From: "Luis R. Rodriguez" <mcgrof@gmail.com>
To: Ben Greear <greearb@candelatech.com>
Cc: "Björn Smedman" <bjorn.smedman@venatech.se>,
"Vasanthakumar Thiagarajan" <vasanth@atheros.com>,
"Johannes Berg" <johannes@sipsolutions.net>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: Re: memory clobber in rx path, maybe related to ath9k.
Date: Thu, 14 Oct 2010 15:29:02 -0700 [thread overview]
Message-ID: <AANLkTi=1oOCcdvBHo+8WAVHv-M8tE14ntmK4M_09SWh5@mail.gmail.com> (raw)
In-Reply-To: <AANLkTimC0+6PiqWO+LmtBV7uKCVpZueAQs6m_6kAnbq9@mail.gmail.com>
On Thu, Oct 14, 2010 at 3:16 PM, Luis R. Rodriguez <mcgrof@gmail.com> wrote:
> 2010/10/14 Ben Greear <greearb@candelatech.com>:
>> On 10/14/2010 02:52 PM, Björn Smedman wrote:
>>>
>>> 2010/10/13 Björn Smedman<bjorn.smedman@venatech.se>:
>>>>
>>>> Hi Ben,
>>>>
>>>> First of all keep up the good work. :)
>>>>
>>>> On Wed, Oct 13, 2010 at 6:39 PM, Ben Greear<greearb@candelatech.com>
>>>> wrote:
>>>> [snip]
>>>>>
>>>>> Either way, it seems safer to null out the bf_ampdu field after
>>>>> the memory is consumed..it could prevent some tricky bugs later.
>>>>
>>>> I think this is a good idea. But it probably wont be enough to null
>>>> out bf_mpdu. You also need to look at bf_buf_addr (which if I
>>>> understand correctly is the physical address the DMA engine will
>>>> actually write RXed frames to) and bf_dmacontext (which seems in most
>>>> cases to hold an identical address and may in fact be where the DMA
>>>> engine will really write the frame).
>>>
>>> I took another look at the code. It turns out both bf_buf_addr and
>>> bf_dmacontext are in fact meaningless to the DMA. Instead each bf
>>> holds a pointer (bf_desc) to the real DMA descriptor which in turn
>>> holds the address (ds_data) where the DMA will really (really this
>>> time) write the frame. There is also a field to hold the virtual
>>> address of the same place (ds_vdata).
>>>
>>> It's a little too much work for me to set up the testbed you have Ben
>>> but would be interesting to see what happens if you set
>>> bf->bf_desc->ds_{data,vdata} = 0 as well. No?
>>
>> I'll investigate those suggestions.
>>
>> But setting up a test-bed is as easy
>> as getting an ath9k NIC in a system, with a few APs around, and run the
>> script below.
>>
>> You do not need any traffic generation, dhcp, etc...seems just beacons and
>> whatever
>> wpa_supplicant is doing is enough to hit the problem fast. (Make sure
>> you are compiled to detect memory poisoning, of course).
>>
>> You'll need to fix the paths to the executables most likely.
>>
>
> You don't need such complicated scripts, I've managed to reproduce now
> by creating a lot of monitor interfaces and then looping with a
> regular interface issuing a scan command over and over. I suspect
> I'll be able to do this as well by changing channels instead of doing
> a scan. I believe the issue may be due to races in hardware on resets
> and enabling RX on an already freed buffer.
Fun enough if I just create one monitor interface and loop quickly
over some 2 GHz channels where I know I have traffic nearby I don't
see the poison. So channel changes don't seem to do much because this
is changing channels as fast as possible from userspace. I also can
confirm that I see frames from the different channels as I move along.
