marfrit/besser
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fd0f5a8b71b9add312f9ca2fc775bf41018cf2c2
besser/danctnix-besser-pkgbuild/kernel/0019-bes2600-take-pending_record_lock-with-_bh-to-fix-SOF.patch
T
claude-noether fd0f5a8b71 danctnix-besser: replace cumulative patch with per-series (pkgrel=4) 
Replace the single squashed 0001-bes2600-besser-cumulative-series.patch
with 20 individual per-commit patches matching the bes2600/besser-danctnix-v3
branch in marfrit/bes2600-dkms.  Also remove the duplicate 0003-arm64 entry
that was a bug in pkgrel=3.

Patch list:
  0001 c5.1   defer scan and soften WARN on firmware reject
  0002 c5.1.1 widen scan-defer backoff to 30s and decay reject_count
  0003 c5.2   recover wedged firmware via mmc_hw_reset on link break
  0004 c6.1   gate PM indication completion on pending request
  0005 c6.2   short-circuit wake handshake when chip confirmed ACTIVE
  0006 c7     self-detect when firmware does not honor PSM and skip
  0007 c5.2.1 handle multi-function SDIO cards in mmc_hw_reset
  0008 Patch A pre-empt AP-deauth-6 with reassoc on decrypt-fail storm
  0009 Patch B bus_reset on connection-loss storm
  0010 Patch F3 atomicize atomic_add() calls
  0011 Patch F2 fix missing destroy_workqueue() on error in init_common
  0012 Patch F1 fix concurrency UAF in bes2600_hw_scan / sched_scan
  0013 Patch C v3 drop sdio_rx_work relay, IRQ→bh-direct
  0014 Patch G restore SPDX identifiers + ST-Ericsson attribution
  0015 Patch D atomicize ba_lock counters, drop the spinlock
  0016 Patch E skip ps_state_lock when PSM-known-disabled
  0017 Patch C2 replace ieee80211_rx_irqsafe with ieee80211_rx_ni
  0018 Patch H bh.c hygiene cleanup (drop fossil blocks, dead stubs)
  0019 besser#18 pending_record_lock SOFTIRQ-safe fix
  0020 danctnix-flavor: export bus_reset helpers for bes2600_btuart

Build pending (pkgrel=4 makepkg in progress on boltzmann).

