From: Stefan Sperling Subject: Re: small set of qwx bug fixes To: tech@openbsd.org Date: Mon, 22 Jun 2026 12:49:58 +0200 On Mon, Jun 22, 2026 at 10:18:13AM +0200, Stefan Sperling wrote: > On Mon, Jun 22, 2026 at 12:57:06AM +0200, Stefan Sperling wrote: > > i. Dealloc resources via qwx_stop() if we fail to get RUNNING in qwx_init(). > > Cleanup via qwx_stop() was only performed in case of complete success, > > i.e. once IFF_RUNNING is set. > > The above change reintroduced an issue where firmware is not getting > stopped properly and uses freed buffers during DMA, triggering mbuf > cluster use-after-free checks. > Below is a revised patch which aims to address this problem, with all > my pending changes rolled in. > > Please test this diff instead of previous versions. > > I have this queued as 7 separate commits with a rationale for each change > in log messages, to make change history easier to follow. > Two more fixes on top: 1. Do not zero the entire qwx sc->hal structure during resume. The structure contains pointers to DMA allocations which are leaked and replaced by new allocations during resume if we zero the entire structure. At attach time, the structure comes pre-zeroed so an initial memset is not needed either. 2. Do not attempt to clean up Tx rings which are uninitialized. Fixes a crash, seen by jmc@ and reproduced by me, when "qrtr init" times out. M sys/dev/ic/qwx.c | 2+ 4- 1 file changed, 2 insertions(+), 4 deletions(-) commit - 0c78974ffe116468b3f775860f7097bee393ef21 commit + 802a52398c68ce1c37edd96d66d8145ea42b622f blob - 1d9dbba8a24a04835be8d5d3896ba6ef4503278e blob + addfaf2cca414a5413d9e627a4d5b2ccf98d0b87 --- sys/dev/ic/qwx.c +++ sys/dev/ic/qwx.c @@ -21584,11 +21584,8 @@ qwx_hal_free_cont_wrp(struct qwx_softc *sc) int qwx_hal_srng_init(struct qwx_softc *sc) { - struct ath11k_hal *hal = &sc->hal; int ret; - memset(hal, 0, sizeof(*hal)); - ret = qwx_hal_srng_create_config(sc); if (ret) goto err_hal; 
@@ -22668,7 +22665,8 @@ qwx_ce_cleanup_pipes(struct qwx_softc *sc) qwx_ce_rx_pipe_cleanup(pipe); /* Cleanup any src CE's which have interrupts disabled */ - qwx_ce_poll_send_completed(sc, pipe_num); + if (!test_bit(ATH11K_FLAG_QMI_FAIL, sc->sc_flags)) + qwx_ce_poll_send_completed(sc, pipe_num); } }
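Review bot: in the qwx_hal_srng_init hunk, dropping the memset() makes correctness depend on two things the hunk itself does not show: that sc->hal is zeroed once at attach (the log message says it is) and that the teardown taken on every failure and stop path clears the fields qwx_hal_srng_create_config fills in, so a re-init after `goto err_hal` or after a stop never sees stale ring state. Worth confirming the second point in review and recording the first one next to the function, e.g. a one-line comment above `ret = qwx_hal_srng_create_config(sc);` saying that sc->hal is zeroed at attach and must not be memset here because it holds live DMA allocations across resume; otherwise the next person to hit a "stale hal state" bug is likely to put the memset back.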
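Review bot: in the qwx_ce_cleanup_pipes hunk, gating `qwx_ce_poll_send_completed(sc, pipe_num);` on `!test_bit(ATH11K_FLAG_QMI_FAIL, sc->sc_flags)` uses the QMI failure flag as a proxy for "the Tx ring of this pipe was never initialized", which is what the commit message says the crash is about. That only covers the qrtr/QMI timeout path: any other early failure that leaves a src ring uninitialized but does not set ATH11K_FLAG_QMI_FAIL still reaches the poll. A check on the pipe's own src ring state would be the more direct guard and would not need the flag. Two smaller points: the log message should say explicitly that the qrtr init timeout sets ATH11K_FLAG_QMI_FAIL, since the hunk relies on it; and `qwx_ce_rx_pipe_cleanup(pipe);` two lines above stays unconditional, so it is worth stating why the Rx side is safe to clean up in the same uninitialized state.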