wifi: rtw88: usb: kill and free rx urbs on probe failure

commit 290564367ab7fa7e2048bdc00d9c0ad016b41eea upstream.

After rtw_usb_alloc_rx_bufs() has been called rx urbs have been
allocated and must be freed in the error path. After rtw_usb_init_rx()
has been called they are submitted, so they also must be killed.

Add these forgotten steps to the probe error path.

Besides the lost memory this also fixes a problem when the driver
fails to download the firmware in rtw_chip_info_setup(). In this
case it can happen that the completion of the rx urbs handler runs
at a time when we already freed our data structures resulting in
a kernel crash.

Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
Cc: stable@vger.kernel.org
Reported-by: Ilgaz Öcal <ilgaz@ilgaz.gen.tr>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230823075021.588596-1-s.hauer@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index 4a57efdba97bbf3f9a79ae9b38f911934f20136a..875a61c9c80d4b28a97d979e04e154cc9615e41f 100644 (file)
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -844,7 +844,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 
        ret = rtw_core_init(rtwdev);
        if (ret)
-               goto err_release_hw;
+               goto err_free_rx_bufs;
 
        ret = rtw_usb_intf_init(rtwdev, intf);
        if (ret) {
@@ -890,6 +890,9 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 err_deinit_core:
        rtw_core_deinit(rtwdev);
 
+err_free_rx_bufs:
+       rtw_usb_free_rx_bufs(rtwusb);
+
 err_release_hw:
        ieee80211_free_hw(hw);