rt2x00: fix random stalls

Is possible that we stop queue and then do not wake up it again,
especially when packets are transmitted fast. That can be easily
reproduced with modified tx queue entry_num to some small value e.g. 16.

If mac80211 already hold local->queue_stop_reason_lock, then we can wait
on that lock in both rt2x00queue_pause_queue() and
rt2x00queue_unpause_queue(). After drooping ->queue_stop_reason_lock
is possible that __ieee80211_wake_queue() will be performed before
__ieee80211_stop_queue(), hence we stop queue and newer wake up it
again.

Another race condition is possible when between rt2x00queue_threshold()
check and rt2x00queue_pause_queue() we will process all pending tx
buffers on different cpu. This might happen if for example interrupt
will be triggered on cpu performing rt2x00mac_tx().

To prevent race conditions serialize pause/unpause by queue->tx_lock.

Cc: [email protected]
Signed-off-by: Stanislaw Gruszka <[email protected]>
Acked-by: Gertjan van Wingerde <[email protected]>
Signed-off-by: John W. Linville <[email protected]>

diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index d2a1ea98d0f23a144653ed7fceefeb62a2191e75..fd356b7c0476effaa6ae99dce025e9b7178e6225 100644 (file)
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -426,10 +426,14 @@ void rt2x00lib_txdone(struct queue_entry *entry,
        /*
         * If the data queue was below the threshold before the txdone
         * handler we must make sure the packet queue in the mac80211 stack
-        * is reenabled when the txdone handler has finished.
+        * is reenabled when the txdone handler has finished. This has to be
+        * serialized with rt2x00mac_tx(), otherwise we can wake up queue
+        * before it was stopped.
         */
+       spin_lock_bh(&entry->queue->tx_lock);
        if (!rt2x00queue_threshold(entry->queue))
                rt2x00queue_unpause_queue(entry->queue);
+       spin_unlock_bh(&entry->queue->tx_lock);
 }
 EXPORT_SYMBOL_GPL(rt2x00lib_txdone);
 

diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
index ede3c58e67836e1800662b2c5399e82e85b59442..2df2eb6d3e06bf892d7a52eb9cbd1dd13f5e7c95 100644 (file)
--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
@@ -152,13 +152,22 @@ void rt2x00mac_tx(struct ieee80211_hw *hw, struct sk_buff *skb)
        if (unlikely(rt2x00queue_write_tx_frame(queue, skb, false)))
                goto exit_fail;
 
+       /*
+        * Pausing queue has to be serialized with rt2x00lib_txdone(). Note
+        * we should not use spin_lock_bh variant as bottom halve was already
+        * disabled before ieee80211_xmit() call.
+        */
+       spin_lock(&queue->tx_lock);
        if (rt2x00queue_threshold(queue))
                rt2x00queue_pause_queue(queue);
+       spin_unlock(&queue->tx_lock);
 
        return;
 
  exit_fail:
+       spin_lock(&queue->tx_lock);
        rt2x00queue_pause_queue(queue);
+       spin_unlock(&queue->tx_lock);
  exit_free_skb:
        ieee80211_free_txskb(hw, skb);
 }

diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index 5adfb3eab9cda4c07465fa4ec3ad404e2baba212..9b1b2b7a7807226717a6a1b463cdf9fdc7a70f2e 100644 (file)
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -619,6 +619,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb,
        else if (test_bit(REQUIRE_DMA, &queue->rt2x00dev->cap_flags))
                rt2x00queue_align_frame(skb);
 
+       /*
+        * That function must be called with bh disabled.
+        */
        spin_lock(&queue->tx_lock);
 
        if (unlikely(rt2x00queue_full(queue))) {