ath9k: Postpone key cache entry deletion for TXQ frames reference it

commit ca2848022c12789685d3fab3227df02b863f9696 upstream.

Do not delete a key cache entry that is still being referenced by
pending frames in TXQs. This avoids reuse of the key cache entry while a
frame might still be transmitted using it.

To avoid having to do any additional operations during the main TX path
operations, track pending key cache entries in a new bitmap and check
whether any pending entries can be deleted before every new key
add/remove operation. Also clear any remaining entries when stopping the
interface.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20201214172118.18100-6-jouni@codeaurora.org
Cc: Pali Rohár <pali@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
index 2e4489700a859722b2c54d817a91d8aea4040bcb..2842ca205a0a97af675b38dcd926738684a6e21c 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
@@ -819,6 +819,7 @@ struct ath_hw {
        struct ath9k_pacal_info pacal_info;
        struct ar5416Stats stats;
        struct ath9k_tx_queue_info txq[ATH9K_NUM_TX_QUEUES];
+       DECLARE_BITMAP(pending_del_keymap, ATH_KEYMAX);
 
        enum ath9k_int imask;
        u32 imrs2_reg;

diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
index c08a7202dca2d270de19a8ee4095179b51eb155a..28ccdcb197de23ca03370f49874de4accf761593 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -823,12 +823,80 @@ static void ath9k_tx(struct ieee80211_hw *hw,
        ieee80211_free_txskb(hw, skb);
 }
 
+static bool ath9k_txq_list_has_key(struct list_head *txq_list, u32 keyix)
+{
+       struct ath_buf *bf;
+       struct ieee80211_tx_info *txinfo;
+       struct ath_frame_info *fi;
+
+       list_for_each_entry(bf, txq_list, list) {
+               if (bf->bf_state.stale || !bf->bf_mpdu)
+                       continue;
+
+               txinfo = IEEE80211_SKB_CB(bf->bf_mpdu);
+               fi = (struct ath_frame_info *)&txinfo->rate_driver_data[0];
+               if (fi->keyix == keyix)
+                       return true;
+       }
+
+       return false;
+}
+
+static bool ath9k_txq_has_key(struct ath_softc *sc, u32 keyix)
+{
+       struct ath_hw *ah = sc->sc_ah;
+       int i;
+       struct ath_txq *txq;
+       bool key_in_use = false;
+
+       for (i = 0; !key_in_use && i < ATH9K_NUM_TX_QUEUES; i++) {
+               if (!ATH_TXQ_SETUP(sc, i))
+                       continue;
+               txq = &sc->tx.txq[i];
+               if (!txq->axq_depth)
+                       continue;
+               if (!ath9k_hw_numtxpending(ah, txq->axq_qnum))
+                       continue;
+
+               ath_txq_lock(sc, txq);
+               key_in_use = ath9k_txq_list_has_key(&txq->axq_q, keyix);
+               if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) {
+                       int idx = txq->txq_tailidx;
+
+                       while (!key_in_use &&
+                              !list_empty(&txq->txq_fifo[idx])) {
+                               key_in_use = ath9k_txq_list_has_key(
+                                       &txq->txq_fifo[idx], keyix);
+                               INCR(idx, ATH_TXFIFO_DEPTH);
+                       }
+               }
+               ath_txq_unlock(sc, txq);
+       }
+
+       return key_in_use;
+}
+
+static void ath9k_pending_key_del(struct ath_softc *sc, u8 keyix)
+{
+       struct ath_hw *ah = sc->sc_ah;
+       struct ath_common *common = ath9k_hw_common(ah);
+
+       if (!test_bit(keyix, ah->pending_del_keymap) ||
+           ath9k_txq_has_key(sc, keyix))
+               return;
+
+       /* No more TXQ frames point to this key cache entry, so delete it. */
+       clear_bit(keyix, ah->pending_del_keymap);
+       ath_key_delete(common, keyix);
+}
+
 static void ath9k_stop(struct ieee80211_hw *hw)
 {
        struct ath_softc *sc = hw->priv;
        struct ath_hw *ah = sc->sc_ah;
        struct ath_common *common = ath9k_hw_common(ah);
        bool prev_idle;
+       int i;
 
        ath9k_deinit_channel_context(sc);
 
@@ -896,6 +964,9 @@ static void ath9k_stop(struct ieee80211_hw *hw)
 
        spin_unlock_bh(&sc->sc_pcu_lock);
 
+       for (i = 0; i < ATH_KEYMAX; i++)
+               ath9k_pending_key_del(sc, i);
+
        /* Clear key cache entries explicitly to get rid of any potentially
         * remaining keys.
         */
@@ -1712,6 +1783,12 @@ static int ath9k_set_key(struct ieee80211_hw *hw,
        if (sta)
                an = (struct ath_node *)sta->drv_priv;
 
+       /* Delete pending key cache entries if no more frames are pointing to
+        * them in TXQs.
+        */
+       for (i = 0; i < ATH_KEYMAX; i++)
+               ath9k_pending_key_del(sc, i);
+
        switch (cmd) {
        case SET_KEY:
                if (sta)
@@ -1741,7 +1818,15 @@ static int ath9k_set_key(struct ieee80211_hw *hw,
                }
                break;
        case DISABLE_KEY:
-               ath_key_delete(common, key->hw_key_idx);
+               if (ath9k_txq_has_key(sc, key->hw_key_idx)) {
+                       /* Delay key cache entry deletion until there are no
+                        * remaining TXQ frames pointing to this entry.
+                        */
+                       set_bit(key->hw_key_idx, sc->sc_ah->pending_del_keymap);
+                       ath_hw_keysetmac(common, key->hw_key_idx, NULL);
+               } else {
+                       ath_key_delete(common, key->hw_key_idx);
+               }
                if (an) {
                        for (i = 0; i < ARRAY_SIZE(an->key_idx); i++) {
                                if (an->key_idx[i] != key->hw_key_idx)