Digging around through some bugs reported from an extensive testing cycle we've found that wcn36xx has a number of unexplained RX related oopses. In at least one case we appear to have DMA'd data to an unmapped region. The written data appears to be a correctly formed DMA buffer descriptor - a DXE BD in WCNSS parlance, with an AP beacon inside of it. Reasoning about how such a situation might come about and reviewing the run-time code, there was no obvious path where we might free a BD or an skbuff pointed to by a BD, which DXE might not be aware of. However looking at the ieee80211_ops.start and ieee80211_ops.stop callbacks in wcn36xx we can see a number of bugs associated with BD allocation, error handling and leaving the DMA engine active, despite freeing SKBs on the MSM side. This last mention - failure to quiesce potential DMA from the downstream agent - WCNSS DXE despite freeing the memory @ the skbuffs is a decent candidate for our unexplained upstream DMA transaction to unmapped memory. Since wcn36xx_stop and wcn36xx_start can be called a number of times by the controlling upper layers it means there is a potential gap between wcn36xx_stop and wcn36xx_start which could leave WCNSS in a state where it will try to DMA to memory we have freed. This series addresses the obvious bugs that jump out on the start()/stop() path. Patch #1 In order to make it easier to read the DXE code, I've moved all of the lock taking and freeing for DXE into dxe.c Patch #2 Fixes a very obviously broken channel enable/disable cycle Patch #3 Fixes a very obvious memory leak with dma_alloc_coherent() Patch #4 Makes sure before we release skbuffs which we assigned to the RX channels that we ensure the DXE block is put into reset Bryan O'Donoghue (4): wcn36xx: Fix DXE lock layering violation wcn36xx: Fix DXE/DMA channel enable/disable cycle wcn36xx: Release DMA channel descriptor allocations wcn36xx: Put DXE block into reset before freeing memory drivers/net/wireless/ath/wcn36xx/dxe.c | 75 +++++++++++++++++++++---- drivers/net/wireless/ath/wcn36xx/dxe.h | 2 + drivers/net/wireless/ath/wcn36xx/txrx.c | 15 +---- 3 files changed, 68 insertions(+), 24 deletions(-) -- 2.33.0
