From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
To: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Felix Fietkau <nbd@nbd.name>, linux-wireless@vger.kernel.org
Subject: Re: [PATCH] mt76: fix frag length allocation for usb
Date: Wed, 3 Oct 2018 11:12:07 +0200 [thread overview]
Message-ID: <20181003091206.GA27279@localhost.localdomain> (raw)
In-Reply-To: <1538554631-5168-1-git-send-email-sgruszka@redhat.com>
> This is correct fix for c12128ce44b0 ("mt76: use a per rx queue page
> fragment cache"). We use wrong length when we allocate segments for
> MCU transmissions, which require bigger segment size than e->buf_size.
>
> Commit 481bb0432414 ("mt76: usb: make rx page_frag_cache access atomic")
> partially solved the problem or actually mask it by changing
> mt76u_mcu_init_rx() and mt76u_alloc_queues() sequence, so e->buf_size
> become non zero any longer, but still not big enough to handle MCU data.
Hi Stanislaw,
I agree that we should use len in page_frag_alloc() instead of q->buf_size, so
Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
but reviewing the code I guess the real issue is not q->buf_size (since it should
be bigger than MCU_RESP_URB_SIZE) but it is the sequence of calls in
mt76x0u_register_device() since mt76u_alloc_queues need to be called before
mt76u_mcu_init_rx()
Regards,
Lorenzo
>
> Patch fixes memory corruption which can manifest itself as random,
> not easy to reproduce crashes, during mt76 driver load or unload.
>
> Fixes: c12128ce44b0 ("mt76: use a per rx queue page fragment cache")
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
> drivers/net/wireless/mediatek/mt76/usb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
> index de7785c4f6af..6b643ea701e3 100644
> --- a/drivers/net/wireless/mediatek/mt76/usb.c
> +++ b/drivers/net/wireless/mediatek/mt76/usb.c
> @@ -286,7 +286,7 @@ mt76u_fill_rx_sg(struct mt76_dev *dev, struct mt76u_buf *buf,
> void *data;
> int offset;
>
> - data = page_frag_alloc(&q->rx_page, q->buf_size, GFP_ATOMIC);
> + data = page_frag_alloc(&q->rx_page, len, GFP_ATOMIC);
> if (!data)
> break;
>
> --
> 2.7.5
>
next prev parent reply other threads:[~2018-10-03 9:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-03 8:17 [PATCH] mt76: fix frag length allocation for usb Stanislaw Gruszka
2018-10-03 9:12 ` Lorenzo Bianconi [this message]
2018-10-03 10:19 ` Stanislaw Gruszka
2018-10-03 10:31 ` Lorenzo Bianconi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181003091206.GA27279@localhost.localdomain \
--to=lorenzo.bianconi@redhat.com \
--cc=linux-wireless@vger.kernel.org \
--cc=nbd@nbd.name \
--cc=sgruszka@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.