Ramon Fried <[email protected]> wrote: > wcn36xx_start_tx function retrieves the buffer descriptor from the > channel control queue to start filling tx buffer information. However, > nothing prevents this same buffer to be concurrently accessed in a > concurent tx call, leading to potential buffer coruption and firmware > crash (observed during iperf test). The channel control queue should > only be accessed and updated with the channel lock. > > Fix this issue by using a local buffer descriptor which will be copied > in the thread-safe wcn36xx_dxe_tx_frame. > > Note that buffer descriptor size is few bytes so the introduced copy > overhead is insignificant. Moreover, this allows to keep the locked > section minimal. > > Signed-off-by: Loic Poulain <[email protected]> > Signed-off-by: Ramon Fried <[email protected]> > Signed-off-by: Kalle Valo <[email protected]>
Patch applied to ath-next branch of ath.git, thanks. e5f9908155c9 wcn36xx: Fix firmware crash due to corrupted buffer address -- https://patchwork.kernel.org/patch/10284261/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
