Re: [PATCH] wifi: mt76: Stop unmapping all buffers when WED not present

From: Lorenzo Bianconi
Date: Thu Jan 12 2023 - 13:02:53 EST

> Before the introduction of WED RX support, this driver was resetting
> buf0 and the TXWI pointer only on the head of the passed queue but
> now it's doing that on all buffers: while this is fine on systems
> that are not relying on IOMMU, such as the MT8192 Asurada Spherion
> Chromebook (MT7921E), it causes a crash on others using IOMMUs, such
> as the MT8195 Cherry Tomato Chromebook (MT7921E again!).
>
> Reverting to the described behavior solves the following kernel panic:
>
> [ 20.357772] Unable to handle kernel paging request at virtual address ffff170fc0000000
> [ 20.365943] Mem abort info:
> [ 20.368989] ESR = 0x0000000096000145
> [ 20.372988] EC = 0x25: DABT (current EL), IL = 32 bits
> [ 20.378551] SET = 0, FnV = 0
> [ 20.381857] EA = 0, S1PTW = 0
> [ 20.385248] FSC = 0x05: level 1 translation fault
> [ 20.390376] Data abort info:
> [ 20.393507] ISV = 0, ISS = 0x00000145
> [ 20.397593] CM = 1, WnR = 1
> [ 20.400811] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041fb3000
> [ 20.407763] [ffff170fc0000000] pgd=180000023fff7003, p4d=180000023fff7003, pud=0000000000000000
> [ 20.416714] Internal error: Oops: 0000000096000145 [#1] SMP
> [ 20.422535] Modules linked in: af_alg qrtr mt7921e mt7921_common mt76_connac_lib mt76 mac80211 btusb btrtl btintel btmtk btbcm 8021q cfg80211 bluetooth uvcvideo garp mrp snd_sof_ipc_msg_injector snd_sof_ipc_flood_test stp snd_sof_mt8195 videobuf2_vmalloc llc panfrost cros_ec_sensors cros_ec_lid_angle crct10dif_ce mtk_adsp_common ecdh_generic cros_ec_sensors_core ecc snd_sof_xtensa_dsp gpu_sched rfkill snd_sof_of sbs_battery hid_multitouch cros_usbpd_logger snd_sof snd_sof_utils fuse ipv6
> [ 20.465969] CPU: 6 PID: 9 Comm: kworker/u16:0 Tainted: G W 6.2.0-rc3-next-20230111+ #237
> [ 20.475695] Hardware name: Acer Tomato (rev2) board (DT)
> [ 20.481254] Workqueue: phy0 ieee80211_iface_work [mac80211]
> [ 20.487119] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> [ 20.494328] pc : dcache_clean_poc+0x20/0x38
> [ 20.498764] lr : arch_sync_dma_for_device+0x2c/0x40
> [ 20.503893] sp : ffff8000080cb430
> [ 20.507457] x29: ffff8000080cb430 x28: 0000000000000000 x27: ffff1710c740e0d0
> [ 20.514842] x26: ffff1710d8c03b38 x25: ffff1710d75e4fb0 x24: ffff1710c619e280
> [ 20.522225] x23: ffff8000080cb578 x22: 0000000000000001 x21: 0000000000000040
> [ 20.529608] x20: 0000000000000000 x19: ffff1710c740e0d0 x18: 0000000000000030
> [ 20.536991] x17: 000000040044ffff x16: ffffc06d4c37d200 x15: ffffffffffffffff
> [ 20.544373] x14: 0000000000000000 x13: 0000000000007800 x12: 0000000000000000
> [ 20.551755] x11: 0000000000007961 x10: 0000000000007961 x9 : ffffc06d4cbe0ff8
