| Message ID | 20250526114803.2122-2-johan+linaro@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | wifi: ath11k: fix dest ring-buffer corruption | expand |
On 5/26/2025 7:48 PM, Johan Hovold wrote: > Add the missing memory barriers to make sure that destination ring > descriptors are read after the head pointers to avoid using stale data > on weakly ordered architectures like aarch64. > > Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 > > Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") > Cc: stable@vger.kernel.org # 5.6 > Signed-off-by: Johan Hovold <johan+linaro@kernel.org> > --- > drivers/net/wireless/ath/ath11k/dp_rx.c | 19 +++++++++++++++++++ > drivers/net/wireless/ath/ath11k/dp_tx.c | 3 +++ > 2 files changed, 22 insertions(+) > > diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c > index ea2959305dec..dfe2d889c20f 100644 > --- a/drivers/net/wireless/ath/ath11k/dp_rx.c > +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c > @@ -3851,6 +3851,9 @@ int ath11k_dp_process_rx_err(struct ath11k_base *ab, struct napi_struct *napi, > > ath11k_hal_srng_access_begin(ab, srng); > > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + Thanks Johan, for continuing to follow up on this issue. I have some different opinions. This change somewhat deviates from the fix approach described in https://lore.kernel.org/all/20250321095219.19369-1-johan+linaro@kernel.org/. In this case, the descriptor might be accessed before it is updated or while it is still being updated. Therefore, a dma_rmb() should be added after the call to ath11k_hal_srng_dst_get_next_entry() and before accessing ath11k_hal_ce_dst_status_get_length(), to ensure that the DMA has completed before reading the descriptor. However, in this patch, the memory barrier is used to protect the head pointer (HP). I don't think a memory barrier is necessary for HP, because even if an outdated HP is fetched, ath11k_hal_srng_dst_get_next_entry() will return NULL and exit safely. So, placing the memory barrier inside ath11k_hal_srng_dst_get_next_entry() would be more appropriate. @@ -678,6 +678,8 @@ u32 *ath11k_hal_srng_dst_get_next_entry(struct ath11k_base *ab, if (srng->flags & HAL_SRNG_FLAGS_CACHED) ath11k_hal_srng_prefetch_desc(ab, srng); + dma_rmb(); + return desc; } > while (budget && > (desc = ath11k_hal_srng_dst_get_next_entry(ab, srng))) { > struct hal_reo_dest_ring *reo_desc = (struct hal_reo_dest_ring *)desc; > @@ -4154,6 +4157,9 @@ int ath11k_dp_rx_process_wbm_err(struct ath11k_base *ab, > > ath11k_hal_srng_access_begin(ab, srng); > > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + > while (budget) { > rx_desc = ath11k_hal_srng_dst_get_next_entry(ab, srng); > if (!rx_desc) > @@ -4280,6 +4286,9 @@ int ath11k_dp_process_rxdma_err(struct ath11k_base *ab, int mac_id, int budget) > > ath11k_hal_srng_access_begin(ab, srng); > > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + > while (quota-- && > (desc = ath11k_hal_srng_dst_get_next_entry(ab, srng))) { > ath11k_hal_rx_reo_ent_paddr_get(ab, desc, &paddr, &desc_bank); > @@ -4353,6 +4362,9 @@ void ath11k_dp_process_reo_status(struct ath11k_base *ab) > > ath11k_hal_srng_access_begin(ab, srng); > > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + > while ((reo_desc = ath11k_hal_srng_dst_get_next_entry(ab, srng))) { > tag = FIELD_GET(HAL_SRNG_TLV_HDR_TAG, *reo_desc); > > @@ -5168,6 +5180,9 @@ static void ath11k_dp_rx_mon_dest_process(struct ath11k *ar, int mac_id, > rx_bufs_used = 0; > rx_mon_stats = &pmon->rx_mon_stats; > > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + > while ((ring_entry = ath11k_hal_srng_dst_peek(ar->ab, mon_dst_srng))) { > struct sk_buff *head_msdu, *tail_msdu; > > @@ -5630,6 +5645,10 @@ static int ath11k_dp_full_mon_process_rx(struct ath11k_base *ab, int