Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1718056pxb; Fri, 20 Nov 2020 17:45:28 -0800 (PST) X-Google-Smtp-Source: ABdhPJyb//tAOdNqPMTSt8CRpmJlG2EYjE3oLLZZXJ2S7UPM+VubdWAG0Ys1ZHes8S4SS5QXu01a X-Received: by 2002:a05:6402:154b:: with SMTP id p11mr38675072edx.217.1605923127860; Fri, 20 Nov 2020 17:45:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605923127; cv=none; d=google.com; s=arc-20160816; b=xLfI5QUamYUPNeFQNhvZFT0dw1oOH0PPn3rhxAnJXxLAlxyp+I4cbp/LC/eq+CU4Rs UtUkAmPwqoADO83CDT+Uu03TSkrmZXlUPrYKop2613Ul8WufakvgbqvdSvVlWHe6YTm3 hK1oHVS8ma7aIpZOpoNanANsuRaarlOf2cu48IVOliT/daiXZFB97rUyzL0K8kWbgmrf rnXYR8f5hi/ag43l88DPxoLiVDlGNy4rIaNnmYgLQ3XLIDcntExoNcSbt2deZDnKY0zz ATO87C6LI2WtKJh6kwG0176YCZ3gkYW3DqT9LHgeVx51GEjVISmr58ynTMIaghoWKc/m cbPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=vtxx31dFzQGQacf5dTvnj71JjDjHnsR2VLin6Yo8L9U=; b=mGWb8siRVm5odxfySKgahGxrKCG4eZc83sprR35TQ+xQy4hb1p4+VqXYLvquxsR9Hf uPGzq1s9BQfpXn3QWNg9q4qsZqGCJRZJ89S8HpdecUhiPXpX4dwxy8XsQ45SBMSv8U3f hlt0HEQh/96R2URM+7Jd3nCq6OkWbESN2TwnJZ9pvhaY3n+VteX7/s3wfJw0qvHFx2C0 E1IP4vbSUXU/FW0GViqF3zmm0SATuoF/XOWA3LfMRvqdn3692BZTbCLxipU+NywzizRh FleZEbo8ndN3wpA7m2K+LEHpOnVWsMXvOFEghP1A8YTkellalwfhbebZhz4wl6icER2Y sBjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CEJuvVvR; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id mf24si1017088ejb.450.2020.11.20.17.44.47; Fri, 20 Nov 2020 17:45:27 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CEJuvVvR; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725831AbgKUBnt (ORCPT + 99 others); Fri, 20 Nov 2020 20:43:49 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52218 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725796AbgKUBns (ORCPT ); Fri, 20 Nov 2020 20:43:48 -0500 Received: from mail-ot1-x341.google.com (mail-ot1-x341.google.com [IPv6:2607:f8b0:4864:20::341]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8611C0613CF for ; Fri, 20 Nov 2020 17:43:48 -0800 (PST) Received: by mail-ot1-x341.google.com with SMTP id 92so7511830otd.5 for ; Fri, 20 Nov 2020 17:43:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtxx31dFzQGQacf5dTvnj71JjDjHnsR2VLin6Yo8L9U=; b=CEJuvVvRB4YSJKMk+QIXF3OW3AZ03qI6Ht7lGJA/2YEGpQWEMs+p0Y9DUVQmI0sEgk 3CWhUzhtCtQBGGrAnABUuscWi7qY1XSXGkA8kqvNdSFyR/FwGm0hmApz68tzP4/ZeHaz C9BKyA8kwWvwXaVN/D7erKCah0RZFemfOOXxs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtxx31dFzQGQacf5dTvnj71JjDjHnsR2VLin6Yo8L9U=; b=OOXzbnCH8vHy81jYwUCnUvSoQwMnpc+Q+IK4wuUsyfCCHJMTV/u0SY16Iak29D5cMR ODJS34DH7mkHLAEb7kpPesTEJmYH12XgmH5ThGBe0/RVxSoLli+WZNe3+MWTQVWTPh9o cmynuJDIwv6FGYY3AjCLgeqHBwpA6QgWBncHP1p+VbEyi7jXvxXOEyiQj5beXx0/oKVB 6isqRUFDp1yNWtH5XKYkm0bQavk1qGOPLLBiItezAizcqzTw7BLc9QgAtSjYPdZgg+6l V6hcPGD5BPQ/tDEYhCOWTAf/5CUZlfAwTujDncYWbEt3j4ETv7wuLEeHzt9cd31u5ryU Kk/A== X-Gm-Message-State: AOAM530kTO5aoAnBmsbcnpC78tOyYHjh1128fv8NmJLtJkb4zNxfNYvF g3cFadjumBs35LPgzFHuyYel6xdZK3Y1eQ== X-Received: by 2002:a9d:7d14:: with SMTP id v20mr15061714otn.106.1605923027778; Fri, 20 Nov 2020 17:43:47 -0800 (PST) Received: from mail-oi1-f169.google.com (mail-oi1-f169.google.com. [209.85.167.169]) by smtp.gmail.com with ESMTPSA id k1sm2211129otn.25.2020.11.20.17.43.46 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 20 Nov 2020 17:43:46 -0800 (PST) Received: by mail-oi1-f169.google.com with SMTP id f11so12683535oij.6 for ; Fri, 20 Nov 2020 17:43:46 -0800 (PST) X-Received: by 2002:aca:1c17:: with