> [ 20.559137] x8 : 0000000000000001 x7 : 0000000000008000 x6 : 0000000000000000
> [ 20.566518] x5 : 000000000000801e x4 : 0000000054765809 x3 : 000000000000003f
> [ 20.573899] x2 : 0000000000000040 x1 : ffff170fc0000040 x0 : ffff170fc0000000
> [ 20.581282] Call trace:
> [ 20.583976] dcache_clean_poc+0x20/0x38
> [ 20.588061] iommu_dma_sync_single_for_device+0xc4/0xdc
> [ 20.593534] dma_sync_single_for_device+0x38/0x120
> [ 20.598574] mt76_dma_tx_queue_skb+0x4f4/0x5b0 [mt76]
> [ 20.603880] __mt76_tx_queue_skb+0x5c/0xe0 [mt76]
> [ 20.608836] mt76_tx+0xbc/0x164 [mt76]
> [ 20.612838] mt7921_tx+0x9c/0x170 [mt7921_common]
> [ 20.617795] ieee80211_tx_frags+0x22c/0x2a0 [mac80211]
> [ 20.623215] __ieee80211_tx+0x90/0x1c0 [mac80211]
> [ 20.628195] ieee80211_tx+0x114/0x160 [mac80211]
> [ 20.633088] ieee80211_xmit+0xa0/0xd4 [mac80211]
> [ 20.637980] __ieee80211_tx_skb_tid_band+0xa8/0x2e0 [mac80211]
> [ 20.644087] ieee80211_tx_skb_tid+0xac/0x270 [mac80211]
> [ 20.649585] ieee80211_send_auth+0x1ac/0x250 [mac80211]
> [ 20.655080] ieee80211_auth+0x16c/0x2dc [mac80211]
> [ 20.660145] ieee80211_sta_work+0x3a0/0xab4 [mac80211]
> [ 20.665557] ieee80211_iface_work+0x394/0x400 [mac80211]
> [ 20.671144] process_one_work+0x294/0x674
> [ 20.675406] worker_thread+0x7c/0x45c
> [ 20.679316] kthread+0x104/0x110
> [ 20.682793] ret_from_fork+0x10/0x20
> [ 20.686621] Code: d2800082 9ac32042 d1000443 8a230000 (d50b7a20)
> [ 20.692962] ---[ end trace 0000000000000000 ]---
>
> Fixes: cd372b8c99c5 ("wifi: mt76: add WED RX support to mt76_dma_{add,get}_buf")
> Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@xxxxxxxxxxxxx>
> ---
> drivers/net/wireless/mediatek/mt76/dma.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
> index 420302ff0328..a0fe3ab0126d 100644
> --- a/drivers/net/wireless/mediatek/mt76/dma.c
> +++ b/drivers/net/wireless/mediatek/mt76/dma.c
> @@ -215,6 +215,12 @@ mt76_dma_add_buf(struct mt76_dev *dev, struct mt76_queue *q,
> u32 ctrl;
> int i, idx = -1;
>
> + if (txwi && !(q->flags & MT_QFLAG_WED) &&
> + !FIELD_GET(MT_QFLAG_WED_TYPE, q->flags)) {
> + q->entry[q->head].txwi = DMA_DUMMY_DATA;
> + q->entry[q->head].skip_buf0 = true;
> + }
> +
> for (i = 0; i < nbufs; i += 2, buf += 2) {
> u32 buf0 = buf[0].addr, buf1 = 0;
>
> @@ -238,11 +244,6 @@ mt76_dma_add_buf(struct mt76_dev *dev, struct mt76_queue *q,
> ctrl = FIELD_PREP(MT_DMA_CTL_SD_LEN0, buf[0].len) |
> MT_DMA_CTL_TO_HOST;
> } else {
> - if (txwi) {
> - q->entry[q->head].txwi = DMA_DUMMY_DATA;
> - q->entry[q->head].skip_buf0 = true;
> - }
> -
> if (buf[0].skip_unmap)
> entry->skip_buf0 = true;
> entry->skip_buf1 = i == nbufs - 1;
> --
> 2.39.0
>

I think this issue has been already fixed by Felix here:
https://lore.kernel.org/linux-wireless/a30d8580-936a-79e4-c1c7-70f3d3b8da35@xxxxxxxx/

Regards,
Lorenzo

Attachment: signature.asc
Description: PGP signature