lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Z907FGWBV_MNlTcE@hovoldconsulting.com>
Date: Fri, 21 Mar 2025 11:10:28 +0100
From: Johan Hovold <johan@...nel.org>
To: Miaoqing Pan <quic_miaoqing@...cinc.com>
Cc: quic_jjohnson@...cinc.com, ath11k@...ts.infradead.org,
	linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
	johan+linaro@...nel.org
Subject: Re: [PATCH v4 ath-next 2/2] wifi: ath11k: fix HTC rx insufficient
 length

On Mon, Mar 17, 2025 at 03:20:36PM +0800, Miaoqing Pan wrote:
> A relatively unusual race condition occurs between host software
> and hardware, where the host sees the updated destination ring head
> pointer before the hardware updates the corresponding descriptor.
> When this situation occurs, the length of the descriptor returns 0.
> 
> The current error handling method is to increment descriptor tail
> pointer by 1, but 'sw_index' is not updated, causing descriptor and
> skb to not correspond one-to-one, resulting in the following error:
> 
> ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1488, expected 1492
> ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
> 
> To address this problem and work around the broken hardware,
> temporarily skip processing the current descriptor and handle it
> again next time. Also, skip updating the length field of the
> descriptor when it is 0, because there's a racing update, may
> never see the updated length.
> 
> Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04546-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
> 
> Reported-by: Johan Hovold <johan+linaro@...nel.org>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623
> Signed-off-by: Miaoqing Pan <quic_miaoqing@...cinc.com>

As I've argued elsewhere, I think this should be fixed by adding the
missing memory barrier which is needed to prevent ordering issues like
this on aarch64:

	https://lore.kernel.org/lkml/Z90yyrZcORhJJgNU@hovoldconsulting.com/

The fact that this alone does not seem to be sufficient to address the
issue on qcs615 (and qcs8300) suggests that there are further issues
with these platforms that need to be properly understood before adding
workarounds in one place in one driver.

I've just posted my fix, a version of which users have been running now
for a week without hitting the corruption (that some used to hit
multiple times a daily), here:

	https://lore.kernel.org/lkml/20250321094916.19098-1-johan+linaro@kernel.org/

> @@ -387,18 +387,26 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe,
>  
>  	ath11k_hal_srng_access_begin(ab, srng);
>  
> -	desc = ath11k_hal_srng_dst_get_next_entry(ab, srng);
> +	desc = ath11k_hal_srng_dst_peek(ab, srng);
>  	if (!desc) {
>  		ret = -EIO;
>  		goto err;
>  	}
>  
>  	*nbytes = ath11k_hal_ce_dst_status_get_length(desc);
> -	if (*nbytes == 0) {
> +	if (unlikely(*nbytes == 0)) {
> +		/* A relatively unusual race condition occurs between host
> +		 * software and hardware, where the host sees the updated
> +		 * destination ring head pointer before the hardware updates
> +		 * the corresponding descriptor. Temporarily skip processing
> +		 * the current descriptor and handle it again next time.
> +		 */
>  		ret = -EIO;
>  		goto err;

Your tests suggested that you always see the correct length the next
time you process the ring buffer, but AFAICT that is not guaranteed to
happen (i.e. if you hit this on the last transfer).

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