On Wed, Feb 19, 2014 at 02:21:35PM +0100, Stanislaw Gruszka wrote:
> > In any case, while this solves the crash, which is a good thing, it still
> > leaves the code buggy. This crash seems to occur in the following racy
> > scenario:
> >
> >  * station is sleeping
> >  * frame TX to station begins
> >  * station wakes up
> >  * frame TX goes into the queue length check, finds long queue
> >  * pending frames are transmitted
> >  * queue is now empty
> >  * old = skb_dequeue() returns NULL
> >  * *kaboom*
> >
> > The problem is that you're just fixing the "*kaboom*" part, so the code
> > will continue like this:
> >
> >  * old is NULL
> >  * no kaboom
> >  * new frame is queued on ps_tx_buf queue
> >  * frame never gets transmitted
>
> When I started to look at that code I found at least 3 bugs, but missed
> this one :-)
>
> Why will the frame not be transmitted? We are disabling PS, but the
> buffers stay non-empty?

Ok, I think I see this. It seems to be a race condition in
ieee80211_sta_ps_deliver_wakeup(). Perhaps it could be solved by modifying
ieee80211_add_pending_skbs_fn() to take a list of queues as an argument;
that function seems to properly stop the queues, add the buffered frames to
the pending queue, clear WLAN_STA_PS_STA and then wake up the queues. Or just
stop using ieee80211_add_pending_skbs_fn() and do the same sequence directly
in ieee80211_sta_ps_deliver_wakeup().

Stanislaw
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
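The race the thread describes, replayed in a user-space model as an added example (this is not mac80211 code and not a patch from the thread). struct sta_model, its fields and the function names are hypothetical stand-ins; the mutex plays the role of the "stop queues ... wake queues" bracket around the wakeup, and ps_sta stands in for WLAN_STA_PS_STA. The buggy path tests the sleep flag and enqueues onto ps_tx_buf as two separate steps, so a wakeup that drains ps_tx_buf and clears the flag can land between them and strand the frame; the fixed path makes both the TX-side check-and-enqueue and the wakeup-side drain-and-clear atomic with respect to each other, so either order of the two events delivers the frame.

```c
#include <assert.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not mac80211 code: user-space model of the TX-path vs
 * wakeup race. All names below are hypothetical stand-ins. */

#define QLEN 16

struct fifo { int frames[QLEN]; int n; };

static void fifo_push(struct fifo *q, int f)
{
    assert(q->n < QLEN);
    q->frames[q->n++] = f;
}

/* Move every frame from src to the tail of dst, leaving src empty. */
static void fifo_splice(struct fifo *src, struct fifo *dst)
{
    for (int i = 0; i < src->n; i++)
        fifo_push(dst, src->frames[i]);
    src->n = 0;
}

struct sta_model {
    pthread_mutex_t lock;   /* stand-in for stopping/waking the queues */
    bool ps_sta;            /* station asleep (stand-in for WLAN_STA_PS_STA) */
    struct fifo ps_tx_buf;  /* frames buffered while the station sleeps */
    struct fifo pending;    /* frames handed on for actual transmission */
};

static void sta_init(struct sta_model *s, bool asleep)
{
    pthread_mutex_init(&s->lock, NULL);
    s->ps_sta = asleep;
    s->ps_tx_buf.n = 0;
    s->pending.n = 0;
}

/* Buggy ordering: the TX path checks the flag and enqueues as two separate
 * steps, and the wakeup runs with nothing keeping the TX path out. */
static void wakeup_buggy(struct sta_model *s)
{
    fifo_splice(&s->ps_tx_buf, &s->pending); /* deliver what was buffered */
    s->ps_sta = false;                        /* clear the PS flag */
}

/* Replays the interleaving from the thread. Returns how many frames are
 * still sitting in ps_tx_buf after the station is awake: 1 = stranded. */
int race_buggy(void)
{
    struct sta_model s;
    sta_init(&s, true);

    bool asleep = s.ps_sta;        /* TX path: "station is sleeping" */
    wakeup_buggy(&s);              /* station wakes: buffer drained, flag cleared */
    if (asleep)
        fifo_push(&s.ps_tx_buf, 42); /* TX path acts on the stale check */

    return s.ps_tx_buf.n;          /* nothing will drain this queue again */
}

/* Fixed ordering: flag test + enqueue and drain + flag clear each happen
 * under the same lock, so neither can observe the other half-done. */
static void tx_fixed(struct sta_model *s, int frame)
{
    pthread_mutex_lock(&s->lock);
    if (s->ps_sta)
        fifo_push(&s->ps_tx_buf, frame);
    else
        fifo_push(&s->pending, frame);
    pthread_mutex_unlock(&s->lock);
}

static void wakeup_fixed(struct sta_model *s)
{
    pthread_mutex_lock(&s->lock);              /* "stop queues" */
    fifo_splice(&s->ps_tx_buf, &s->pending);   /* buffered frames -> pending */
    s->ps_sta = false;                         /* clear PS flag */
    pthread_mutex_unlock(&s->lock);            /* "wake queues" */
}

static void run_fixed(struct sta_model *s, bool wakeup_first)
{
    sta_init(s, true);
    if (wakeup_first) { wakeup_fixed(s); tx_fixed(s, 42); }
    else              { tx_fixed(s, 42); wakeup_fixed(s); }
}

/* Frames left behind in ps_tx_buf after both events: should be 0. */
int fixed_stranded(bool wakeup_first)
{
    struct sta_model s;
    run_fixed(&s, wakeup_first);
    return s.ps_tx_buf.n;
}

/* Frames that reached pending after both events: should be 1. */
int fixed_delivered(bool wakeup_first)
{
    struct sta_model s;
    run_fixed(&s, wakeup_first);
    return s.pending.n;
}

int main(void)
{
    printf("buggy: %d frame(s) stranded in ps_tx_buf\n", race_buggy());
    printf("fixed, TX first: %d stranded, %d delivered\n",
           fixed_stranded(false), fixed_delivered(false));
    printf("fixed, wakeup first: %d stranded, %d delivered\n",
           fixed_stranded(true), fixed_delivered(true));
    return 0;
}
```

The model is single-threaded on purpose: the harmful interleaving is injected by hand in race_buggy() so it is reproducible, while in the fixed variant the two critical sections simply cannot interleave, whichever order a scheduler picks. In the kernel the equivalent of the lock is the stop-queues / wake-queues bracket Stanislaw describes, with the TX path held off by the stopped queue rather than by a mutex.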