Ramon Fried <rfried@xxxxxxxxxxxxxx> wrote:

> wcn36xx_start_tx function retrieves the buffer descriptor from the
> channel control queue to start filling tx buffer information. However,
> nothing prevents this same buffer to be concurrently accessed in a
> concurrent tx call, leading to potential buffer corruption and firmware
> crash (observed during iperf test). The channel control queue should
> only be accessed and updated with the channel lock.
>
> Fix this issue by using a local buffer descriptor which will be copied
> in the thread-safe wcn36xx_dxe_tx_frame.
>
> Note that buffer descriptor size is few bytes so the introduced copy
> overhead is insignificant. Moreover, this allows to keep the locked
> section minimal.
>
> Signed-off-by: Loic Poulain <loic.poulain@xxxxxxxxxx>
> Signed-off-by: Ramon Fried <rfried@xxxxxxxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

e5f9908155c9 wcn36xx: Fix firmware crash due to corrupted buffer address

--
https://patchwork.kernel.org/patch/10284261/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
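
The pattern the quoted commit message describes, sketched in userspace C as an added example (it is not the wcn36xx driver code or the applied patch): each sender fills a stack-local descriptor with no lock held, and only the locked `tx_frame` copies it into the shared queue. `struct bd`, `struct ring`, `struct job`, `tx_frame`, `start_tx`, `run_demo` and the pthread mutex are assumptions standing in for the driver's buffer descriptor, channel control queue and channel lock.

```c
#include <pthread.h>
#include <stdint.h>
#define RING_SZ 4096                        /* constructed size for this demo */
struct bd { uint32_t owner, seq, check; };  /* hypothetical buffer descriptor */
struct ring {                               /* stands in for the channel control queue */
    pthread_mutex_t lock;                   /* stands in for the channel lock */
    unsigned head;
    struct bd slot[RING_SZ];
};
struct job { struct ring *r; uint32_t owner; unsigned n; };

/* The only code that touches the shared ring: claim a slot and copy, under the lock. */
static int tx_frame(struct ring *r, const struct bd *local)
{
    pthread_mutex_lock(&r->lock);
    int ok = r->head < RING_SZ;
    if (ok) r->slot[r->head++] = *local;    /* small struct copy, short locked section */
    pthread_mutex_unlock(&r->lock);
    return ok ? 0 : -1;
}

/* Sender: fill a stack-local descriptor with no lock held, then hand it over. */
static void *start_tx(void *arg)
{
    struct job *j = arg;
    for (unsigned i = 0; i < j->n; i++) {
        struct bd local = { j->owner, i, j->owner ^ i };
        tx_frame(j->r, &local);
    }
    return NULL;
}

/* Runs concurrent senders; returns the number of corrupted slots, or -1 on error. */
int run_demo(unsigned nthreads, unsigned per_thread)
{
    static struct ring r = { .lock = PTHREAD_MUTEX_INITIALIZER };
    pthread_t t[16];
    struct job j[16];
    unsigned want = nthreads * per_thread, made = 0, bad = 0;
    if (nthreads > 16 || want > RING_SZ) return -1;
    r.head = 0;
    for (; made < nthreads; made++) {
        j[made] = (struct job){ &r, made + 1, per_thread };
        if (pthread_create(&t[made], NULL, start_tx, &j[made])) break;
    }
    for (unsigned i = 0; i < made; i++) pthread_join(t[i], NULL);
    for (unsigned i = 0; i < r.head; i++)   /* a torn or overwritten slot fails this check */
        bad += r.slot[i].check != (r.slot[i].owner ^ r.slot[i].seq);
    return r.head == want ? (int)bad : -1;
}
```

Build with `-pthread`; `run_demo(4, 1000)` returns 0 because no sender ever writes a queue slot outside the lock.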