| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2b56c510-2e49-451d-bb50-d96ce3aacff1@oss.qualcomm.com>
Date: Fri, 6 Jun 2025 16:00:17 -0700
From: Jeff Johnson <jeff.johnson@....qualcomm.com>
To: Johan Hovold <johan@...nel.org>, Miaoqing Pan <quic_miaoqing@...cinc.com>
Cc: quic_jjohnson@...cinc.com, ath11k@...ts.infradead.org,
linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org,
johan+linaro@...nel.org
Subject: Re: [PATCH v4 ath-next 2/2] wifi: ath11k: fix HTC rx insufficient
length
On 3/21/2025 3:10 AM, Johan Hovold wrote:
> On Mon, Mar 17, 2025 at 03:20:36PM +0800, Miaoqing Pan wrote:
>> A relatively unusual race condition occurs between host software
>> and hardware, where the host sees the updated destination ring head
>> pointer before the hardware updates the corresponding descriptor.
>> When this situation occurs, the length of the descriptor returns 0.
>>
>> The current error handling method is to increment descriptor tail
>> pointer by 1, but 'sw_index' is not updated, causing descriptor and
>> skb to not correspond one-to-one, resulting in the following error:
>>
>> ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1488, expected 1492
>> ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
>>
>> To address this problem and work around the broken hardware,
>> temporarily skip processing the current descriptor and handle it
>> again next time. Also, skip updating the length field of the
>> descriptor when it is 0, because there's a racing update, may
>> never see the updated length.
>>
>> Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04546-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
>>
>> Reported-by: Johan Hovold <johan+linaro@...nel.org>
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623
>> Signed-off-by: Miaoqing Pan <quic_miaoqing@...cinc.com>
>
> As I've argued elsewhere, I think this should be fixed by adding the
> missing memory barrier which is needed to prevent ordering issues like
> this on aarch64:
>
> https://lore.kernel.org/lkml/Z90yyrZcORhJJgNU@hovoldconsulting.com/
>
> The fact that this alone does not seem to be sufficient to address the
> issue on qcs615 (and qcs8300) suggests that there are further issues
> with these platforms that need to be properly understood before adding
> workarounds in one place in one driver.
>
> I've just posted my fix, a version of which users have been running now
> for a week without hitting the corruption (that some used to hit
> multiple times a daily), here:
>
> https://lore.kernel.org/lkml/20250321094916.19098-1-johan+linaro@kernel.org/
>
>> @@ -387,18 +387,26 @@ static int ath11k_ce_completed_recv_next(struct ath11k_ce_pipe *pipe,
>>
>> ath11k_hal_srng_access_begin(ab, srng);
>>
>> - desc = ath11k_hal_srng_dst_get_next_entry(ab, srng);
>> + desc = ath11k_hal_srng_dst_peek(ab, srng);
>> if (!desc) {
>> ret = -EIO;
>> goto err;
>> }
>>
>> *nbytes = ath11k_hal_ce_dst_status_get_length(desc);
>> - if (*nbytes == 0) {
>> + if (unlikely(*nbytes == 0)) {
>> + /* A relatively unusual race condition occurs between host
>> + * software and hardware, where the host sees the updated
>> + * destination ring head pointer before the hardware updates
>> + * the corresponding descriptor. Temporarily skip processing
>> + * the current descriptor and handle it again next time.
>> + */
>> ret = -EIO;
>> goto err;
>
> Your tests suggested that you always see the correct length the next
> time you process the ring buffer, but AFAICT that is not guaranteed to
> happen (i.e. if you hit this on the last transfer).
I'm going to mark this as Deferred in patchwork.
Let's have Johan's complete set of barrier changes land both in ath11k and
ath12k, and then re-evaluate the need for your workaround after that.
/jeff
Powered by blists - more mailing lists