RE: [PATCH] rtw88: fix skb_under_panic in tx path

> On 2020-06-25 13:18, Nick Owens wrote:
> > hello :)
> 
> Hi Nick :)
> 
> > this change fixes a reliable crash on my thinkpad A485.
> >
> > please note i have no prior experience doing kernel development or
> > sending patches, and i'm not sure if this is a correct approach.
> 
> You probably want to submit patches with git-send-email. See
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
> 
> > From aa589182d30a0f99e1b3201ed4f3830e8af71dac Mon Sep 17 00:00:00
> 2001
> > From: Nick Owens <mischief@xxxxxxxxxxxx>
> > Date: Thu, 25 Jun 2020 12:55:41 -0700
> > Subject: [PATCH] rtw88: fix skb_under_panic in tx path
> >
> > fixes the following panic on my thinkpad A485
> >
> > Oops#1 Part3
> > <0>[ 3743.881656] skbuff: skb_under_panic: text:000000005f69fd98
> > len:208 put:48 head:000000009e2719e8 data:00000000bd3795e0 tail:0xc2
> > end:0x2c0 dev:wlp2s0
> 
> skb->head and skb->data here are really far (0.5GB) apart. Maybe
> skb->data actually got corrupted earlier?
> 
> > diff --git a/drivers/net/wireless/realtek/rtw88/pci.c
> > b/drivers/net/wireless/realtek/rtw88/pci.c
> > index d735f3127fe8..21b3b268cb25 100644
> > --- a/drivers/net/wireless/realtek/rtw88/pci.c
> > +++ b/drivers/net/wireless/realtek/rtw88/pci.c
> > @@ -741,6 +741,12 @@ static int rtw_pci_tx_write_data(struct rtw_dev
> > *rtwdev,
> >  	else if (!avail_desc(ring->r.wp, ring->r.rp, ring->r.len))
> >  		return -ENOSPC;
> >
> > +	if (skb_headroom(skb) < chip->tx_pkt_desc_sz &&
> > +	    pskb_expand_head(skb, chip->tx_pkt_desc_sz - skb_headroom(skb),
> > 0, GFP_ATOMIC)) {
> > +		dev_err(rtwdev->dev, "no headroom available");
> > +		return -ENOMEM;
> > +	}
> > +
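
Review bot: the new skb_headroom() check in rtw_pci_tx_write_data() grows the head at the point of use but does not explain why an skb with less than chip->tx_pkt_desc_sz of headroom reaches this function, so the cause of the panic stays unidentified; the commit message should say where the short skb comes from. If expanding here is kept, a helper such as skb_cow_head(skb, chip->tx_pkt_desc_sz) would avoid open-coding the difference passed to pskb_expand_head(). The dev_err() string is also missing its trailing "\n", and because it can fire once per transmitted packet it should be rate limited (dev_err_ratelimited()).
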
> 
> If it is a headroom issue, you can actually express the headroom
> needed by the driver in hw->extra_tx_headroom during init and avoid the
> pskb_expand_head() here.
> 

Looks like a headroom issue, but the driver already assigned headroom.
	max_tx_headroom = rtwdev->chip->tx_pkt_desc_sz;
	hw->extra_tx_headroom = max_tx_headroom;

Then I am not sure why this happens. Nick, can you help to dump_stack()
so we can see where the skb is from?

Yen-Hsuan
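
An added example, not part of the thread or of the rtw88 driver: it reads the skb_under_panic line quoted above and works out, from the len, put and tail fields alone, how much headroom the skb had when skb_push() ran. It assumes a linear skb (skb->data_len == 0) and that tail and end are offsets from skb->head, as on 64-bit kernels; the struct and function names are made up for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Non-pointer fields of an skb_under_panic line: len is skb->len after the
 * failed skb_push(), put is the push size, tail/end are offsets from head. */
struct skb_panic { long len, put, tail, end; };

/* Parse the number that follows `key`; base 0 accepts decimal and 0x hex. */
static int field(const char *line, const char *key, long *out)
{
    const char *p = strstr(line, key);
    char *endp;
    if (!p) return -1;
    p += strlen(key);
    *out = strtol(p, &endp, 0);
    return endp == p ? -1 : 0;
}

int parse_skb_panic(const char *line, struct skb_panic *p)
{
    if (!strstr(line, "skb_under_panic")) return -1;
    return (field(line, " len:", &p->len) || field(line, " put:", &p->put) ||
            field(line, " tail:", &p->tail) || field(line, " end:", &p->end)) ? -1 : 0;
}

/* Linear skb assumed: tail - data == len; the panic's len already includes put. */
long headroom_before_push(const struct skb_panic *p)
{
    return p->tail - (p->len - p->put);
}

long headroom_shortfall(const struct skb_panic *p)
{
    return p->put - headroom_before_push(p);
}

/* The oops line from the report above, unwrapped onto one line. */
static const char SAMPLE[] =
    "skbuff: skb_under_panic: text:000000005f69fd98 len:208 put:48 "
    "head:000000009e2719e8 data:00000000bd3795e0 tail:0xc2 end:0x2c0 dev:wlp2s0";

int main(void)
{
    struct skb_panic p;
    if (parse_skb_panic(SAMPLE, &p)) return 1;
    printf("headroom %ld, short by %ld\n", headroom_before_push(&p), headroom_shortfall(&p));
    return 0;
}
```

For the line in this report the result is 34 bytes of headroom against a 48-byte push, a shortfall of 14 bytes.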


