wifi: rtlwifi: rtl8723be: don't call kfree_skb() under spin_lock_irqsave()

[ Upstream commit 313950c2114e7051c4e3020fd82495fa1fb526a8 ]

It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. All the SKBs have
been dequeued from the old queue, so it's safe to enqueue these
SKBs to a free queue, then free them after spin_unlock_irqrestore()
at once. Compile tested only.

Fixes: 5c99f04fec93 ("rtlwifi: rtl8723be: Update driver to match Realtek release of 06/28/14")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221207141411.46098-4-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
index 189cc64..0ba3bbe 100644 (file)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
@@ -30,8 +30,10 @@ static void _rtl8723be_return_beacon_queue_skb(struct ieee80211_hw *hw)
        struct rtl_priv *rtlpriv = rtl_priv(hw);
        struct rtl_pci *rtlpci = rtl_pcidev(rtl_pcipriv(hw));
        struct rtl8192_tx_ring *ring = &rtlpci->tx_ring[BEACON_QUEUE];
+       struct sk_buff_head free_list;
        unsigned long flags;
 
+       skb_queue_head_init(&free_list);
        spin_lock_irqsave(&rtlpriv->locks.irq_th_lock, flags);
        while (skb_queue_len(&ring->queue)) {
                struct rtl_tx_desc *entry = &ring->desc[ring->idx];
@@ -41,10 +43,12 @@ static void _rtl8723be_return_beacon_queue_skb(struct ieee80211_hw *hw)
                                 rtlpriv->cfg->ops->get_desc(hw, (u8 *)entry,
                                                true, HW_DESC_TXBUFF_ADDR),
                                 skb->len, DMA_TO_DEVICE);
-               kfree_skb(skb);
+               __skb_queue_tail(&free_list, skb);
                ring->idx = (ring->idx + 1) % ring->entries;
        }
        spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags);
+
+       __skb_queue_purge(&free_list);
 }
 
 static void _rtl8723be_set_bcn_ctrl_reg(struct ieee80211_hw *hw,