[PATCH v2 4/4] wifi: ath12k: fix dest ring-buffer corruption when ring is full

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Johan Hovold <johan+linaro@kernel.org>
To: Jeff Johnson <jjohnson@kernel.org>
Cc: Miaoqing Pan <quic_miaoqing@quicinc.com>,
	Remi Pommarel <repk@triplefau.lt>,
	Baochen Qiang <quic_bqiang@quicinc.com>,
	linux-wireless@vger.kernel.org, ath12k@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	Johan Hovold <johan+linaro@kernel.org>,
	stable@vger.kernel.org
Subject: [PATCH v2 4/4] wifi: ath12k: fix dest ring-buffer corruption when ring is full
Date: Wed,  4 Jun 2025 16:45:09 +0200	[thread overview]
Message-ID: <20250604144509.28374-5-johan+linaro@kernel.org> (raw)
In-Reply-To: <20250604144509.28374-1-johan+linaro@kernel.org>

Add the missing memory barriers to make sure that destination ring
descriptors are read before updating the tail pointer (and passing
ownership to the device) to avoid memory corruption on weakly ordered
architectures like aarch64 when the ring is full.

Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Cc: stable@vger.kernel.org      # 6.3
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
---
 drivers/net/wireless/ath/ath12k/hal.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath12k/hal.c b/drivers/net/wireless/ath/ath12k/hal.c
index 1e2d13cc2d19..4da354e86a75 100644
--- a/drivers/net/wireless/ath/ath12k/hal.c
+++ b/drivers/net/wireless/ath/ath12k/hal.c
@@ -2153,7 +2153,6 @@ void ath12k_hal_srng_access_end(struct ath12k_base *ab, struct hal_srng *srng)
 {
 	lockdep_assert_held(&srng->lock);
 
-	/* TODO: See if we need a write memory barrier here */
 	if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
 		/* For LMAC rings, ring pointer updates are done through FW and
 		 * hence written to a shared memory location that is read by FW
@@ -2168,7 +2167,11 @@ void ath12k_hal_srng_access_end(struct ath12k_base *ab, struct hal_srng *srng)
 			WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
 		} else {
 			srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
-			*srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
+			/* Make sure descriptor is read before updating the
+			 * tail pointer.
+			 */
+			dma_mb();
+			WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
 		}
 	} else {
 		if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
@@ -2184,6 +2187,10 @@ void ath12k_hal_srng_access_end(struct ath12k_base *ab, struct hal_srng *srng)
 					   srng->u.src_ring.hp);
 		} else {
 			srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+			/* Make sure descriptor is read before updating the
+			 * tail pointer.
+			 */
+			mb();
 			ath12k_hif_write32(ab,
 					   (unsigned long)srng->u.dst_ring.tp_addr -
 					   (unsigned long)ab->mem,
-- 
2.49.0

next prev parent reply	other threads:[~2025-06-04 14:45 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-04 14:45 [PATCH v2 0/4] wifi: ath12k: fix dest ring-buffer corruption Johan Hovold
2025-06-04 14:45 ` [PATCH v2 1/4] " Johan Hovold
2025-06-05  8:41   ` Baochen Qiang
2025-06-05 10:00     ` Johan Hovold
2025-06-05 10:49       ` Baochen Qiang
2025-06-16  9:29         ` Praneesh P
2025-06-16 10:59           ` Baochen Qiang
2025-06-17  8:46           ` Johan Hovold
2025-06-04 14:45 ` [PATCH v2 2/4] wifi: ath12k: use plain access for descriptor length Johan Hovold
2025-06-04 14:45 ` [PATCH v2 3/4] wifi: ath12k: fix source ring-buffer corruption Johan Hovold
2025-06-04 14:45 ` Johan Hovold [this message]
2025-06-06  7:27   ` [PATCH v2 4/4] wifi: ath12k: fix dest ring-buffer corruption when ring is full Miaoqing Pan
2025-06-06  9:19     ` Johan Hovold
2025-06-06  9:37       ` Johan Hovold
2025-06-05  8:37 ` [PATCH v2 0/4] wifi: ath12k: fix dest ring-buffer corruption Baochen Qiang
2025-06-05  8:44   ` Johan Hovold
2025-06-05  8:51     ` Baochen Qiang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1e2d13cc2d1 dfblob:4da354e86a7 )
 OR (
bs:"[PATCH v2 4/4] wifi: ath12k: fix dest ring-buffer corruption when ring is full" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250604144509.28374-5-johan+linaro@kernel.org \
    --to=johan+linaro@kernel.org \
    --cc=ath12k@lists.infradead.org \
    --cc=jjohnson@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=quic_bqiang@quicinc.com \
    --cc=quic_miaoqing@quicinc.com \
    --cc=repk@triplefau.lt \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).