From patchwork Fri Oct 15 13:17:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bryan O'Donoghue X-Patchwork-Id: 515854 Delivered-To: patch@linaro.org Received: by 2002:adf:a11e:0:0:0:0:0 with SMTP id o30csp544149wro; Fri, 15 Oct 2021 06:15:57 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxAoKoDKLbqKBqNb9fZKisGaS9+Bc8MUt1Rv23ATml9mUwK8ZVARpc/zPdY9i8N8jATXtNt X-Received: by 2002:a62:7cd8:0:b0:44d:4574:ea8a with SMTP id x207-20020a627cd8000000b0044d4574ea8amr11736460pfc.80.1634303757044; Fri, 15 Oct 2021 06:15:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634303757; cv=none; d=google.com; s=arc-20160816; b=qlx8zUEr0tVSut3KITKJ65TfUQbBbTH1dmixGztK05pwSsJwaBS/i8hz7ns6lJEPtM m4XqMi0Cc7HLtU1l7Scz3euDuAghQmlrPmlt+NYJeYTqsL+K5rNnhLdPcg10rqui/T1K AqwGuqq7erfYa4ojOFPEiv7O0Ax2P/qiKueVm7tzoxN4XNnmYEkEmzUn29suvJ5NgNSB n2CHVOALQ4a1Yz6/JZn2VZh79VJq4RhJkEmTk0ZRpR7C1aK4VMsNWD+9rFGYf5o7U3+k nhpb+jgpGcgwrAeAa3a93mjPNjJ9aEwbrpXkM0H6i4wlQBS7HX3UOrpxMLpcH2acVljq 4p4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature:dkim-signature; bh=vmB9axxt/tH89ROsnS9gEphsus5SBW4lfkahEBeA1y0=; b=VgSvRBqSZpqcgNH8tW35K8gIlVSuIZy1CRR7pnjybQBj6NEZnAic+9TufT3vIEJLSo 61S7JKe+C+vrxjGjhwkbhMAkCgSPf9VnF3LnMjppPMjal2aWA17lVzcpzEOoxpc5sbNE N4O3BmCDUHX1ABOPvY2HQnyxyNWpsn3lSr2ogtxSJjCi4373Q0oq1ZqC8OYRERqBlnYj jZUuRR1KytlWFz4KzaalMEUr4twG9ePMWND6CteY6k2ucmaIJY01aLctB1UCRKcAMX4p qSpTJc48GWRQKCFvCMpVio2W0gF2oGm/Qld213tlahfwBTa7uD/38VpRJWzcUVMQqz9i WEEA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.infradead.org header.s=bombadil.20210309 header.b="gO9/E6ee"; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=swD8uv4x; spf=neutral (google.com: 2607:7c80:54:e::133 is neither permitted nor denied by best guess record for domain of wcn36xx-bounces+patch=linaro.org@lists.infradead.org) smtp.mailfrom="wcn36xx-bounces+patch=linaro.org@lists.infradead.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from bombadil.infradead.org ([2607:7c80:54:e::133]) by mx.google.com with ESMTPS id n12si8436729plh.326.2021.10.15.06.15.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Oct 2021 06:15:57 -0700 (PDT) Received-SPF: neutral (google.com: 2607:7c80:54:e::133 is neither permitted nor denied by best guess record for domain of wcn36xx-bounces+patch=linaro.org@lists.infradead.org) client-ip=2607:7c80:54:e::133; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.infradead.org header.s=bombadil.20210309 header.b="gO9/E6ee"; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=swD8uv4x; spf=neutral (google.com: 2607:7c80:54:e::133 is neither permitted nor denied by best guess record for domain of wcn36xx-bounces+patch=linaro.org@lists.infradead.org) smtp.mailfrom="wcn36xx-bounces+patch=linaro.org@lists.infradead.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=vmB9axxt/tH89ROsnS9gEphsus5SBW4lfkahEBeA1y0=; b=gO9/E6eeEv3duA U4pK5GU3L+6AXKXyZ4QIy/vS5dUkb5ahz2/apDCYDrVHUT7okTODOdob9dO1b6svOhJZzFqWxC+ki DsO84WM0IanjXzXpI1j6hbkQrnTHIYcyr8gEcHmHnEE/W/uySuozPZ2PI3U0DYyX8Kj9st69o6lNq nOvW4OuwNdrS+KRLN2t9XAdO2e0Wnam3RKVmS334yIsC3PQOFm86ekxGos3EJu23fTESwxmwHLuLm zTD3zFT9PCrCp1Knqwf86No3h2cGl07xn88FdIypvOz1sIu8OHp/fw+iHtDpp/8FqzqC+P4CL5zjs XbESTKDhHP5oKkEXGQcg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mbN3z-007AW5-C9; Fri, 15 Oct 2021 13:15:55 +0000 Received: from mail-wr1-x430.google.com ([2a00:1450:4864:20::430]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mbN3w-007ATg-HP for wcn36xx@lists.infradead.org; Fri, 15 Oct 2021 13:15:54 +0000 Received: by mail-wr1-x430.google.com with SMTP id v17so26401731wrv.9 for ; Fri, 15 Oct 2021 06:15:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=6gmGyGZOX0tnnXnf/J6ROMaBVuBmbeJjJwd98SH6/w8=; b=swD8uv4xh5lHBS/mXNWezLGFNq5/+jbSkjnBi3SmewcfhfUNU6KBN8YZrf5y6P9oiG G9EqyKhBORWixMtktl3MD79UYQZfoP6fkdLOg5pYZHtJvTPynDjiabCD6dj6X6APxsY/ HOtexPglLxjkaaHuntyBwWEKbrXAlUZuLPuA5Kd58QTwkmSP59if6TPCoGu/6PXV61FU i9KintPLyAis9oqHqNBdcrzYglqklDPRnOtAO61YWH2ELneLblnYcka9NcBUbJY5MhMK aYBCQhRetRZgdH0imwVJI7mnoaRuiVboC5W49e4kwUOYjo2OLGPm0rHZePbW+BUkwWHF VqEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=6gmGyGZOX0tnnXnf/J6ROMaBVuBmbeJjJwd98SH6/w8=; b=YssBkZAOl6DlUzztb9cL+zjfvr6TBZFQMEweQTQqFHvWd/Nwy8BQVQfvIl9CPt3n8W tCo1SVAGr/JrjAU04d7WGMsmvkBV832t6H+DxxC4lQcoQyiWtGOGRDWb+8RM1nZzh6PL dfJHmxMrZU3XpK1tSgeIcx10dqwkaa6UmxGhvLpKcOs/DBffMJ6LgHsrqGJCi1mQy89d Vb7wTM/GRYljB7+dLEQCZDneC3XrtV5YFXVubqYWc6O/QQYIMdAxibMeDyJhCaSW29Nm Crq2l1Rndd1GYIK7tJxuBWeKGTSz++ge96UFSUG4mHke3Hhy9EgGhqPlc6iXWyegs6ef dZmQ== X-Gm-Message-State: AOAM530AYsOQNCRywYPSla4ZEGU74qm2lvn+ObYpEzskVkY3Hw+7pDcL wrp4bFzAxO3Wvl0h1d90r+PgbkgYG7zogg== X-Received: by 2002:adf:9c02:: with SMTP id f2mr14507888wrc.329.1634303747566; Fri, 15 Oct 2021 06:15:47 -0700 (PDT) Received: from sagittarius-a.chello.ie (188-141-3-169.dynamic.upc.ie. [188.141.3.169]) by smtp.gmail.com with ESMTPSA id e8sm7091716wrg.48.2021.10.15.06.15.