[PATCH ath-next] wifi: ath12k: Fix invalid IRQ requests during AHB probe
Baochen Qiang
baochen.qiang at oss.qualcomm.com
Sun Apr 19 19:55:00 PDT 2026
On 4/14/2026 2:28 PM, Aaradhana Sahu wrote:
> ath12k_ahb_config_ext_irq() iterates over ATH12K_EXT_IRQ_NUM_MAX (16)
> entries while checking TX ring masks, but the tcl_to_wbm_rbm_map array
> contains only DP_TCL_NUM_RING_MAX (4) valid elements.
>
> When the iterator (j) is greater than or equal to DP_TCL_NUM_RING_MAX,
> it accesses tcl_to_wbm_rbm_map[j] out of bounds. This results in
> reading uninitialized memory for wbm_ring_num, causing the driver to
> evaluate incorrect BIT() conditions and request IRQs for rings that do
> not have an assigned interrupt line or device tree entry.
>
> This leads to request_irq() failures with -ENXIO or -EINVAL during
> ath12k AHB probe.
>
> Fix this by splitting the loop into two separate loops: one iterating
> over DP_TCL_NUM_RING_MAX for TX ring, and another iterating over
> ATH12K_EXT_IRQ_NUM_MAX for remaining IRQ entries.
> Also add a bounds check for num_irq.
>
> Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
>
> Fixes: 6cee30f0da75 ("wifi: ath12k: add AHB driver support for IPQ5332")
> Signed-off-by: Aaradhana Sahu <aaradhana.sahu at oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/ahb.c | 25 +++++++++++++++----------
> 1 file changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/ahb.c b/drivers/net/wireless/ath/ath12k/ahb.c
> index 2dcf0a52e4c1..30733a244454 100644
> --- a/drivers/net/wireless/ath/ath12k/ahb.c
> +++ b/drivers/net/wireless/ath/ath12k/ahb.c
> @@ -583,31 +583,36 @@ static int ath12k_ahb_config_ext_irq(struct ath12k_base *ab)
> netif_napi_add(irq_grp->napi_ndev, &irq_grp->napi,
> ath12k_ahb_ext_grp_napi_poll);
>
> - for (j = 0; j < ATH12K_EXT_IRQ_NUM_MAX; j++) {
> - /* For TX ring, ensure that the ring mask and the
> - * tcl_to_wbm_rbm_map point to the same ring number.
> - */
> + for (j = 0; j < DP_TCL_NUM_RING_MAX; j++) {
> if (ring_mask->tx[i] &
> - BIT(ab->hal.tcl_to_wbm_rbm_map[j].wbm_ring_num)) {
> + BIT(ab->hal.tcl_to_wbm_rbm_map[j].wbm_ring_num) &&
> + num_irq < ATH12K_EXT_IRQ_NUM_MAX) {
> irq_grp->irqs[num_irq++] =
> wbm2host_tx_completions_ring1 - j;
> }
> + }
>
> - if (ring_mask->rx[i] & BIT(j)) {
> + for (j = 0; j < ATH12K_EXT_IRQ_NUM_MAX; j++) {
> + if (ring_mask->rx[i] & BIT(j) &&
> + num_irq < ATH12K_EXT_IRQ_NUM_MAX) {
> irq_grp->irqs[num_irq++] =
> reo2host_destination_ring1 - j;
> }
>
> - if (ring_mask->rx_err[i] & BIT(j))
> + if (ring_mask->rx_err[i] & BIT(j) &&
> + num_irq < ATH12K_EXT_IRQ_NUM_MAX)
> irq_grp->irqs[num_irq++] = reo2host_exception;
>
> - if (ring_mask->rx_wbm_rel[i] & BIT(j))
> + if (ring_mask->rx_wbm_rel[i] & BIT(j) &&
> + num_irq < ATH12K_EXT_IRQ_NUM_MAX)
> irq_grp->irqs[num_irq++] = wbm2host_rx_release;
>
> - if (ring_mask->reo_status[i] & BIT(j))
> + if (ring_mask->reo_status[i] & BIT(j) &&
> + num_irq < ATH12K_EXT_IRQ_NUM_MAX)
> irq_grp->irqs[num_irq++] = reo2host_status;
>
> - if (ring_mask->rx_mon_dest[i] & BIT(j))
> + if (ring_mask->rx_mon_dest[i] & BIT(j) &&
> + num_irq < ATH12K_EXT_IRQ_NUM_MAX)
> irq_grp->irqs[num_irq++] =
> rxdma2host_monitor_destination_mac1;
> }
>
> base-commit: e6630ad4c58f89ba72e64fca5989ecf1e06319c9
Reviewed-by: Baochen Qiang <baochen.qiang at oss.qualcomm.com>
More information about the ath12k
mailing list