviewed-by: Bing Zhao <bzhao@marvell.com>
Reviewed-by: Paul Stewart <pstew@chromium.org>
This commit is contained in:
Aaron Durbin
2014-01-21 11:18:00 -06:00
committed by Ben Zhang
parent 6cf8b10d1f
commit c14d1ebcb5
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
drivers/net/wireless-3.8/mwifiex/pcie.c
View File

@@ -1497,6 +1497,13 @@ static int mwifiex_pcie_process_cmd_complete(struct mwifiex_adapter *adapter)
mwifiex_unmap_pci_memory(adapter, skb, PCI_DMA_FROMDEVICE);
/* Unmap the command as a response has been received. */
if (card->cmd_buf) {
mwifiex_unmap_pci_memory(adapter, card->cmd_buf,
PCI_DMA_TODEVICE);
card->cmd_buf = NULL;
}
pkt_len = *((__le16 *)skb->data);
rx_len = le16_to_cpu(pkt_len);
skb_trim(skb, rx_len);
@@ -1553,7 +1560,6 @@ static int mwifiex_pcie_cmdrsp_complete(struct mwifiex_adapter *adapter,
struct sk_buff *skb)
{
struct pcie_service_card *card = adapter->card;
struct sk_buff *skb_tmp;
if (skb) {
card->cmdrsp_buf = skb;
@@ -1563,12 +1569,6 @@ static int mwifiex_pcie_cmdrsp_complete(struct mwifiex_adapter *adapter,
return -1;
}
skb_tmp = card->cmd_buf;
if (skb_tmp) {
mwifiex_unmap_pci_memory(adapter, skb_tmp, PCI_DMA_FROMDEVICE);
card->cmd_buf = NULL;
}
return 0;
}