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Oct 2021 06:15:47 -0700 (PDT) From: Bryan O'Donoghue To: kvalo@codeaurora.org, linux-wireless@vger.kernel.org, wcn36xx@lists.infradead.org Cc: loic.poulain@linaro.org, benl@squareup.com, daniel.thompson@linaro.org, bryan.odonoghue@linaro.org Subject: [PATCH 4/4] wcn36xx: Put DXE block into reset before freeing memory Date: Fri, 15 Oct 2021 14:17:41 +0100 Message-Id: <20211015131741.2455824-5-bryan.odonoghue@linaro.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211015131741.2455824-1-bryan.odonoghue@linaro.org> References: <20211015131741.2455824-1-bryan.odonoghue@linaro.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20211015_061552_613661_AB885414 X-CRM114-Status: GOOD ( 13.65 ) X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: When deiniting the DXE hardware we should reset the block to ensure there is no spurious DMA write transaction from the downstream WCNSS to upstream MSM at a skbuff address we will have released. This is actually a pretty serious bug. Immediately after the reset we release skbs, skbs which are from the perspective of the WCNSS DXE still valid addresses for DMA. Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:430 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: wcn36xx@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "wcn36xx" Errors-To: wcn36xx-bounces+patch=linaro.org@lists.infradead.org When deiniting the DXE hardware we should reset the block to ensure there is no spurious DMA write transaction from the downstream WCNSS to upstream MSM at a skbuff address we will have released. This is actually a pretty serious bug. Immediately after the reset we release skbs, skbs which are from the perspective of the WCNSS DXE still valid addresses for DMA. Without first placing the DXE block into reset, it is possible for an upstream DMA transaction to write to skbs we have freed. We have seen some backtraces from usage in testing on 50k+ devices which indicates an invalid RX of an APs beacon to unmapped memory. The logical conclusion is that an RX transaction happened to a region of memory that was previously valid but was subsequently released. The only time such a window of opportunity exists is when we have deallocated the skbs attached to the DMA BDs in other words after doing wcn36xx_stop(). If we free the skbs on the DMA channel, we need to make sure we have quiesced potential DMA on that channel prior to freeing. This patch should eliminate that error. Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue --- drivers/net/wireless/ath/wcn36xx/dxe.c | 6 ++++++ 1 file changed, 6 insertions(+) -- 2.33.0 _______________________________________________ wcn36xx mailing list wcn36xx@lists.infradead.org http://lists.infradead.org/mailman/listinfo/wcn36xx diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c index e89002502869a..56f605c23f36c 100644 --- a/drivers/net/wireless/ath/wcn36xx/dxe.c +++ b/drivers/net/wireless/ath/wcn36xx/dxe.c @@ -1020,6 +1020,8 @@ int wcn36xx_dxe_init(struct wcn36xx *wcn) void wcn36xx_dxe_deinit(struct wcn36xx *wcn) { + int reg_data = 0; + /* Disable channel interrupts */ wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_H); wcn36xx_dxe_disable_ch_int(wcn, WCN36XX_INT_MASK_CHAN_RX_L); @@ -1035,6 +1037,10 @@ void wcn36xx_dxe_deinit(struct wcn36xx *wcn) wcn->tx_ack_skb = NULL; } + /* Put the DXE block into reset before freeing memory */ + reg_data = WCN36XX_DXE_REG_RESET; + wcn36xx_dxe_write_register(wcn, WCN36XX_DXE_REG_CSR_RESET, reg_data); + wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_l_ch); wcn36xx_dxe_ch_free_skbs(wcn, &wcn->dxe_rx_h_ch);