From: "Colin King (gmail)" <colin.i.king@gmail.com>
To: Jeff Johnson <jjohnson@kernel.org>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
ath12k@lists.infradead.org, Kalle Valo <kvalo@kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: issue wth ath12k in ath12k_dbring_buffer_release_event
Date: Thu, 8 May 2025 12:00:55 +0100 [thread overview]
Message-ID: <e26e4e8b-90d5-4543-af0a-ba5cebf516d8@gmail.com> (raw)
[-- Attachment #1.1.1: Type: text/plain, Size: 2477 bytes --]
Hi,
In drivers/net/wireless/ath/ath12k/dbring.c function
ath12k_dbring_buffer_release_event() there is a large hunk of code that
is never executed because ring is NULL. The code that is never executed
is a fairly large part of the functionality of the code, so I this looks
like a bug to me.
Analysis below, my comments prefixed by //
int ath12k_dbring_buffer_release_event(struct ath12k_base *ab,
linux-kernel@vger.kernel.org
struct ath12k_dbring_buf_release_event *ev)
{
struct ath12k_dbring *ring = NULL;
// ring is set to NULL
struct hal_srng *srng;
struct ath12k *ar;
struct ath12k_dbring_element *buff;
struct ath12k_dbring_data handler_data;
struct ath12k_buffer_addr desc;
u8 *vaddr_unalign;
u32 num_entry, num_buff_reaped;
u8 pdev_idx, rbm;
u32 cookie;
int buf_id;
int size;
dma_addr_t paddr;
int ret = 0;
pdev_idx = le32_to_cpu(ev->fixed.pdev_id);
if (pdev_idx >= ab->num_radios) {
ath12k_warn(ab, "Invalid pdev id %d\n", pdev_idx);
return -EINVAL;
}
if (ev->fixed.num_buf_release_entry !=
ev->fixed.num_meta_data_entry) {
ath12k_warn(ab, "Buffer entry %d mismatch meta entry %d\n",
ev->fixed.num_buf_release_entry,
ev->fixed.num_meta_data_entry);
return -EINVAL;
}
ar = ab->pdevs[pdev_idx].ar;
rcu_read_lock();
if (!rcu_dereference(ab->pdevs_active[pdev_idx])) {
ret = -EINVAL;
goto rcu_unlock;
}
switch (ev->fixed.module_id) {
case WMI_DIRECT_BUF_SPECTRAL:
break;
default:
ring = NULL;
ath12k_warn(ab, "Recv dma buffer release ev on unsupp
module %d\n",
ev->fixed.module_id);
break;
}
// ring is still NULL
if (!ring) {
ret = -EINVAL;
goto rcu_unlock;
}
// the following code is *never* executed
srng = &ab->hal.srng_list[ring->refill_srng.ring_id];
num_entry = le32_to_cpu(ev->fixed.num_buf_release_entry);
....
....
Colin
[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 4901 bytes --]
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]
next reply other threads:[~2025-05-08 11:01 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-08 11:00 Colin King (gmail) [this message]
2025-05-09 17:26 ` issue wth ath12k in ath12k_dbring_buffer_release_event Jeff Johnson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e26e4e8b-90d5-4543-af0a-ba5cebf516d8@gmail.com \
--to=colin.i.king@gmail.com \
--cc=ath12k@lists.infradead.org \
--cc=jjohnson@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox