diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2019-11-12 10:32:42 +0100 |
|---|---|---|
| committer | Luca Coelho <luciano.coelho@intel.com> | 2019-12-23 11:17:00 +0200 |
| commit | c4a786b32621850775dedd1a329de0c060f9c904 (patch) | |
| tree | 1e9c293519468abcd88c68312756bbb9efbcabbf /drivers/net/wireless/intel/iwlwifi/pcie/tx.c | |
| parent | 7b02bf6194887eab2f8912f7284a9e407329a255 (diff) | |
iwlwifi: pcie: work around DMA hardware bug
There's a hardware bug in the flow handler (DMA engine), if the
address + len of some TB wraps around a 2^32 boundary, the carry
bit is then carried over into the next TB.
Work around this by copying the data to a new page when we find
this situation, and then copy it in a way that we cannot hit the
very end of the page.
To be able to free the new page again later we need to chain it
to the TSO page, use the last pointer there to make sure we can
never use the page fully for DMA, and thus cannot cause the same
overflow situation on this page.
This leaves a few potential places (where we didn't observe the
problem) unaddressed:
* The second TB could reach or cross the end of a page (and thus
2^32) due to the way we allocate the dev_cmd for the header
* For host commands, a similar thing could happen since they're
just kmalloc().
We'll address these in further commits.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Diffstat (limited to 'drivers/net/wireless/intel/iwlwifi/pcie/tx.c')
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 28 |
1 files changed, 23 insertions, 5 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c index 2d1758031a0a..ba37b780dec4 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c @@ -624,12 +624,18 @@ void iwl_pcie_free_tso_page(struct iwl_trans_pcie *trans_pcie, struct sk_buff *skb) { struct page **page_ptr; + struct page *next; page_ptr = (void *)((u8 *)skb->cb + trans_pcie->page_offs); + next = *page_ptr; + *page_ptr = NULL; - if (*page_ptr) { - __free_page(*page_ptr); - *page_ptr = NULL; + while (next) { + struct page *tmp = next; + + next = *(void **)(page_address(next) + PAGE_SIZE - + sizeof(void *)); + __free_page(tmp); } } @@ -2067,8 +2073,18 @@ struct iwl_tso_hdr_page *get_page_hdr(struct iwl_trans *trans, size_t len, if (!p->page) goto alloc; - /* enough room on this page */ - if (p->pos + len < (u8 *)page_address(p->page) + PAGE_SIZE) + /* + * Check if there's enough room on this page + * + * Note that we put a page chaining pointer *last* in the + * page - we need it somewhere, and if it's there then we + * avoid DMA mapping the last bits of the page which may + * trigger the 32-bit boundary hardware bug. + * + * (see also get_workaround_page() in tx-gen2.c) + */ + if (p->pos + len < (u8 *)page_address(p->page) + PAGE_SIZE - + sizeof(void *)) goto out; /* We don't have enough room on this page, get a new one. */ @@ -2079,6 +2095,8 @@ alloc: if (!p->page) return NULL; p->pos = page_address(p->page); + /* set the chaining pointer to NULL */ + *(void **)(page_address(p->page) + PAGE_SIZE - sizeof(void *)) = NULL; out: *page_ptr = p->page; get_page(p->page); |