mac_id, > spin_lock_bh(&mon_dst_srng->lock); > > ath11k_hal_srng_access_begin(ar->ab, mon_dst_srng); > + > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + > while ((ring_entry = ath11k_hal_srng_dst_peek(ar->ab, mon_dst_srng))) { > head_msdu = NULL; > tail_msdu = NULL; > diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c > index 8522c67baabf..549d17d90503 100644 > --- a/drivers/net/wireless/ath/ath11k/dp_tx.c > +++ b/drivers/net/wireless/ath/ath11k/dp_tx.c > @@ -700,6 +700,9 @@ void ath11k_dp_tx_completion_handler(struct ath11k_base *ab, int ring_id) > > ath11k_hal_srng_access_begin(ab, status_ring); > > + /* Make sure descriptor is read after the head pointer. */ > + dma_rmb(); > + > while ((ATH11K_TX_COMPL_NEXT(tx_ring->tx_status_head) != > tx_ring->tx_status_tail) && > (desc = ath11k_hal_srng_dst_get_next_entry(ab, status_ring))) {
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index ea2959305dec..dfe2d889c20f 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -3851,6 +3851,9 @@ int ath11k_dp_process_rx_err(struct ath11k_base *ab, struct napi_struct *napi, ath11k_hal_srng_access_begin(ab, srng); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while (budget && (desc = ath11k_hal_srng_dst_get_next_entry(ab, srng))) { struct hal_reo_dest_ring *reo_desc = (struct hal_reo_dest_ring *)desc; @@ -4154,6 +4157,9 @@ int ath11k_dp_rx_process_wbm_err(struct ath11k_base *ab, ath11k_hal_srng_access_begin(ab, srng); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while (budget) { rx_desc = ath11k_hal_srng_dst_get_next_entry(ab, srng); if (!rx_desc) @@ -4280,6 +4286,9 @@ int ath11k_dp_process_rxdma_err(struct ath11k_base *ab, int mac_id, int budget) ath11k_hal_srng_access_begin(ab, srng); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while (quota-- && (desc = ath11k_hal_srng_dst_get_next_entry(ab, srng))) { ath11k_hal_rx_reo_ent_paddr_get(ab, desc, &paddr, &desc_bank); @@ -4353,6 +4362,9 @@ void ath11k_dp_process_reo_status(struct ath11k_base *ab) ath11k_hal_srng_access_begin(ab, srng); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while ((reo_desc = ath11k_hal_srng_dst_get_next_entry(ab, srng))) { tag = FIELD_GET(HAL_SRNG_TLV_HDR_TAG, *reo_desc); @@ -5168,6 +5180,9 @@ static void ath11k_dp_rx_mon_dest_process(struct ath11k *ar, int mac_id, rx_bufs_used = 0; rx_mon_stats = &pmon->rx_mon_stats; + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while ((ring_entry = ath11k_hal_srng_dst_peek(ar->ab, mon_dst_srng))) { struct sk_buff *head_msdu, *tail_msdu; @@ -5630,6 +5645,10 @@ static int ath11k_dp_full_mon_process_rx(struct ath11k_base *ab, int mac_id, spin_lock_bh(&mon_dst_srng->lock); ath11k_hal_srng_access_begin(ar->ab, mon_dst_srng); + + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while ((ring_entry = ath11k_hal_srng_dst_peek(ar->ab, mon_dst_srng))) { head_msdu = NULL; tail_msdu = NULL; diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c index 8522c67baabf..549d17d90503 100644 --- a/drivers/net/wireless/ath/ath11k/dp_tx.c +++ b/drivers/net/wireless/ath/ath11k/dp_tx.c @@ -700,6 +700,9 @@ void ath11k_dp_tx_completion_handler(struct ath11k_base *ab, int ring_id) ath11k_hal_srng_access_begin(ab, status_ring); + /* Make sure descriptor is read after the head pointer. */ + dma_rmb(); + while ((ATH11K_TX_COMPL_NEXT(tx_ring->tx_status_head) != tx_ring->tx_status_tail) && (desc = ath11k_hal_srng_dst_get_next_entry(ab, status_ring))) {
Add the missing memory barriers to make sure that destination ring descriptors are read after the head pointers to avoid using stale data on weakly ordered architectures like aarch64. Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable@vger.kernel.org # 5.6 Signed-off-by: Johan Hovold <johan+linaro@kernel.org> --- drivers/net/wireless/ath/ath11k/dp_rx.c | 19 +++++++++++++++++++ drivers/net/wireless/ath/ath11k/dp_tx.c | 3 +++ 2 files changed, 22 insertions(+)