From: Ben Greear <greearb@candelatech.com>
To: "Luis R. Rodriguez" <mcgrof@gmail.com>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: memory clobber in rx path, maybe related to ath9k.
Date: Thu, 14 Oct 2010 14:31:27 -0700 [thread overview]
Message-ID: <4CB776AF.6090504@candelatech.com> (raw)
In-Reply-To: <AANLkTimCyHRRoh34Cfv=b+h-9SoeuJzur46WyEZ7BKT-@mail.gmail.com>
On 10/14/2010 02:25 PM, Luis R. Rodriguez wrote:
> On Wed, Oct 13, 2010 at 10:48 AM, Ben Greear<greearb@candelatech.com> wrote:
>> On 10/13/2010 10:29 AM, Luis R. Rodriguez wrote:
>>>
>>> On Wed, Oct 13, 2010 at 10:12 AM, Ben Greear<greearb@candelatech.com>
>>> wrote:
>>>>
>>>> On 10/12/2010 11:40 AM, Luis R. Rodriguez wrote:
>>>>>
>>>>> On Tue, Oct 12, 2010 at 11:35 AM, Ben Greear<greearb@candelatech.com>
>>>>> wrote:
>>>>>>
>>>>>> On 10/11/2010 11:10 PM, Luis R. Rodriguez wrote:
>>>>>>>
>>>>>>> On Mon, Oct 11, 2010 at 8:27 PM, Ben Greear<greearb@candelatech.com>
>>>>>>> wrote:
>>>>>>
>>>>>>>> Another thing I was thinking about: Maybe the queue of skbs and dma
>>>>>>>> addresses
>>>>>>>> in ath9k is getting corrupted by multiple VIFs trying to write at
>>>>>>>> once?
>>>>>>>> Maybe
>>>>>>>> some locking is needed in the xmit path?
>>>>>>>
>>>>>>> That was my second hunch. My first shot was to use spin_lock_irqsave()
>>>>>>> over the the uses of the rxbuf list and that seemed to help but I
>>>>>>> still managed to get a poison eventually. My next item to check for is
>>>>>>> of the permissibility of creating too much pressure to the point we
>>>>>>> end up looping over the rxbuf list and race against mac80211 free'ing
>>>>>>> a buffer. Will test that tomorrow if nothing else comes up creeping my
>>>>>>> priority queue.
>>>>>>
>>>>>> This code looks weird to me. One of the paprd branches
>>>>>> deletes the skb, the other doesn't appear to. Neither
>>>>>> null out bf->bf_mpdu, which would appear to leave a dangling
>>>>>> pointer in at least the dev_kfree_skb_any() branch.
>>>>>>
>>>>>> ath_tx_complete frees it's skb in all cases, so another
>>>>>> bf->bf_mpdu dangling pointer issue.
>>>>>>
>>>>>> Maybe at the least we should null out bf->bf_mpdu when
>>>>>> skb is consumed?
>>>>>
>>>>> You're reading my mind, that was what I was going to test today. Still
>>>>> doing e-mail sweep though.
>>>>
>>>> At least in the xmit path, it seems cards that have EDMA support do
>>>> things a bit different. Out of curiosity, on the system(s), you
>>>> reproduce
>>>> this, are any of yours supporting EDMA? Mine appear to not support EDMA.
>>>
>>> EDMA is used on>= AR9003 families by Atheros. And no, I am not
>>> testing with an EDMA card, I am testing with an AR9002 family card,
>>> the AR9280 card. I am going to disregard the TX stuff as the bug is an
>>> RX issue :) I was able to more easily reproduce by doing an skb_copy()
>>> and free'ing the buffer right afterwards on the ath_send_to_mac80211()
>>> thingy, So it does appear that the poison check just happens more
>>> often when we do an skb_copy(). One reason this is easy to reproduce
>>> with multiple STAs is mac80211 uses skb_copy() to process each
>>> received skb for each STA.
>>>
>>> In my tests so far, protecting the rxbuf list with spin_lock_irqsave()
>>> did not help, and the wmb(); didn't either, something else is going on
>>> here. It would be nice to hack slab to keep an entire trace of the
>>> place the buffer was last free'd at instead of just the caller that
>>> freed it.
>>
>> I instrumented slub a while back and got the backtrace. It
>> was always in the same place for my testing.
>>
>> Here's the slub patch if you are interested in using it yourself:
>> https://patchwork.kernel.org/patch/236921/
>
> when compiling this patch I get:
>
> arch/x86/built-in.o: In function `store_stack':
> /home/mcgrof/wireless-testing/arch/x86/kernel/dumpstack.c:259:
> undefined reference to `store_trace'
You are compiling on 32-bit system? I see the method in
the patch, but probably only for 32-bit x86...
