Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7147a131 authored by Michal Kazior's avatar Michal Kazior Committed by Kalle Valo
Browse files

ath10k: protect src_ring state with ce_lock in tx_sg() 



It was possible to read invalid state of CE ring
buffer indexes. This could lead to scatter-gather
transfer failure in mid-way and crash firmware
later by leaving garbage data on the ring.

Reported-By: default avatarAvery Pennarun <apenwarr@gmail.com>
Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
parent 4b81d177

drivers/net/wireless/ath/ath10k/pci.c

+7 −3
Original line number Diff line number Diff line
@@ -762,13 +762,17 @@ static int ath10k_pci_hif_tx_sg(struct ath10k *ar, u8 pipe_id, 
	struct ath10k_pci_pipe *pci_pipe = &ar_pci->pipe_info[pipe_id];

	struct ath10k_ce_pipe *ce_pipe = pci_pipe->ce_hdl;

	struct ath10k_ce_ring *src_ring = ce_pipe->src_ring;

	unsigned int nentries_mask = src_ring->nentries_mask;

	unsigned int sw_index = src_ring->sw_index;

	unsigned int write_index = src_ring->write_index;

	unsigned int nentries_mask;

	unsigned int sw_index;

	unsigned int write_index;

	int err, i;



	spin_lock_bh(&ar_pci->ce_lock);



	nentries_mask = src_ring->nentries_mask;

	sw_index = src_ring->sw_index;

	write_index = src_ring->write_index;



	if (unlikely(CE_RING_DELTA(nentries_mask,

				   write_index, sw_index - 1) < n_items)) {

		err = -ENOBUFS;