| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6f3eb9fa-617e-4434-8fc4-33dd92c4bdd2@quicinc.com>
Date: Thu, 5 Jun 2025 16:41:32 +0800
From: Baochen Qiang <quic_bqiang@...cinc.com>
To: Johan Hovold <johan+linaro@...nel.org>, Jeff Johnson <jjohnson@...nel.org>
CC: Miaoqing Pan <quic_miaoqing@...cinc.com>,
Remi Pommarel
<repk@...plefau.lt>, <linux-wireless@...r.kernel.org>,
<ath12k@...ts.infradead.org>, <linux-kernel@...r.kernel.org>,
<stable@...r.kernel.org>
Subject: Re: [PATCH v2 1/4] wifi: ath12k: fix dest ring-buffer corruption
On 6/4/2025 10:45 PM, Johan Hovold wrote:
> Add the missing memory barrier to make sure that destination ring
> descriptors are read after the head pointers to avoid using stale data
> on weakly ordered architectures like aarch64.
>
> The barrier is added to the ath12k_hal_srng_access_begin() helper for
> symmetry with follow-on fixes for source ring buffer corruption which
> will add barriers to ath12k_hal_srng_access_end().
>
> Note that this may fix the empty descriptor issue recently worked around
> by commit 51ad34a47e9f ("wifi: ath12k: Add drop descriptor handling for
> monitor ring").
why? I would expect drunk cookies are valid in case of HAL_MON_DEST_INFO0_EMPTY_DESC,
rather than anything caused by reordering.
>
> Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
>
> Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
> Cc: stable@...r.kernel.org # 6.3
> Signed-off-by: Johan Hovold <johan+linaro@...nel.org>
> ---
> drivers/net/wireless/ath/ath12k/ce.c | 3 ---
> drivers/net/wireless/ath/ath12k/hal.c | 17 ++++++++++++++---
> 2 files changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/ce.c b/drivers/net/wireless/ath/ath12k/ce.c
> index 740586fe49d1..b66d23d6b2bd 100644
> --- a/drivers/net/wireless/ath/ath12k/ce.c
> +++ b/drivers/net/wireless/ath/ath12k/ce.c
> @@ -343,9 +343,6 @@ static int ath12k_ce_completed_recv_next(struct ath12k_ce_pipe *pipe,
> goto err;
> }
>
> - /* Make sure descriptor is read after the head pointer. */
> - dma_rmb();
> -
> *nbytes = ath12k_hal_ce_dst_status_get_length(desc);
>
> *skb = pipe->dest_ring->skb[sw_index];
> diff --git a/drivers/net/wireless/ath/ath12k/hal.c b/drivers/net/wireless/ath/ath12k/hal.c
> index 91d5126ca149..9eea13ed5565 100644
> --- a/drivers/net/wireless/ath/ath12k/hal.c
> +++ b/drivers/net/wireless/ath/ath12k/hal.c
> @@ -2126,13 +2126,24 @@ void *ath12k_hal_srng_src_get_next_reaped(struct ath12k_base *ab,
>
> void ath12k_hal_srng_access_begin(struct ath12k_base *ab, struct hal_srng *srng)
> {
> + u32 hp;
> +
> lockdep_assert_held(&srng->lock);
>
> - if (srng->ring_dir == HAL_SRNG_DIR_SRC)
> + if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
> srng->u.src_ring.cached_tp =
> *(volatile u32 *)srng->u.src_ring.tp_addr;
> - else
> - srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
> + } else {
> + hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
> +
> + if (hp != srng->u.dst_ring.cached_hp) {
This consumes additional CPU cycles in hot path, which is a concern to me.
Based on that, I prefer the v1 implementation.
> + srng->u.dst_ring.cached_hp = hp;
> + /* Make sure descriptor is read after the head
> + * pointer.
> + */
> + dma_rmb();
> + }
> + }
> }
>
> /* Update cached ring head/tail pointers to HW. ath12k_hal_srng_access_begin()
Powered by blists - more mailing lists