issue with ath12k in ath12k_dbring_buffer_release_event

Colin King (gmail) colin.i.king at gmail.com
Thu May 8 04:00:55 PDT 2025


Hi,

In drivers/net/wireless/ath/ath12k/dbring.c, function 
ath12k_dbring_buffer_release_event() contains a large hunk of code that 
is never executed, because `ring` is still NULL when it is tested: the 
WMI_DIRECT_BUF_SPECTRAL case breaks out of the switch without assigning 
it, so the `if (!ring)` check always takes the -EINVAL path and every 
buffer-release event is rejected. The dead code is a fairly large part 
of the function's functionality (the srng lookup and buffer reaping that 
follow), so this looks like a bug to me. Presumably the 
WMI_DIRECT_BUF_SPECTRAL case was meant to assign `ring` (e.g. from the 
per-radio `ar` looked up just above, which is otherwise unused before 
the early return) — someone with the hardware should confirm the 
intended lookup.

Analysis below, my comments prefixed by //

int ath12k_dbring_buffer_release_event(struct ath12k_base *ab,
struct ath12k_dbring_buf_release_event *ev)
{
         struct ath12k_dbring *ring = NULL;

// ring is set to NULL

         struct hal_srng *srng;
         struct ath12k *ar;
         struct ath12k_dbring_element *buff;
         struct ath12k_dbring_data handler_data;
         struct ath12k_buffer_addr desc;
         u8 *vaddr_unalign;
         u32 num_entry, num_buff_reaped;
         u8 pdev_idx, rbm;
         u32 cookie;
         int buf_id;
         int size;
         dma_addr_t paddr;
         int ret = 0;

         pdev_idx = le32_to_cpu(ev->fixed.pdev_id);

         if (pdev_idx >= ab->num_radios) {
                 ath12k_warn(ab, "Invalid pdev id %d\n", pdev_idx);
                 return -EINVAL;
         }

         if (ev->fixed.num_buf_release_entry !=
             ev->fixed.num_meta_data_entry) {
                 ath12k_warn(ab, "Buffer entry %d mismatch meta entry %d\n",
                             ev->fixed.num_buf_release_entry,
                             ev->fixed.num_meta_data_entry);
                 return -EINVAL;
         }

         ar = ab->pdevs[pdev_idx].ar;

         rcu_read_lock();
         if (!rcu_dereference(ab->pdevs_active[pdev_idx])) {
                 ret = -EINVAL;
                 goto rcu_unlock;
         }

         switch (ev->fixed.module_id) {
         case WMI_DIRECT_BUF_SPECTRAL:
                 break;
         default:
                 ring = NULL;
                 ath12k_warn(ab, "Recv dma buffer release ev on unsupp 
module %d\n",
                             ev->fixed.module_id);
                 break;
         }

// ring is still NULL

         if (!ring) {
                 ret = -EINVAL;
                 goto rcu_unlock;
         }

// the following code is *never* executed

         srng = &ab->hal.srng_list[ring->refill_srng.ring_id];
         num_entry = le32_to_cpu(ev->fixed.num_buf_release_entry);
         ....
         ....


Colin

