Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1892540ybl;
        Thu, 9 Jan 2020 03:29:01 -0800 (PST)
X-Google-Smtp-Source: APXvYqysb/uT6NM3k+mLK9hp7cGQrEHVgB3p9Lfs8z+Y6trJVofaNpnXVolhXVkySfsGlxanVB2f
X-Received: by 2002:a05:6830:2102:: with SMTP id i2mr7921820otc.123.1578569341801;
        Thu, 09 Jan 2020 03:29:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578569341; cv=none;
        d=google.com; s=arc-20160816;
        b=mj9C9uGOrxPma12uubIyC4ds4AvqVzMN6Uv0U+ESUesoaUDFHZLZHdCHZRmx5BxObY
         OqwxQyxxBSHLWdncF5HGl306I7Mwh1e5SEsrwsLIL5VEAC1cNJkrRsbTB8wQVmi8V/SS
         Zhghp7nR2VLUtIhD+edTcJ2+lm2FAS2rLJ2b9b9x1d+uE05erJkzjwX/oyk5FfRTwwFv
         xgy5svyIad0+7PEdQP4gtPjDPziklCYx4E+6wNkTBoBUMrTVsjNiwDcMeRnWVo93hOhm
         8stn1flRuFr3thGiT42XsEuvj5QGOJiqlzuUK6F1kZb/pv4O+dSKV+u4cMk9RM+v6/ym
         YMMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=UQJKMw2DKrzoM93kVfwLvG1Z80enNY4bvse02ifcw+s=;
        b=IaxJESBPIiB6Mbtotb0Wlwd6pTv0JUGn9aM/9XgFE7/33gt9iBeyjoOH72miOK0UT4
         ecPkr9jPAQ6DpMwFh8YYr/51rO5VYDEdhu1qQj/+Sz79d+PykKaZa7DaUtIAp2fVdjjq
         hFHStMFkQzoi7Wgd7TxRK8gMRJ4fO5vJG3Xwz5GbO5QkdX2FsUkspqsY3oLIJJDfmjrW
         ag4TAVfs+tdhpg/R1N5AoQf3WkkmtH8Azv5yxEDL50OFiLCVMxqTdQbJWhd5oZLcEi++
         wVFHv5V6iu7haCHOwchiXDQn2UrPX/z2SrOWhHJRfxdCcR4u57fTSuA9n6PAocy+/M/c
         ZnnA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@endlessm-com.20150623.gappssmtp.com header.s=20150623 header.b=BiTyM1FD;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j19si3372364oij.51.2020.01.09.03.28.37;
        Thu, 09 Jan 2020 03:29:01 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@endlessm-com.20150623.gappssmtp.com header.s=20150623 header.b=BiTyM1FD;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728649AbgAIK0l (ORCPT <rfc822;sgg.btech@gmail.com> + 99 others);
        Thu, 9 Jan 2020 05:26:41 -0500
Received: from mail-oi1-f194.google.com ([209.85.167.194]:41893 "EHLO
        mail-oi1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728614AbgAIK0l (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Thu, 9 Jan 2020 05:26:41 -0500
Received: by mail-oi1-f194.google.com with SMTP id i1so5395407oie.8
        for <linux-wireless@vger.kernel.org>; Thu, 09 Jan 2020 02:26:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=endlessm-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=UQJKMw2DKrzoM93kVfwLvG1Z80enNY4bvse02ifcw+s=;
        b=BiTyM1FDl619QUQWYpQcAUivNguZDOkZ+h3LezLx7CrRiUjuR7hD0x6TQH+xZ0hkf6
         ++Itr7fcj7Fl1a7UJ3VEG1bO0dpisFVWea7IuP6IgchtxT2CihBw8zAb4weMgEN1fqcG
         RLOIfSxgEoMfpTxkcf+xJ6pJNDLXZI1tfsW2EZZUton6hV+x4vx1axO9I2axspnbepH6
         AeAg+IjFVPs+ROYPqhMaoXxMDJBxW8dkDRxapIWoQZSoACtBXtytSMKoHZzki000Z4DP
         Cw/lly5j/7tRin7LQuqZRZ9eA9+tWg+HBwYnoFWZfC5iYDftmNzdm0R9tU4WqyU21Im6
         KuCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=UQJKMw2DKrzoM93kVfwLvG1Z80enNY4bvse02ifcw+s=;
        b=p3oooPMF4YFSOA3pZCfzfHPWP2fTQ0jB8vfdVjuU1Nlvf6pg6/2fEes7YvKxvRtKh1
         AnKvRjs6GSYyxYGxB3GIl1Ldk5YAj0vS+lZkKJTqDnioGutvBN7PW3q8VgdsBs1ufoo7
         79TbulfZUHif+nOBk9uMiruvHbg1AjlQQFdH+zQ+lIuBJcQfnAxWrmd6AhoMXwEjHSWj
         dzSfYQ/bh6Z6b5tnQD2JGoNR9mNTS5yhGrPvheZhYTSF9qLKXPXK6dH44Lxj2upPv4IM
         CIvUmR3vLaV67Se6TUSS/SmR7crZQr853ehmF49N8RyIq+dIDlRsHB7CAQnnzVuTQm5n
         c54A==
X-Gm-Message-State: APjAAAUvNpAUJlFwZa2YwNfanML0AICEPp9/3w5ps1jQcfdmBABFY0Nd