SMTP id c23mr8463977oic.117.1605923025590; Fri, 20 Nov 2020 17:43:45 -0800 (PST) MIME-Version: 1.0 References: <20200625201857.almm27xgzburyxxu@wololo.home.arpa> <3d8546b66a4f2027a7fab1de291ec40f@adapt-ip.com> In-Reply-To: From: Brian Norris Date: Fri, 20 Nov 2020 17:43:31 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] rtw88: fix skb_under_panic in tx path To: Yan-Hsuan Chuang , Nick Owens Cc: Thomas Pedersen , "linux-wireless@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org (Swapping out Yen-Hsuan's new email) Necromancing an old thread, since it's still relevant, and I had it sitting in my inbox to deal with. Now I have something useful to say! On Mon, Jun 29, 2020 at 11:50 AM Tony Chuang wrote: > > On 2020-06-25 13:18, Nick Owens wrote: > > > fixes the following panic on my thinkpad A485 > > > > > > Oops#1 Part3 > > > <0>[ 3743.881656] skbuff: skb_under_panic: text:000000005f69fd98 > > > len:208 put:48 head:000000009e2719e8 data:00000000bd3795e0 tail:0xc2 > > > end:0x2c0 dev:wlp2s0 ... > > skb->head and skb->data here are really far (0.5GB) apart. Maybe > > skb->data actually got corrupted earlier? For the record, I've reproduced similar issues myself, and the problem occurs when (a) the initial SKB starts with minimal headroom (I find that many SKBs come into mac80211 with plenty of headroom) (b) the SKB participates in AMSDU aggregation I've spotted a specific bug, which I'll point out below. But I remain confused why in many cases the SKB ends up looking so corrupted. ... > > If it is a headroom issue, you can actually express the needed headroom > > needed by the driver in hw->extra_tx_headroom during init and avoid the > > pskb_expand_head() here. > > Looks like a headroom issue, but the driver already assigned headroom. > max_tx_headroom = rtwdev->chip->tx_pkt_desc_sz; > hw->extra_tx_headroom = max_tx_headroom; > > Then I am not sure why this happens. Nick, can you help to dump_stack() > so we can see where is the skb from? That's not so easy, because of the layers and queueing involved, but per the above, I've blamed mac80211's AMSDU aggregation. Specifically: ieee80211_amsdu_aggregate() -> ieee80211_amsdu_prepare_head(), where we pad out / expand the SKB to fit some additional AMSDU headers (and later append additional data). But the padding function (ieee80211_amsdu_realloc_pad()) accounts only for the 802.11 protocol headroom, and not for the driver-specific headroom. So it chooses not to expand the headroom, and instead eats into rtw88's space. For such SKBs, they end up in the driver without sufficient headroom -- thus, Nick's bug report. NB: the seemingly-obvious fix (changing the headroom checks in ieee80211_amsdu_realloc_pad()) does not seem to work, as I hit other bugs along the way. Unfortunately, I haven't had the time to fix this all myself properly, nor have I convinced Realtek to fix this themselves. So in the meantime, Chrome OS is running with this: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/260a7d4939c323aebe80efc73610682ad2cb187a%5E%21/#F0 It's a similar idea. We should of course fix the mac80211 bug, but I wonder if we also deserve some patch similar to either the Chromium patch or Nick's somewhere (perhaps with a loud warning, etc.), because it's much more user friendly (in the face of similar future bugs) to do some suboptimal memcpy()'s, etc., than to crash their systems Brian