[PATCH 6.7 228/713] wifi: iwlwifi: mvm: fix erroneous queue index mask

From: Sasha Levin
Date: Mon Mar 25 2024 - 04:00:13 EST

Next message: Sasha Levin: "[PATCH 6.6 473/638] powerpc/pseries: Fix potential memleak in papr_get_attr()"
Previous message: Sasha Levin: "[PATCH 6.6 466/638] media: mediatek: vcodec: avoid -Wcast-function-type-strict warning"
In reply to: Sasha Levin: "[PATCH 6.7 708/713] selftests: forwarding: Fix ping failure due to short timeout"
Next in thread: Sasha Levin: "[PATCH 6.7 589/713] NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg <johannes.berg@xxxxxxxxx>

[ Upstream commit 2e0e766bd8a7f14f10c3e70b8203c4c1e6d9ec76 ]

When retrieving the queue index ("SCD SSN") from the TX response,
it's currently masked with 0xFFF. However, now that we have queues
longer than 4k, that became wrong, so make the mask depend on the
hardware family.

This fixes an issue where if we get a single frame reclaim while
in the top half of an 8k long queue, we'd reclaim-wrap the queue
twice (once on this and then again on the next non-single reclaim)
which at least triggers the WARN_ON_ONCE() in iwl_txq_reclaim(),
but could have other negative side effects (such as unmapping a
frame that wasn't transmitted yet, and then taking an IOMMU fault)
as well.

Fixes: 7b3e42ea2ead ("iwlwifi: support multiple tfd queue max sizes for different devices")
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
Link: https://msgid.link/20240205211151.4148a6ef54e0.I733a70f679c25f9f99097a8dcb3a1f8165da6997@changeid
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 461f26d9214e4..930742e75c02a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1,6 +1,6 @@
// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
/*
- * Copyright (C) 2012-2014, 2018-2023 Intel Corporation
+ * Copyright (C) 2012-2014, 2018-2024 Intel Corporation
* Copyright (C) 2013-2015 Intel Mobile Communications GmbH
* Copyright (C) 2016-2017 Intel Deutschland GmbH
*/
@@ -1636,12 +1636,18 @@ static void iwl_mvm_tx_status_check_trigger(struct iwl_mvm *mvm,
* of the batch. This is why the SSN of the SCD is written at the end of the
* whole struct at a variable offset. This function knows how to cope with the
* variable offset and returns the SSN of the SCD.
+ *
+ * For 22000-series and lower, this is just 12 bits. For later, 16 bits.
*/
static inline u32 iwl_mvm_get_scd_ssn(struct iwl_mvm *mvm,
struct iwl_mvm_tx_resp *tx_resp)
{
- return le32_to_cpup((__le32 *)iwl_mvm_get_agg_status(mvm, tx_resp) +
- tx_resp->frame_count) & 0xfff;
+ u32 val = le32_to_cpup((__le32 *)iwl_mvm_get_agg_status(mvm, tx_resp) +
+ tx_resp->frame_count);
+
+ if (mvm->trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_AX210)
+ return val & 0xFFFF;
+ return val & 0xFFF;
}

static void iwl_mvm_rx_tx_cmd_single(struct iwl_mvm *mvm,
--
2.43.0

Next message: Sasha Levin: "[PATCH 6.6 473/638] powerpc/pseries: Fix potential memleak in papr_get_attr()"
Previous message: Sasha Levin: "[PATCH 6.6 466/638] media: mediatek: vcodec: avoid -Wcast-function-type-strict warning"
In reply to: Sasha Levin: "[PATCH 6.7 708/713] selftests: forwarding: Fix ping failure due to short timeout"
Next in thread: Sasha Levin: "[PATCH 6.7 589/713] NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]