[PATCH net] usbnet: fix crash due to missing BQL accounting after resume

Simon Schippers posted 1 patch 3 weeks, 4 days ago
drivers/net/usb/usbnet.c | 1 +
1 file changed, 1 insertion(+)
[PATCH net] usbnet: fix crash due to missing BQL accounting after resume
Posted by Simon Schippers 3 weeks, 4 days ago
In commit 7ff14c52049e ("usbnet: Add support for Byte Queue Limits
(BQL)"), it was missed that usbnet_resume() may enqueue SKBs using
__skb_queue_tail() without reporting them to BQL. As a result, the next
call to netdev_completed_queue() triggers a BUG_ON() in dql_completed(),
since the SKBs queued during resume were never accounted for.

This patch fixes the issue by adding a corresponding netdev_sent_queue()
call in usbnet_resume() when SKBs are queued after suspend. Because
dev->txq.lock is held at this point, no concurrent calls to
netdev_sent_queue() from usbnet_start_xmit() can occur.

The crash can be reproduced by generating network traffic
(e.g. iperf3 -c ... -t 0), suspending the system, and then waking it up
(e.g. rtcwake -m mem -s 5).

When testing USB2 Android tethering (cdc_ncm), the system crashed within
three suspend/resume cycles without this patch. With the patch applied,
no crashes were observed after 90 cycles. Testing with an AX88179 USB
Ethernet adapter also showed no crashes.

Reported-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Tested-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Tested-by: Simon Schippers <simon.schippers@tu-dortmund.de>
Signed-off-by: Simon Schippers <simon.schippers@tu-dortmund.de>
---
 drivers/net/usb/usbnet.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 36742e64cff7..35789ff4dd55 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1984,6 +1984,7 @@ int usbnet_resume(struct usb_interface *intf)
 			} else {
 				netif_trans_update(dev->net);
 				__skb_queue_tail(&dev->txq, skb);
+				netdev_sent_queue(dev->net, skb->len);
 			}
 		}
 
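Review bot: The byte count on the added line, skb->len, has to equal what the completion path later passes to netdev_completed_queue() for this same SKB, otherwise the BUG_ON() in dql_completed() described in the commit message can still be reached from the resume path. Please confirm that skb->len is not modified between this call and completion, and consider a one-line comment here noting that this is the resume-side counterpart of the netdev_sent_queue() call in usbnet_start_xmit().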
-- 
2.43.0
Re: [PATCH net] usbnet: fix crash due to missing BQL accounting after resume
Posted by Eric Dumazet 3 weeks, 4 days ago
On Tue, Jan 13, 2026 at 8:51 AM Simon Schippers
<simon.schippers@tu-dortmund.de> wrote:
>
> In commit 7ff14c52049e ("usbnet: Add support for Byte Queue Limits
> (BQL)"), it was missed that usbnet_resume() may enqueue SKBs using
> __skb_queue_tail() without reporting them to BQL. As a result, the next
> call to netdev_completed_queue() triggers a BUG_ON() in dql_completed(),
> since the SKBs queued during resume were never accounted for.
>
> This patch fixes the issue by adding a corresponding netdev_sent_queue()
> call in usbnet_resume() when SKBs are queued after suspend. Because
> dev->txq.lock is held at this point, no concurrent calls to
> netdev_sent_queue() from usbnet_start_xmit() can occur.
>
> The crash can be reproduced by generating network traffic
> (e.g. iperf3 -c ... -t 0), suspending the system, and then waking it up
> (e.g. rtcwake -m mem -s 5).
>
> When testing USB2 Android tethering (cdc_ncm), the system crashed within
> three suspend/resume cycles without this patch. With the patch applied,
> no crashes were observed after 90 cycles. Testing with an AX88179 USB
> Ethernet adapter also showed no crashes.
>
> Reported-by: Bard Liao <yung-chuan.liao@linux.intel.com>
> Tested-by: Bard Liao <yung-chuan.liao@linux.intel.com>
> Tested-by: Simon Schippers <simon.schippers@tu-dortmund.de>
> Signed-off-by: Simon Schippers <simon.schippers@tu-dortmund.de>
> ---

We request/need Fixes: tag for net patches, in the footer.
And we prefer it to be the first tag.

Fixes: 7ff14c52049e ("usbnet: Add support for Byte Queue Limits (BQL)")
...
Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks !

>  drivers/net/usb/usbnet.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
> index 36742e64cff7..35789ff4dd55 100644
> --- a/drivers/net/usb/usbnet.c
> +++ b/drivers/net/usb/usbnet.c
> @@ -1984,6 +1984,7 @@ int usbnet_resume(struct usb_interface *intf)
>                         } else {
>                                 netif_trans_update(dev->net);
>                                 __skb_queue_tail(&dev->txq, skb);
> +                               netdev_sent_queue(dev->net, skb->len);
>                         }
>                 }
>
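Review bot: The added netdev_sent_queue() call depends on dev->txq.lock being held, which the unlocked __skb_queue_tail() on the line above implies but which is stated only in the commit message. A short comment at this spot, or a lockdep_assert_held(&dev->txq.lock) ahead of the queueing, would keep that assumption checkable if the resume path is reworked later.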
> --
> 2.43.0
>