Signed-off-by: Claude (noether) <claude@reauktion.de>
2026-05-20 20:37:30 +02:00

122 lines
5.2 KiB
Diff
Raw Blame History

From f469448c605e41bb90440c6d48047830c6febe33 Mon Sep 17 00:00:00 2001
From: Markus Fritsche <fritsche.markus@gmail.com>
Date: Mon, 18 May 2026 16:58:49 +0200
Subject: [PATCH 19/20] =?UTF-8?q?bes2600:=20take=20pending=5Frecord=5Flock?=
=?UTF-8?q?=20with=20=5Fbh()=20to=20fix=20SOFTIRQ-safe=20=E2=86=92=20-unsa?=
=?UTF-8?q?fe=20inversion=20(besser#18)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PROVE_LOCKING reports:
WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
kworker/u16:1 is trying to acquire:
&hw_priv->tx_loop.pending_record_lock at bes2600_queue_clear+0x80
and this task is already holding:
&queue->lock at bes2600_queue_clear+0x60
which would create a new lock dependency:
(&queue->lock){+.-.} -> (&hw_priv->tx_loop.pending_record_lock){+.+.}
but this new dependency connects a SOFTIRQ-irq-safe lock:
(&queue->lock){+.-.}
... which became SOFTIRQ-irq-safe at:
bes2600_tx -> ieee80211_handle_wake_tx_queue -> tasklet_action
to a SOFTIRQ-irq-unsafe lock:
(&hw_priv->tx_loop.pending_record_lock){+.+.}
... which became SOFTIRQ-irq-unsafe at:
bes2600_queue_get_skb -> bes2600_join_work -> process_one_work
queue->lock is taken consistently with spin_lock_bh() at 22 sites;
the nested acquisition of pending_record_lock at queue.c:289 (inside
the outer queue->lock_bh held at line 285) had it implicitly BH-safe
via the outer scope. But pending_record_lock is ALSO taken from
non-BH-disabled contexts:
bes2600_queue_get_skb (queue.c:832) — process context via
bes2600_join_work (workqueue), no outer queue->lock held
bes2600_tx_loop_item_pending_check (tx_loop.c:112)
— TX-loop context, no outer
queue->lock held
When CPU0 holds pending_record_lock from one of those non-BH paths
and a softirq fires that wants queue->lock, and CPU1 in softirq has
queue->lock and is about to acquire pending_record_lock — classic AB-BA
SOFTIRQ deadlock.
The fix is the conservative one: take pending_record_lock with _bh()
at every site that's not already inside a queue->lock_bh-held scope.
That makes the lock consistently SOFTIRQ-safe, eliminating the
inversion. queue.c:289/295 stays as plain spin_lock because BH is
already disabled by the outer queue->lock_bh acquired at queue.c:285.
Five sites converted:
bes2600/queue.c:832 -- spin_lock -> spin_lock_bh
bes2600/queue.c:839 -- spin_unlock -> spin_unlock_bh
bes2600/queue.c:844 -- spin_unlock -> spin_unlock_bh
bes2600/tx_loop.c:112 -- spin_lock -> spin_lock_bh
bes2600/tx_loop.c:114 -- spin_unlock -> spin_unlock_bh
Contract:
- Documentation/locking/locktypes.rst spelling: spin_lock_bh() is
the canonical way to make a non-IRQ spinlock safe against
softirq preemption that might re-enter the same lock.
- Same shape as queue->lock in this driver and as is_drv->lock
in the cw1200 ancestor.
Closes: besser#18
Fixes: <bes2600 base import>
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
---
bes2600/queue.c | 6 +++---
bes2600/tx_loop.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/bes2600/queue.c b/drivers/staging/bes2600/queue.c
index b56ca43..1e8390f 100644
--- a/drivers/staging/bes2600/queue.c
+++ b/drivers/staging/bes2600/queue.c
@@ -827,19 +827,19 @@ int bes2600_queue_get_skb(struct bes2600_queue *queue, u32 packetID,
bes2600_queue_parse_id(packetID, &queue_generation, &queue_id,
&item_generation, &item_id, &if_id, &link_id);
- spin_lock(&queue->stats->hw_priv->tx_loop.pending_record_lock);
+ spin_lock_bh(&queue->stats->hw_priv->tx_loop.pending_record_lock);
if (!list_empty(&queue->stats->hw_priv->tx_loop.pending_record_list)) {
list_for_each_entry_safe(record_item, temp_record_item, &queue->stats->hw_priv->tx_loop.pending_record_list, head) {
if (record_item->packetID == packetID) {
list_del(&record_item->head);
dev_kfree_skb(record_item->skb);
kfree(record_item);
- spin_unlock(&queue->stats->hw_priv->tx_loop.pending_record_lock);
+ spin_unlock_bh(&queue->stats->hw_priv->tx_loop.pending_record_lock);
return -EINVAL;
}
}
}
- spin_unlock(&queue->stats->hw_priv->tx_loop.pending_record_lock);
+ spin_unlock_bh(&queue->stats->hw_priv->tx_loop.pending_record_lock);
item = &queue->pool[item_id];
diff --git a/drivers/staging/bes2600/tx_loop.c b/drivers/staging/bes2600/tx_loop.c
index e6cf072..0cf7ce1 100644
--- a/drivers/staging/bes2600/tx_loop.c
+++ b/drivers/staging/bes2600/tx_loop.c
@@ -109,9 +109,9 @@ void bes2600_tx_loop_set_enable(struct bes2600_common *hw_priv, bool need_warn)
bes2600_queue_iterate_pending_packet(&hw_priv->tx_queue[i],
bes2600_tx_loop_item_pending_item);
}
- spin_lock(&hw_priv->tx_loop.pending_record_lock);
+ spin_lock_bh(&hw_priv->tx_loop.pending_record_lock);
bes2600_queue_iterate_record_pending_packet(hw_priv, bes2600_tx_loop_item_pending_item);
- spin_unlock(&hw_priv->tx_loop.pending_record_lock);
+ spin_unlock_bh(&hw_priv->tx_loop.pending_record_lock);
if (atomic_read(&hw_priv->bh_rx) > 0)
wake_up(&hw_priv->bh_wq);
--
2.54.0
Reference in New Issue View Git Blame Copy Permalink