        yHgWNPRoF/61h9crzfqsu6GAYnrfNxf7YWKnEpi5Dw==
X-Received: by 2002:aca:5e02:: with SMTP id s2mr2474761oib.80.1578565600133;
 Thu, 09 Jan 2020 02:26:40 -0800 (PST)
MIME-Version: 1.0
References: <20200107080807.14433-1-yhchuang@realtek.com> <CAB4CAwfxQJzsJfxScVE+Y_xYbdSigTf567b9Xv-LFyQQnOXEAA@mail.gmail.com>
 <5ffa570167b34b77ab05cdf490812a59@realtek.com>
In-Reply-To: <5ffa570167b34b77ab05cdf490812a59@realtek.com>
From:   Chris Chiu <chiu@endlessm.com>
Date:   Thu, 9 Jan 2020 18:26:29 +0800
Message-ID: <CAB4CAwf0G6HMaZwPGSXm3uxUGxipzKp-OS4bpanF6f6xZw1fjQ@mail.gmail.com>
Subject: Re: [PATCH] rtw88: fix potential NULL skb access in TX ISR
To:     Tony Chuang <yhchuang@realtek.com>
Cc:     Kalle Valo <kvalo@codeaurora.org>,
        linux-wireless <linux-wireless@vger.kernel.org>,
        Brian Norris <briannorris@chromium.org>,
        "mikhail.v.gavrilov@gmail.com" <mikhail.v.gavrilov@gmail.com>,
        "rtereguloff@gmail.com" <rtereguloff@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Tue, Jan 7, 2020 at 7:21 PM Tony Chuang <yhchuang@realtek.com> wrote:
>
> From: Chris Chiu
> > Subject: Re: [PATCH] rtw88: fix potential NULL skb access in TX ISR
> >
> > On Tue, Jan 7, 2020 at 4:08 PM <yhchuang@realtek.com> wrote:
> > >
> > > From: Yan-Hsuan Chuang <yhchuang@realtek.com>
> > >
> > > Sometimes the TX queue may be empty and we could possible
> > > dequeue a NULL pointer, crash the kernel. If the skb is NULL
> > > then there is nothing to do, just leave the ISR.
> > >
> > > And the TX queue should not be empty here, so print an error
> > > to see if there is anything wrong for DMA ring.
> > >
> > > Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
> > > Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
> > > ---
> > >  drivers/net/wireless/realtek/rtw88/pci.c | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > >
> > > diff --git a/drivers/net/wireless/realtek/rtw88/pci.c
> > b/drivers/net/wireless/realtek/rtw88/pci.c
> > > index a58e8276a41a..a6746b5a9ff2 100644
> > > --- a/drivers/net/wireless/realtek/rtw88/pci.c
> > > +++ b/drivers/net/wireless/realtek/rtw88/pci.c
> > > @@ -832,6 +832,11 @@ static void rtw_pci_tx_isr(struct rtw_dev *rtwdev,
> > struct rtw_pci *rtwpci,
> > >
> > >         while (count--) {
> > >                 skb = skb_dequeue(&ring->queue);
> > > +               if (!skb) {
> > > +                       rtw_err(rtwdev, "failed to dequeue %d skb TX
> > queue %d, BD=0x%08x, rp %d -> %d\n",
> > > +                               count, hw_queue, bd_idx, ring->r.rp,
> > cur_rp);
> > > +                       break;
> > > +               }
> > >                 tx_data = rtw_pci_get_tx_data(skb);
> > >                 pci_unmap_single(rtwpci->pdev, tx_data->dma,
> > skb->len,
> > >                                  PCI_DMA_TODEVICE);
> > > --
> > > 2.17.1
> > >
> >
> > Maybe we can simply do 'while (count -- &&
> > !skb_queue_empty(&ring->queue))' to achieve the same thing?
> > I don't think it worths to raise an error unless the count is expected
> > to exactly match the queue length in any
> > circumstances.
> >
>
> Yes, I expected that the queue length should match with the DMA ring.
> And so I printed an error to see why the count mismatched.
>
> Yan-Hsuan

Maybe you can spin lock around skb_dequeue and skb_enqueue to prevent
some possible race conditions?

Chris