Luis
next prev parent reply other threads:[~2010-10-14 22:29 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-05 17:00 memory clobber in rx path, maybe related to ath9k Ben Greear
2010-10-05 17:16 ` Luis R. Rodriguez
2010-10-05 17:24 ` Ben Greear
2010-10-05 17:36 ` Luis R. Rodriguez
2010-10-05 17:38 ` Ben Greear
2010-10-05 17:43 ` Luis R. Rodriguez
2010-10-05 17:47 ` Ben Greear
2010-10-05 17:55 ` Luis R. Rodriguez
2010-10-05 18:14 ` Ben Greear
2010-10-05 21:12 ` Ben Greear
2010-10-07 17:33 ` Ben Greear
2010-10-07 18:14 ` Johannes Berg
2010-10-07 18:29 ` Luis R. Rodriguez
2010-10-07 18:39 ` Ben Greear
2010-10-07 18:42 ` Luis R. Rodriguez
2010-10-07 18:45 ` Ben Greear
2010-10-07 19:14 ` Ben Greear
2010-10-07 19:17 ` Johannes Berg
2010-10-07 19:22 ` Ben Greear
2010-10-07 19:27 ` Johannes Berg
2010-10-07 21:31 ` Luis R. Rodriguez
2010-10-07 21:36 ` Luis R. Rodriguez
2010-10-07 21:59 ` Luis R. Rodriguez
2010-10-11 20:51 ` Ben Greear
2010-10-12 1:03 ` Luis R. Rodriguez
2010-10-12 3:27 ` Ben Greear
2010-10-12 6:10 ` Luis R. Rodriguez
2010-10-12 18:35 ` Ben Greear
2010-10-12 18:40 ` Luis R. Rodriguez
2010-10-12 18:43 ` Ben Greear
2010-10-12 19:51 ` Ben Greear
2010-10-13 17:12 ` Ben Greear
2010-10-13 17:29 ` Luis R. Rodriguez
2010-10-13 17:48 ` Ben Greear
2010-10-14 21:25 ` Luis R. Rodriguez
2010-10-14 21:31 ` Ben Greear
2010-10-14 21:32 ` Luis R. Rodriguez
2010-10-14 21:39 ` Ben Greear
2010-10-14 21:45 ` Johannes Berg
2010-10-14 21:47 ` Ben Greear
2010-10-13 5:31 ` Vasanthakumar Thiagarajan
2010-10-13 16:39 ` Ben Greear
2010-10-13 19:56 ` Björn Smedman
2010-10-13 20:03 ` Luis R. Rodriguez
2010-10-14 19:15 ` Ben Greear
2010-10-14 19:17 ` Luis R. Rodriguez
2010-10-14 21:52 ` Björn Smedman
2010-10-14 22:05 ` Ben Greear
2010-10-14 22:16 ` Luis R. Rodriguez
2010-10-14 22:29 ` Luis R. Rodriguez [this message]
2010-10-14 22:35 ` Luis R. Rodriguez
2010-10-14 22:44 ` Ben Greear
2010-10-14 22:54 ` Luis R. Rodriguez
2010-10-14 22:51 ` Luis R. Rodriguez
2010-10-14 23:19 ` Luis R. Rodriguez
2010-10-14 23:30 ` Ben Greear
2010-10-14 23:39 ` Luis R. Rodriguez
2010-10-14 23:48 ` Luis R. Rodriguez
2010-10-15 16:51 ` Ben Greear
2010-10-15 18:47 ` Luis R. Rodriguez
2010-10-15 19:36 ` Ben Greear
2010-10-15 21:07 ` Luis R. Rodriguez
2010-10-15 23:21 ` Luis R. Rodriguez
2010-10-15 23:33 ` Ben Greear
2010-10-15 23:38 ` Luis R. Rodriguez
2010-10-15 23:41 ` Luis R. Rodriguez
2010-10-16 0:07 ` Ben Greear
2010-10-15 23:42 ` Ben Greear
2010-10-15 23:57 ` Luis R. Rodriguez
2010-10-17 19:44 ` Ben Greear
2010-10-18 22:46 ` Luis R. Rodriguez
2010-10-15 23:39 ` Ben Greear
2010-10-14 23:51 ` Ben Greear
2010-10-14 22:47 ` Ben Greear
2010-10-14 23:46 ` Björn Smedman
2010-10-18 13:48 ` Björn Smedman
2010-10-18 17:24 ` Luis R. Rodriguez
2010-10-18 22:34 ` Björn Smedman
2010-10-18 22:41 ` Luis R. Rodriguez
2010-10-14 5:37 ` Vasanthakumar Thiagarajan
2010-10-07 21:52 ` Ben Greear
2010-10-08 0:42 ` Bruno Randolf
2010-10-08 2:30 ` Ben Greear
2010-10-05 17:22 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='AANLkTi=1oOCcdvBHo+8WAVHv-M8tE14ntmK4M_09SWh5@mail.gmail.com' \
--to=mcgrof@gmail.com \
--cc=bjorn.smedman@venatech.se \
--cc=greearb@candelatech.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=vasanth@atheros.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).