From: Larry Finger <Larry.Finger@lwfinger.net>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>,
ncardwell@google.com, linville@tuxdriver.com,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: Regression associated with commit c8628155ece3 - "tcp: reduce out_of_order memory use"
Date: Fri, 24 Aug 2012 11:58:20 -0500 [thread overview]
Message-ID: <5037B2AC.50704@lwfinger.net> (raw)
In-Reply-To: <1345825432.19483.20.camel@edumazet-glaptop>
On 08/24/2012 11:23 AM, Eric Dumazet wrote:
> On Fri, 2012-08-24 at 18:18 +0200, Eric Dumazet wrote:
>> On Fri, 2012-08-24 at 10:58 -0500, Larry Finger wrote:
>>> On 08/24/2012 10:19 AM, David Miller wrote:
>>>>
>>>> This looks like full-on data corruption to me.
>>>
>>> I agree. The question is why does it happen with r8712u, and only after the
>>> commit in the subject. Drivers for other devices that I have are OK. Thus far, I
>>> have tested b43, rtl8187, ath9k_htc, and rtl8192cu. To my knowledge, there are
>>> no reports posted for this bug with any other device.
>>
>> bugs can sit unnoticed, and one change somewhere can uncover them.
>>
>> Really this driver must have a bug, if not half a dozen of bugs.
>>
>> For example this sequence of code is a clear bug :
>>
>> sub_skb = dev_alloc_skb(nSubframe_Length + 12);
>> skb_reserve(sub_skb, 12);
>>
>>
>> Also the free_recv_skb_queue looks really suspect to me
>>
>> What the hell is doing recv_tasklet() I really wonder.
>>
>> This code, combined with the skb_clone() in recvbuf2recvframe()
>> can clearly reuse an skb passed to upper stacks.
>>
>>
>> queueing one skb in free_recv_skb_queue should be done
>> only if no clone of this skb exist somewhere.
>>
>> Please someone fix this buggy driver.
>>
>
> Try the following patch for a start
>
> diff --git a/drivers/staging/rtl8712/rtl8712_recv.c b/drivers/staging/rtl8712/rtl8712_recv.c
> index 8e82ce2..88e3ca6 100644
> --- a/drivers/staging/rtl8712/rtl8712_recv.c
> +++ b/drivers/staging/rtl8712/rtl8712_recv.c
> @@ -1127,6 +1127,9 @@ static void recv_tasklet(void *priv)
> recvbuf2recvframe(padapter, pskb);
> skb_reset_tail_pointer(pskb);
> pskb->len = 0;
> - skb_queue_tail(&precvpriv->free_recv_skb_queue, pskb);
> + if (!skb_cloned(pskb))
> + skb_queue_tail(&precvpriv->free_recv_skb_queue, pskb);
> + else
> + consume_skb(pskb);
> }
> }
This one did not help. There is no doubt it is needed for the case where memory
is tight, an allocation fails, and the driver clones the skb. In the present
case, debug statements have shown that the skb_clone() call was not made.
In the long term, this driver will be replaced with one that uses mac80211, but
in the short term, I am trying to fix it.
As I said earlier, my skb skills are minimal. Could you explain what is wrong
with the following sequence?
sub_skb = dev_alloc_skb(nSubframe_Length + 12);
skb_reserve(sub_skb, 12);
Thanks,
Larry
next prev parent reply other threads:[~2012-08-24 16:58 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-22 4:07 Regression associated with commit c8628155ece3 - "tcp: reduce out_of_order memory use" Larry Finger
2012-08-22 4:26 ` David Miller
2012-08-22 5:15 ` Eric Dumazet
2012-08-22 16:00 ` Larry Finger
2012-08-22 21:33 ` Larry Finger
2012-08-23 4:03 ` Eric Dumazet
2012-08-23 20:57 ` Larry Finger
2012-08-23 21:26 ` Eric Dumazet
2012-08-24 14:09 ` Larry Finger
2012-08-24 14:55 ` Eric Dumazet
2012-08-24 15:49 ` Larry Finger
2012-08-24 16:01 ` Eric Dumazet
2012-08-24 16:29 ` Larry Finger
2012-08-24 15:19 ` David Miller
2012-08-24 15:58 ` Larry Finger
2012-08-24 16:18 ` Eric Dumazet
2012-08-24 16:23 ` Eric Dumazet
2012-08-24 16:58 ` Larry Finger [this message]
2012-08-24 17:47 ` Eric Dumazet
2012-08-27 17:55 ` Larry Finger
2012-08-27 18:21 ` Eric Dumazet
2012-08-27 20:39 ` Larry Finger
2012-09-10 8:39 ` Eric Dumazet
2012-09-10 14:53 ` Larry Finger
2012-09-10 15:04 ` Eric Dumazet
2012-09-10 17:55 ` [PATCH] staging: r8712u: fix bug in r8712_recv_indicatepkt() Eric Dumazet
2012-09-10 18:34 ` Larry Finger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5037B2AC.50704@lwfinger.net \
--to=larry.finger@lwfinger.net \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=ncardwell@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).