Ben
>
> Luis
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
next prev parent reply other threads:[~2010-10-14 21:31 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-05 17:00 memory clobber in rx path, maybe related to ath9k Ben Greear
2010-10-05 17:16 ` Luis R. Rodriguez
2010-10-05 17:24 ` Ben Greear
2010-10-05 17:36 ` Luis R. Rodriguez
2010-10-05 17:38 ` Ben Greear
2010-10-05 17:43 ` Luis R. Rodriguez
2010-10-05 17:47 ` Ben Greear
2010-10-05 17:55 ` Luis R. Rodriguez
2010-10-05 18:14 ` Ben Greear
2010-10-05 21:12 ` Ben Greear
2010-10-07 17:33 ` Ben Greear
2010-10-07 18:14 ` Johannes Berg
2010-10-07 18:29 ` Luis R. Rodriguez
2010-10-07 18:39 ` Ben Greear
2010-10-07 18:42 ` Luis R. Rodriguez
2010-10-07 18:45 ` Ben Greear
2010-10-07 19:14 ` Ben Greear
2010-10-07 19:17 ` Johannes Berg
2010-10-07 19:22 ` Ben Greear
2010-10-07 19:27 ` Johannes Berg
2010-10-07 21:31 ` Luis R. Rodriguez
2010-10-07 21:36 ` Luis R. Rodriguez
2010-10-07 21:59 ` Luis R. Rodriguez
2010-10-11 20:51 ` Ben Greear
2010-10-12 1:03 ` Luis R. Rodriguez
2010-10-12 3:27 ` Ben Greear
2010-10-12 6:10 ` Luis R. Rodriguez
2010-10-12 18:35 ` Ben Greear
2010-10-12 18:40 ` Luis R. Rodriguez
2010-10-12 18:43 ` Ben Greear
2010-10-12 19:51 ` Ben Greear
2010-10-13 17:12 ` Ben Greear
2010-10-13 17:29 ` Luis R. Rodriguez
2010-10-13 17:48 ` Ben Greear
2010-10-14 21:25 ` Luis R. Rodriguez
2010-10-14 21:31 ` Ben Greear [this message]
2010-10-14 21:32 ` Luis R. Rodriguez
2010-10-14 21:39 ` Ben Greear
2010-10-14 21:45 ` Johannes Berg
2010-10-14 21:47 ` Ben Greear
2010-10-13 5:31 ` Vasanthakumar Thiagarajan
2010-10-13 16:39 ` Ben Greear
2010-10-13 19:56 ` Björn Smedman
2010-10-13 20:03 ` Luis R. Rodriguez
2010-10-14 19:15 ` Ben Greear
2010-10-14 19:17 ` Luis R. Rodriguez
2010-10-14 21:52 ` Björn Smedman
2010-10-14 22:05 ` Ben Greear
2010-10-14 22:16 ` Luis R. Rodriguez
2010-10-14 22:29 ` Luis R. Rodriguez
2010-10-14 22:35 ` Luis R. Rodriguez
2010-10-14 22:44 ` Ben Greear
2010-10-14 22:54 ` Luis R. Rodriguez
2010-10-14 22:51 ` Luis R. Rodriguez
2010-10-14 23:19 ` Luis R. Rodriguez
2010-10-14 23:30 ` Ben Greear
2010-10-14 23:39 ` Luis R. Rodriguez
2010-10-14 23:48 ` Luis R. Rodriguez
2010-10-15 16:51 ` Ben Greear
2010-10-15 18:47 ` Luis R. Rodriguez
2010-10-15 19:36 ` Ben Greear
2010-10-15 21:07 ` Luis R. Rodriguez
2010-10-15 23:21 ` Luis R. Rodriguez
2010-10-15 23:33 ` Ben Greear
2010-10-15 23:38 ` Luis R. Rodriguez
2010-10-15 23:41 ` Luis R. Rodriguez
2010-10-16 0:07 ` Ben Greear
2010-10-15 23:42 ` Ben Greear
2010-10-15 23:57 ` Luis R. Rodriguez
2010-10-17 19:44 ` Ben Greear
2010-10-18 22:46 ` Luis R. Rodriguez
2010-10-15 23:39 ` Ben Greear
2010-10-14 23:51 ` Ben Greear
2010-10-14 22:47 ` Ben Greear
2010-10-14 23:46 ` Björn Smedman
2010-10-18 13:48 ` Björn Smedman
2010-10-18 17:24 ` Luis R. Rodriguez
2010-10-18 22:34 ` Björn Smedman
2010-10-18 22:41 ` Luis R. Rodriguez
2010-10-14 5:37 ` Vasanthakumar Thiagarajan
2010-10-07 21:52 ` Ben Greear
2010-10-08 0:42 ` Bruno Randolf
2010-10-08 2:30 ` Ben Greear
2010-10-05 17:22 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CB776AF.6090504@candelatech.com \
--to=greearb@candelatech.com \
--cc=linux-wireless@vger.kernel.org \
--cc=mcgrof@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).