git.openwrt.org Git - openwrt/openwrt.git/blob

   1 From 6fc2589aae91818dd1183a589ab97d8e5c25364e Mon Sep 17 00:00:00 2001
   2 From: Johan Hovold <johan+linaro@kernel.org>
   3 Date: Wed, 4 Jun 2025 16:34:57 +0200
   4 Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full
   5
   6 commit aa6956150f820e6a6deba44be325ddfcb5b10f88 upstream.
   7
   8 Add the missing memory barriers to make sure that destination ring
   9 descriptors are read before updating the tail pointer (and passing
  10 ownership to the device) to avoid memory corruption on weakly ordered
  11 architectures like aarch64 when the ring is full.
  12
  13 Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
  14
  15 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
  16 Cc: stable@vger.kernel.org      # 5.6
  17 Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
  18 Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
  19 Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org
  20 Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
  21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22 ---
  23  drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++--
  24  1 file changed, 9 insertions(+), 2 deletions(-)
  25
  26 (limited to 'drivers/net/wireless/ath/ath11k')
  27
  28 --- a/drivers/net/wireless/ath/ath11k/hal.c
  29 +++ b/drivers/net/wireless/ath/ath11k/hal.c
  30 @@ -854,7 +854,6 @@ void ath11k_hal_srng_access_end(struct a
  31  {
  32         lockdep_assert_held(&srng->lock);
  33
  34 -       /* TODO: See if we need a write memory barrier here */
  35         if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
  36                 /* For LMAC rings, ring pointer updates are done through FW and
  37                  * hence written to a shared memory location that is read by FW
  38 @@ -869,7 +868,11 @@ void ath11k_hal_srng_access_end(struct a
  39                         WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
  40                 } else {
  41                         srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
  42 -                       *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
  43 +                       /* Make sure descriptor is read before updating the
  44 +                        * tail pointer.
  45 +                        */
  46 +                       dma_mb();
  47 +                       WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
  48                 }
  49         } else {
  50                 if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
  51 @@ -885,6 +888,10 @@ void ath11k_hal_srng_access_end(struct a
  52                                            srng->u.src_ring.hp);
  53                 } else {
  54                         srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
  55 +                       /* Make sure descriptor is read before updating the
  56 +                        * tail pointer.
  57 +                        */
  58 +                       mb();
  59                         ath11k_hif_write32(ab,
  60                                            (unsigned long)srng->u.dst_ring.tp_addr -
  61                                            (unsigned long)ab->mem,