From patchwork Wed Oct 3 08:17:11 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stanislaw Gruszka X-Patchwork-Id: 10624415 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B42FE175A for ; Wed, 3 Oct 2018 08:17:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9E7DF286C0 for ; Wed, 3 Oct 2018 08:17:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 928E2286C8; Wed, 3 Oct 2018 08:17:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3CF70286C0 for ; Wed, 3 Oct 2018 08:17:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727409AbeJCPEf (ORCPT ); Wed, 3 Oct 2018 11:04:35 -0400 Received: from mx1.redhat.com ([209.132.183.28]:33930 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727001AbeJCPEe (ORCPT ); Wed, 3 Oct 2018 11:04:34 -0400 Received: from smtp.corp.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AA2A6C003EBC; Wed, 3 Oct 2018 08:17:15 +0000 (UTC) Received: from localhost (ovpn-204-105.brq.redhat.com [10.40.204.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id B14A09D7E4; Wed, 3 Oct 2018 08:17:12 +0000 (UTC) From: Stanislaw Gruszka To: Felix Fietkau Cc: Lorenzo Bianconi , linux-wireless@vger.kernel.org Subject: [PATCH] mt76: fix frag length allocation for usb Date: Wed, 3 Oct 2018 10:17:11 +0200 Message-Id: <1538554631-5168-1-git-send-email-sgruszka@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Wed, 03 Oct 2018 08:17:15 +0000 (UTC) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This is correct fix for c12128ce44b0 ("mt76: use a per rx queue page fragment cache"). We use wrong length when we allocate segments for MCU transmissions, which require bigger segment size than e->buf_size. Commit 481bb0432414 ("mt76: usb: make rx page_frag_cache access atomic") partially solved the problem or actually mask it by changing mt76u_mcu_init_rx() and mt76u_alloc_queues() sequence, so e->buf_size become non zero any longer, but still not big enough to handle MCU data. Patch fixes memory corruption which can manifest itself as random, not easy to reproduce crashes, during mt76 driver load or unload. Fixes: c12128ce44b0 ("mt76: use a per rx queue page fragment cache") Signed-off-by: Stanislaw Gruszka Acked-by: Lorenzo Bianconi --- drivers/net/wireless/mediatek/mt76/usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c index de7785c4f6af..6b643ea701e3 100644 --- a/drivers/net/wireless/mediatek/mt76/usb.c +++ b/drivers/net/wireless/mediatek/mt76/usb.c @@ -286,7 +286,7 @@ mt76u_fill_rx_sg(struct mt76_dev *dev, struct mt76u_buf *buf, void *data; int offset; - data = page_frag_alloc(&q->rx_page, q->buf_size, GFP_ATOMIC); + data = page_frag_alloc(&q->rx_page, len, GFP_ATOMIC); if (!data) break;