[PATCH AUTOSEL 5.3 35/99] iwlwifi: mvm: fix race in sync rx queue notification

From: Sasha Levin
Date: Sat Oct 26 2019 - 09:17:15 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 5.3 36/99] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable"
Previous message: Sasha Levin: "[PATCH AUTOSEL 5.3 34/99] ip6erspan: remove the incorrect mtu limit for ip6erspan"
In reply to: Sasha Levin: "[PATCH AUTOSEL 5.3 34/99] ip6erspan: remove the incorrect mtu limit for ip6erspan"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 5.3 36/99] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Naftali Goldstein <naftali.goldstein@xxxxxxxxx>

[ Upstream commit a2113cc44d4387a7c3ef3a9082d273524f9230ac ]

Consider the following flow:
1. Driver starts to sync the rx queues due to a delba.
mvm->queue_sync_cookie=1.
This rx-queues-sync is synchronous, so it doesn't increment the
cookie until all rx queues handle the notification from FW.
2. During this time, driver starts to sync rx queues due to nssn sync
required.
The cookie's value is still 1, but it doesn't matter since this
rx-queue-sync is non-synchronous so in the notification handler the
cookie is ignored.
What _does_ matter is that this flow increments the cookie to 2
immediately.
Remember though that the FW won't start servicing this command until
it's done with the previous one.
3. FW is still handling the first command, so it sends a notification
with internal_notif->sync=1, and internal_notif->cookie=0, which
triggers a WARN_ONCE.

The solution for this race is to only use the mvm->queue_sync_cookie in
case of a synchronous sync-rx-queues. This way in step 2 the cookie's
value won't change so we avoid the WARN.

The commit in the "fixes" field is the first commit to introduce
non-synchronous sending of this command to FW.

Fixes: 3c514bf831ac ("iwlwifi: mvm: add a loose synchronization of the NSSN across Rx queues")
Signed-off-by: Naftali Goldstein <naftali.goldstein@xxxxxxxxx>
Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index a7bc00d1296fe..24a6beaacb156 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -5080,11 +5080,11 @@ void iwl_mvm_sync_rx_queues_internal(struct iwl_mvm *mvm,
if (!iwl_mvm_has_new_rx_api(mvm))
return;

- notif->cookie = mvm->queue_sync_cookie;
-
- if (notif->sync)
+ if (notif->sync) {
+ notif->cookie = mvm->queue_sync_cookie;
atomic_set(&mvm->queue_sync_counter,
mvm->trans->num_rx_queues);
+ }

ret = iwl_mvm_notify_rx_queue(mvm, qmask, (u8 *)notif,
size, !notif->sync);
@@ -5104,7 +5104,8 @@ void iwl_mvm_sync_rx_queues_internal(struct iwl_mvm *mvm,

out:
atomic_set(&mvm->queue_sync_counter, 0);
- mvm->queue_sync_cookie++;
+ if (notif->sync)
+ mvm->queue_sync_cookie++;
}

static void iwl_mvm_sync_rx_queues(struct ieee80211_hw *hw)
--
2.20.1

Next message: Sasha Levin: "[PATCH AUTOSEL 5.3 36/99] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable"
Previous message: Sasha Levin: "[PATCH AUTOSEL 5.3 34/99] ip6erspan: remove the incorrect mtu limit for ip6erspan"
In reply to: Sasha Levin: "[PATCH AUTOSEL 5.3 34/99] ip6erspan: remove the incorrect mtu limit for ip6erspan"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 5.3 36/99] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]