From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id A3592C61DB2 for ; Wed, 4 Jun 2025 14:38:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=mwqup3r6JxH9i8pSLzpsnDgiD7bbfEDZwioESPdMvA8=; b=ZdaDTXGme6LE896+8DyBZsZPKY Pdk8pvEm5YtGUolH2nS55E6DkqXdLO6cYCeUmkxOpacpaFTZP5tMH3lp67imH9S+JnORE8cYzXSCh APkhGCSO6IzLpWGsY9kcMjKDVKdzKbyTxQI8yk4orw+dsZygrvs1Peo74CiUn4hAGdn3AtC8/P87q IgW1ZzKC/Z8UQfo5TATsii8ICKXinRPRj7NKLCBuHDJUj2irwGWzsx9A9lXuAOK9fpJsRNYmWHK/J g9hdo3KLvYKKweDdru+CGr4cB3kgoE65MO7tSURnZ6IJh644W9kywRx5qY5viAsm9Ceh8UFk97hyY yK/vwEBg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1uMpFl-0000000Daty-1LQa; Wed, 04 Jun 2025 14:38:05 +0000 Received: from sea.source.kernel.org ([172.234.252.31]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1uMpDx-0000000Dab3-0KyB for ath11k@lists.infradead.org; Wed, 04 Jun 2025 14:36:14 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by sea.source.kernel.org (Postfix) with ESMTP id 3FCAE4A84A; Wed, 4 Jun 2025 14:36:12 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EA9AC4CEE4; Wed, 4 Jun 2025 14:36:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1749047772; bh=57PGqZIr4MccX98/Q9s3avEIt4j4j+e1Z330hecZA8c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EWPkp9GIk6Tclt42p7KK/Qk0o++CraPChb3Lhx0BjWRxcV9ea3KG8TYrsT5s9wUmO yYGkzR/9gDPYZaIRx9cYxGlGBSS5feyKj08Flsx6haFbRnZ7wPrn585ftDZkNVuN/X nFtI3N512CiJURPD7pdOODbFzWESo99WEKK/DN4xr8wOXc+uGc3NEGcQvlukjK81Ji wQuDutr3o7GoTvwHNwhyYux63/UNasbADPm9ZgJPMASFv54qZ+4ZuX0VdEibef1wT2 yT7/aX5SVWq3RlDNa7mrosS5ftbmrf2WIu4n4hOd01CfMZXsRb+01NapgT8vEWqGsf RdEDX8/GdM/Yg== Received: from johan by xi.lan with local (Exim 4.97.1) (envelope-from ) id 1uMpDt-000000006nT-3w5U; Wed, 04 Jun 2025 16:36:09 +0200 From: Johan Hovold To: Jeff Johnson Cc: Miaoqing Pan , Baochen Qiang , linux-wireless@vger.kernel.org, ath11k@lists.infradead.org, linux-kernel@vger.kernel.org, Johan Hovold , stable@vger.kernel.org Subject: [PATCH v2 5/5] wifi: ath11k: fix dest ring-buffer corruption when ring is full Date: Wed, 4 Jun 2025 16:34:57 +0200 Message-ID: <20250604143457.26032-6-johan+linaro@kernel.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250604143457.26032-1-johan+linaro@kernel.org> References: <20250604143457.26032-1-johan+linaro@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250604_073613_137148_BA739492 X-CRM114-Status: GOOD ( 11.13 ) X-BeenThere: ath11k@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "ath11k" Errors-To: ath11k-bounces+ath11k=archiver.kernel.org@lists.infradead.org Add the missing memory barriers to make sure that destination ring descriptors are read before updating the tail pointer (and passing ownership to the device) to avoid memory corruption on weakly ordered architectures like aarch64 when the ring is full. Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Cc: stable@vger.kernel.org # 5.6 Signed-off-by: Johan Hovold --- drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index 927ed2bc3fbf..7eeffb36899e 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -854,7 +854,6 @@ void ath11k_hal_srng_access_end(struct ath11k_base *ab, struct hal_srng *srng) { lockdep_assert_held(&srng->lock); - /* TODO: See if we need a write memory barrier here */ if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) { /* For LMAC rings, ring pointer updates are done through FW and * hence written to a shared memory location that is read by FW @@ -869,7 +868,11 @@ void ath11k_hal_srng_access_end(struct ath11k_base *ab, struct hal_srng *srng) WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp); } else { srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; - *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp; + /* Make sure descriptor is read before updating the + * tail pointer. + */ + dma_mb(); + WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp); } } else { if (srng->ring_dir == HAL_SRNG_DIR_SRC) { @@ -885,6 +888,10 @@ void ath11k_hal_srng_access_end(struct ath11k_base *ab, struct hal_srng *srng) srng->u.src_ring.hp); } else { srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; + /* Make sure descriptor is read before updating the + * tail pointer. + */ + mb(); ath11k_hif_write32(ab, (unsigned long)srng->u.dst_ring.tp_addr - (unsigned long)ab->mem, -- 2.49.0