From 68cd737461f628ec98ffceefaa8acb8089da1d20 Mon Sep 17 00:00:00 2001 From: Manikanta Pubbisetty Date: Wed, 14 May 2025 10:36:35 +0530 Subject: [PATCH] qcacmn: Fix stale rx buffer allocation from refill thread When NBUFs are allocated from the refill thread buffer queue, there is a very rare possibility of attaching same NBUF to two different SW RX descriptors. When this happens, it may result in a scenario where the driver submits the NBUF to network stack but still operates on the same buffer in the driver. Both network stack and driver will operate on the buffer simultaneously resulting in stability issues. Allocating same NBUF can happen when the buffer queue head pointer is incremented before the NBUFF is updated in the buffer queue head. In the replenish path, this can result in old/stale NBUF allocation. To fix this, introduce a write memory barrier before updating the buffer queue head pointer. CRs-Fixed: 4142932 Change-Id: Ifc7a0a9ac0489d4ffe3f74a7ea064d68a993c731 --- dp/wifi3.0/dp_rx_buffer_pool.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/dp/wifi3.0/dp_rx_buffer_pool.c b/dp/wifi3.0/dp_rx_buffer_pool.c index 3ba6a84ae2..2afcf2a97e 100644 --- a/dp/wifi3.0/dp_rx_buffer_pool.c +++ b/dp/wifi3.0/dp_rx_buffer_pool.c @@ -174,6 +174,13 @@ void dp_rx_refill_buff_pool_enqueue(struct dp_soc *soc) count++; } + /* All operations above have to be completed before + * assigning the head pointer to buff_pool->head. + * Otherwise, we will end up using a stale NBUF in + * the RX replenish path. + */ + qdf_wmb(); + if (count) { buff_pool->head = head; total_num_refill -= count;
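Review bot: The qdf_wmb() placed ahead of `buff_pool->head = head;` orders only the writer's stores, and this patch (1 file changed, 7 insertions) adds nothing on the reader side. The stale-NBUF case in the commit message is closed only if the replenish path reads buff_pool->head and then issues a read barrier (or an equivalent acquire) before loading the NBUF from the queue slot. Please confirm that pairing exists in the dequeue function, or add it in this change. The new comment should also say which reader-side barrier this one pairs with. Its wording "All operations above have to be completed" is broader than what a write barrier gives: it orders the earlier stores into the buffer queue against the later store to head, not all operations. A smaller point: the barrier runs even when count is 0 and head is not updated, so it could move inside the `if (count) {` block, directly before the head assignment, which also keeps the barrier next to the store it protects.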