| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250317072036.2066518-3-quic_miaoqing@quicinc.com>
Date: Mon, 17 Mar 2025 15:20:36 +0800
From: Miaoqing Pan <quic_miaoqing@...cinc.com>
To: <quic_jjohnson@...cinc.com>
CC: <ath11k@...ts.infradead.org>, <linux-wireless@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <johan+linaro@...nel.org>,
Miaoqing Pan
<quic_miaoqing@...cinc.com>
Subject: [PATCH v4 ath-next 2/2] wifi: ath11k: fix HTC rx insufficient length
A relatively unusual race condition occurs between host software
and hardware, where the host sees the updated destination ring head
pointer before the hardware updates the corresponding descriptor.
When this situation occurs, the length of the descriptor returns 0.
The current error handling method is to increment descriptor tail
pointer by 1, but 'sw_index' is not updated, causing descriptor and
skb to not correspond one-to-one, resulting in the following error:
ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1488, expected 1492
ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
To address this problem and work around the broken hardware,
temporarily skip processing the current descriptor and handle it
again next time. Also, skip updating the length field of the
descriptor when it is 0, because there's a racing update, may
never see the updated length.
Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04546-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
Reported-by: Johan Hovold <johan+linaro@...nel.org>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623
Signed-off-by: Miaoqing Pan <quic_miaoqing@...cinc.com>
---
drivers/net/wireless/ath/ath11k/ce.c | 14 +++++++++++---
drivers/net/wireless/ath/ath11k/hal.c | 6 +++++-
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/ce.c b/drivers/net/wireless/ath/ath11k/ce.c
index e66e86bdec20..2bc8bc97165a 100644
--- a/drivers/net/wireless/ath/ath11k/ce.c
+++ b/drivers/net/wireless/ath/ath11k/ce.c
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: BSD-3-Clause-Clear
/*
* Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2023, 2025 Qualcomm Innovation Center, Inc. All rights reserved.
*/
#include "dp_rx.h"
@@ -387,18 +387,26 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe,
ath11k_hal_srng_access_begin(ab, srng);
- desc = ath11k_hal_srng_dst_get_next_entry(ab, srng);
+ desc = ath11k_hal_srng_dst_peek(ab, srng);
if (!desc) {
ret = -EIO;
goto err;
}
*nbytes = ath11k_hal_ce_dst_status_get_length(desc);
- if (*nbytes == 0) {
+ if (unlikely(*nbytes == 0)) {
+ /* A relatively unusual race condition occurs between host
+ * software and hardware, where the host sees the updated
+ * destination ring head pointer before the hardware updates
+ * the corresponding descriptor. Temporarily skip processing
+ * the current descriptor and handle it again next time.
+ */
ret = -EIO;
goto err;
}
+ ath11k_hal_srng_dst_next(ab, srng);
+
*skb = pipe->dest_ring->skb[sw_index];
pipe->dest_ring->skb[sw_index] = NULL;
diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
index 211c085921b6..16e0b5713445 100644
--- a/drivers/net/wireless/ath/ath11k/hal.c
+++ b/drivers/net/wireless/ath/ath11k/hal.c
@@ -600,7 +600,11 @@ u32 ath11k_hal_ce_dst_status_get_length(void *buf)
u32 len;
len = FIELD_GET(HAL_CE_DST_STATUS_DESC_FLAGS_LEN, desc->flags);
- desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN;
+ /* Skip updating the length field of the descriptor when it is 0,
+ * because there's a racing update, may never see the updated length.
+ */
+ if (likely(len))
+ desc->flags &= ~HAL_CE_DST_STATUS_DESC_FLAGS_LEN;
return len;
}
--
2.25.1
Powered by blists - more mailing lists