rpms/kernel/F-11 linux-2.6-iwlwifi_-fix-TX-queue-race.patch, NONE, 1.1 kernel.spec, 1.1700, 1.1701
John W. Linville
linville at fedoraproject.org
Wed Aug 12 15:26:51 UTC 2009
Author: linville
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13433
Modified Files:
kernel.spec
Added Files:
linux-2.6-iwlwifi_-fix-TX-queue-race.patch
Log Message:
iwlwifi: fix TX queue race
linux-2.6-iwlwifi_-fix-TX-queue-race.patch:
iwl-tx.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE linux-2.6-iwlwifi_-fix-TX-queue-race.patch ---
commit 3995bd9332a51b626237d6671cfeb7235e6c1305
Author: Johannes Berg <johannes at sipsolutions.net>
Date: Fri Jul 24 11:13:14 2009 -0700
iwlwifi: fix TX queue race
I had a problem on 4965 hardware (well, probably other hardware too,
but others don't survive my stress testing right now, unfortunately)
where the driver was sending invalid commands to the device, but no
such thing could be seen from the driver's point of view. I could
reproduce this fairly easily by sending multiple TCP streams with
iperf on different TIDs, though sometimes a single iperf stream was
sufficient. It even happened with a single core, but I have forced
preemption turned on.
The culprit was a queue overrun, where we advanced the queue's write
pointer over the read pointer. After careful analysis I've come to
the conclusion that the cause is a race condition between iwlwifi
and mac80211.
mac80211, of course, checks whether the queue is stopped, before
transmitting a frame. This effectively looks like this:
lock(queues)
if (stopped(queue)) {
unlock(queues)
return busy;
}
unlock(queues)
... <-- this place will be important
there is some more code here
drv_tx(frame)
The driver, on the other hand, can stop and start queues, which does
lock(queues)
mark_running/stopped(queue)
unlock(queues)
[if marked running: wake up tasklet to send pending frames]
Now, however, once the driver starts the queue, mac80211 can see that
and end up at the marked place above, at which point for some reason the
driver seems to stop the queue again (I don't understand that) and then
we end up transmitting while the queue is actually full.
Now, this shouldn't actually matter much, but for some reason I've seen
it happen multiple times in a row and the queue actually overflows, at
which point the queue bites itself in the tail and things go completely
wrong.
This patch fixes this by just dropping the packet should this have
happened, and making the lock in iwlwifi cover everything so iwlwifi
can't race against itself (dropping the lock there might make it more
likely, but it did seem to happen without that too).
Since we can't hold the lock across drv_tx() above, I see no way to fix
this in mac80211, but I also don't understand why I haven't seen this
before -- maybe I just never stress tested it this badly.
With this patch, the device has survived many minutes of simultanously
sending two iperf streams on different TIDs with combined throughput
of about 60 Mbps.
Signed-off-by: Johannes Berg <johannes at sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre at intel.com>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c
index 9bbeec9..5febb31 100644
--- a/drivers/net/wireless/iwlwifi/iwl-tx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-tx.c
@@ -720,8 +720,6 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
goto drop_unlock;
}
- spin_unlock_irqrestore(&priv->lock, flags);
-
hdr_len = ieee80211_hdrlen(fc);
/* Find (or create) index into station table for destination station */
@@ -729,7 +727,7 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
if (sta_id == IWL_INVALID_STATION) {
IWL_DEBUG_DROP(priv, "Dropping - INVALID STATION: %pM\n",
hdr->addr1);
- goto drop;
+ goto drop_unlock;
}
IWL_DEBUG_TX(priv, "station Id %d\n", sta_id);
@@ -750,14 +748,17 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
txq_id = priv->stations[sta_id].tid[tid].agg.txq_id;
swq_id = iwl_virtual_agg_queue_num(swq_id, txq_id);
}
- priv->stations[sta_id].tid[tid].tfds_in_queue++;
}
txq = &priv->txq[txq_id];
q = &txq->q;
txq->swq_id = swq_id;
- spin_lock_irqsave(&priv->lock, flags);
+ if (unlikely(iwl_queue_space(q) < q->high_mark))
+ goto drop_unlock;
+
+ if (ieee80211_is_data_qos(fc))
+ priv->stations[sta_id].tid[tid].tfds_in_queue++;
/* Set up driver data for this TFD */
memset(&(txq->txb[q->write_ptr]), 0, sizeof(struct iwl_tx_info));
@@ -902,7 +903,6 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb)
drop_unlock:
spin_unlock_irqrestore(&priv->lock, flags);
-drop:
return -1;
}
EXPORT_SYMBOL(iwl_tx_skb);
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1700
retrieving revision 1.1701
diff -u -p -r1.1700 -r1.1701
--- kernel.spec 10 Aug 2009 20:49:41 -0000 1.1700
+++ kernel.spec 12 Aug 2009 15:26:50 -0000 1.1701
@@ -642,6 +642,7 @@ Patch670: linux-2.6-ata-quirk.patch
Patch680: linux-2.6-rt2x00-asus-leds.patch
Patch681: linux-2.6-mac80211-age-scan-results-on-resume.patch
+Patch682: linux-2.6-iwlwifi_-fix-TX-queue-race.patch
Patch800: linux-2.6-crash-driver.patch
@@ -1251,6 +1252,9 @@ ApplyPatch linux-2.6-ata-quirk.patch
# back-port scan result aging patches
#ApplyPatch linux-2.6-mac80211-age-scan-results-on-resume.patch
+# iwlwifi: fix TX queue race
+ApplyPatch linux-2.6-iwlwifi_-fix-TX-queue-race.patch
+
# /dev/crash driver.
ApplyPatch linux-2.6-crash-driver.patch
@@ -1875,6 +1879,9 @@ fi
# and build.
%changelog
+* Wed Aug 12 2009 John W. Linville <linville at redhat.com>
+- iwlwifi: fix TX queue race
+
* Mon Aug 10 2009 Kyle McMartin <kyle at redhat.com>
- Patch sync-up with F-11-2.6.29.y:
- linux-2.6-x86-delay-tsc-barrier.patch
More information about the fedora-extras-commits
mailing list