lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <aFvCkiJCRmwtqhWt@hovoldconsulting.com>
Date: Wed, 25 Jun 2025 11:34:10 +0200
From: Johan Hovold <johan@...nel.org>
To: Baochen Qiang <quic_bqiang@...cinc.com>
Cc: Johan Hovold <johan+linaro@...nel.org>,
	Jeff Johnson <jjohnson@...nel.org>,
	Miaoqing Pan <quic_miaoqing@...cinc.com>,
	linux-wireless@...r.kernel.org, ath11k@...ts.infradead.org,
	linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH 1/3] wifi: ath11k: fix dest ring-buffer corruption

On Wed, Jun 25, 2025 at 10:06:21AM +0800, Baochen Qiang wrote:
> On 5/26/2025 7:48 PM, Johan Hovold wrote:
> > Add the missing memory barriers to make sure that destination ring
> > descriptors are read after the head pointers to avoid using stale data
> > on weakly ordered architectures like aarch64.
> > 
> > Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
> > 
> > Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> > Cc: stable@...r.kernel.org	# 5.6
> > Signed-off-by: Johan Hovold <johan+linaro@...nel.org>

> > diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c
> > index 8522c67baabf..549d17d90503 100644
> > --- a/drivers/net/wireless/ath/ath11k/dp_tx.c
> > +++ b/drivers/net/wireless/ath/ath11k/dp_tx.c
> > @@ -700,6 +700,9 @@ void ath11k_dp_tx_completion_handler(struct ath11k_base *ab, int ring_id)
> >  
> >  	ath11k_hal_srng_access_begin(ab, status_ring);
> >  
> > +	/* Make sure descriptor is read after the head pointer. */
> > +	dma_rmb();
> > +
> >  	while ((ATH11K_TX_COMPL_NEXT(tx_ring->tx_status_head) !=
> >  		tx_ring->tx_status_tail) &&
> >  	       (desc = ath11k_hal_srng_dst_get_next_entry(ab, status_ring))) {
> 
> Johan, dma_rmb() is put inside _srng_access_begin() for ath12k, but here inside each
> caller. Can we achieve consistency between two drivers?

I moved into into the helper also for ath11k in v2:

	https://lore.kernel.org/lkml/20250604143457.26032-2-johan+linaro@kernel.org/

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