From: Chris Chiu
> Subject: Re: [PATCH] rtw88: fix potential NULL skb access in TX ISR
>
> On Tue, Jan 7, 2020 at 4:08 PM <yhchuang@xxxxxxxxxxx> wrote:
> >
> > From: Yan-Hsuan Chuang <yhchuang@xxxxxxxxxxx>
> >
> > Sometimes the TX queue may be empty and we could possible
> > dequeue a NULL pointer, crash the kernel. If the skb is NULL
> > then there is nothing to do, just leave the ISR.
> >
> > And the TX queue should not be empty here, so print an error
> > to see if there is anything wrong for DMA ring.
> >
> > Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver")
> > Signed-off-by: Yan-Hsuan Chuang <yhchuang@xxxxxxxxxxx>
> > ---
> > drivers/net/wireless/realtek/rtw88/pci.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/drivers/net/wireless/realtek/rtw88/pci.c
> b/drivers/net/wireless/realtek/rtw88/pci.c
> > index a58e8276a41a..a6746b5a9ff2 100644
> > --- a/drivers/net/wireless/realtek/rtw88/pci.c
> > +++ b/drivers/net/wireless/realtek/rtw88/pci.c
> > @@ -832,6 +832,11 @@ static void rtw_pci_tx_isr(struct rtw_dev *rtwdev,
> struct rtw_pci *rtwpci,
> >
> > while (count--) {
> > skb = skb_dequeue(&ring->queue);
> > + if (!skb) {
> > + rtw_err(rtwdev, "failed to dequeue %d skb TX
> queue %d, BD=0x%08x, rp %d -> %d\n",
> > + count, hw_queue, bd_idx, ring->r.rp,
> cur_rp);
> > + break;
> > + }
> > tx_data = rtw_pci_get_tx_data(skb);
> > pci_unmap_single(rtwpci->pdev, tx_data->dma,
> skb->len,
> > PCI_DMA_TODEVICE);
> > --
> > 2.17.1
> >
>
> Maybe we can simply do 'while (count -- &&
> !skb_queue_empty(&ring->queue))' to achieve the same thing?
> I don't think it worths to raise an error unless the count is expected
> to exactly match the queue length in any
> circumstances.
>
Yes, I expected that the queue length should match with the DMA ring.
And so I printed an error to see why the count mismatched.
Yan-Hsuan
