Christian, Will you be able to test this patch for us? Thanks, John On Mon, Oct 26, 2009 at 09:38:28PM +0100, Michael Buesch wrote: > On Monday 26 October 2009 20:37:33 Michael Buesch wrote: > > Ok, it just turns out this actually is a driver bug. > > Thanks to Johannes Berg for tracking it down. > > > > I think it's caused by the DMA bouncebuffer stuff that does not copy the skb->cb > > and does not adjust the "tx-info" pointer. > > I wonder why this didn't blow up easlier, because this bug is there since mac80211 > > switched to using the CB. > > > > Here's a completely untested patch. > > Here's a new version of the patch that also fixes queue mapping bugs: > > --- > drivers/net/wireless/b43/dma.c | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > --- wireless-testing.orig/drivers/net/wireless/b43/dma.c > +++ wireless-testing/drivers/net/wireless/b43/dma.c > @@ -1157,8 +1157,9 @@ struct b43_dmaring *parse_cookie(struct > } > > static int dma_tx_fragment(struct b43_dmaring *ring, > - struct sk_buff *skb) > + struct sk_buff **in_skb) > { > + struct sk_buff *skb = *in_skb; > const struct b43_dma_ops *ops = ring->ops; > struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); > u8 *header; > @@ -1224,8 +1225,14 @@ static int dma_tx_fragment(struct b43_dm > } > > memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len); > + memcpy(bounce_skb->cb, skb->cb, sizeof(skb->cb)); > + bounce_skb->dev = skb->dev; > + skb_set_queue_mapping(bounce_skb, skb_get_queue_mapping(skb)); > + info = IEEE80211_SKB_CB(bounce_skb); > + > dev_kfree_skb_any(skb); > skb = bounce_skb; > + *in_skb = bounce_skb; > meta->skb = skb; > meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1); > if (b43_dma_mapping_error(ring, meta->dmaaddr, skb->len, 1)) { > @@ -1355,7 +1362,11 @@ int b43_dma_tx(struct b43_wldev *dev, st > * static, so we don't need to store it per frame. */ > ring->queue_prio = skb_get_queue_mapping(skb); > > - err = dma_tx_fragment(ring, skb); > + /* dma_tx_fragment might reallocate the skb, so invalidate pointers pointing > + * into the skb data or cb now. */ > + hdr = NULL; > + info = NULL; > + err = dma_tx_fragment(ring, &skb); > if (unlikely(err == -ENOKEY)) { > /* Drop this packet, as we don't have the encryption key > * anymore and must not transmit it unencrypted. */ > > > > -- > Greetings, Michael. > -- John W. Linville Someday the world will need a hero, and you linville@xxxxxxxxxxxxx might be all we have. Be ready. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html