lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 22 Sep 2021 14:08:39 +0200
From:   Jonas Dreßler <verdre@...d.nl>
To:     Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc:     Amitkumar Karwar <amitkarwar@...il.com>,
        Ganapathi Bhat <ganapathi017@...il.com>,
        Xinming Hu <huxinming820@...il.com>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Tsuchiya Yuto <kitakar@...il.com>,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org,
        Maximilian Luz <luzmaximilian@...il.com>,
        Bjorn Helgaas <bhelgaas@...gle.com>,
        Pali Rohár <pali@...nel.org>,
        Heiner Kallweit <hkallweit1@...il.com>,
        Johannes Berg <johannes@...solutions.net>,
        Brian Norris <briannorris@...omium.org>, stable@...r.kernel.org
Subject: Re: [PATCH v2 1/2] mwifiex: Use non-posted PCI write when setting TX
 ring write pointer

On 9/22/21 1:17 PM, Andy Shevchenko wrote:
> On Tue, Sep 14, 2021 at 01:48:12PM +0200, Jonas Dreßler wrote:
>> On the 88W8897 card it's very important the TX ring write pointer is
>> updated correctly to its new value before setting the TX ready
>> interrupt, otherwise the firmware appears to crash (probably because
>> it's trying to DMA-read from the wrong place). The issue is present in
>> the latest firmware version 15.68.19.p21 of the pcie+usb card.
> 
> Please, be consistent in the commit message(s) and the code (esp. if the term
> comes from a specification).
> 
> Here, PCIe (same in the code, at least that I have noticed, but should be done
> everywhere).
> 
>> Since PCI uses "posted writes" when writing to a register, it's not
>> guaranteed that a write will happen immediately. That means the pointer
>> might be outdated when setting the TX ready interrupt, leading to
>> firmware crashes especially when ASPM L1 and L1 substates are enabled
>> (because of the higher link latency, the write will probably take
>> longer).
>>
>> So fix those firmware crashes by always using a non-posted write for
>> this specific register write. We do that by simply reading back the
>> register after writing it, just as a few other PCI drivers do.
>>
>> This fixes a bug where during rx/tx traffic and with ASPM L1 substates
> 
> Ditto. TX/RX.
> 
>> enabled (the enabled substates are platform dependent), the firmware
>> crashes and eventually a command timeout appears in the logs.
> 
> Should it have a Fixes tag?
> 

Don't think so, there's the infamous 
(https://bugzilla.kernel.org/show_bug.cgi?id=109681) Bugzilla bug it 
fixes though, I'll mention that in v3.

>> Cc: stable@...r.kernel.org
>> Signed-off-by: Jonas Dreßler <verdre@...d.nl>
> 
> ...
> 
>> -		/* Write the TX ring write pointer in to reg->tx_wrptr */
>> -		if (mwifiex_write_reg(adapter, reg->tx_wrptr,
>> -				      card->txbd_wrptr | rx_val)) {
>> +		/* Write the TX ring write pointer in to reg->tx_wrptr.
>> +		 * The firmware (latest version 15.68.19.p21) of the 88W8897
>> +		 * pcie+usb card seems to crash when getting the TX ready
>> +		 * interrupt but the TX ring write pointer points to an outdated
>> +		 * address, so it's important we do a non-posted write here to
>> +		 * force the completion of the write.
>> +		 */
>> +		if (mwifiex_write_reg_np(adapter, reg->tx_wrptr,
>> +				        card->txbd_wrptr | rx_val)) {
> 
>>   			mwifiex_dbg(adapter, ERROR,
>>   				    "SEND DATA: failed to write reg->tx_wrptr\n");
>>   			ret = -1;
> 
> I'm not sure how this is not a dead code.
> 
> On top of that, I would rather to call old function and explicitly put the
> dummy read after it
> 
> 		/* Write the TX ring write pointer in to reg->tx_wrptr */
> 		if (mwifiex_write_reg(adapter, reg->tx_wrptr,
> 				      card->txbd_wrptr | rx_val)) {
> 			...eliminate dead code in the following patch(es)...
> 		}
> 
> +		/* The firmware (latest version 15.68.19.p21) of the 88W8897
> +		 * pcie+usb card seems to crash when getting the TX ready
> +		 * interrupt but the TX ring write pointer points to an outdated
> +		 * address, so it's important we do a non-posted write here to
> +		 * force the completion of the write.
> +		 */
> 		mwifiex_read_reg(...);
> 
> Now, since I found the dummy read function to be present, perhaps you need to
> dive more into the code and understand why it exists.
> 

Interesting, I haven't noticed that mwifiex_write_reg() always returns 
0. So are you suggesting to remove that return value and get rid of all 
the "if (mwifiex_write_reg()) {}" checks in a separate commit?

As for why the dummy read/write functions exist, I have no idea. Looking 
at git history it seems they were always there (only change is that 
mwifiex_read_reg() started to handle read errors with commit 
af05148392f50490c662dccee6c502d9fcba33e2). My bet would be that they 
were created to be consistent with sdio.c which is the oldest supported 
bus type in mwifiex.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