From: Wen Gong <wgong@codeaurora.org>
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH v3 1/8] ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
Date: Wed, 28 Aug 2019 21:16:10 +0800
Message-ID: <1566998177-2658-2-git-send-email-wgong@codeaurora.org>
In-Reply-To: <1566998177-2658-1-git-send-email-wgong@codeaurora.org>

When the FW bundles multiple packets, pkt->act_len may be incorrect
as it refers to the first packet only (however, the FW will only
bundle packets that fit into the same pkt->alloc_len).

Before this patch, the skb length would be set (incorrectly) to
pkt->act_len in ath10k_sdio_mbox_rx_packet, and then later manually
adjusted in ath10k_sdio_mbox_rx_process_packet.

The first problem is that ath10k_sdio_mbox_rx_process_packet does not
use proper skb_put commands to adjust the length (it directly changes
skb->len), so we end up with a mismatch between skb->head + skb->tail
and skb->data + skb->len. This is quite serious, and causes corruptions
in the TCP stack, as the stack tries to coalesce packets, and relies
on skb->tail being correct (that is, skb_tail_pointer must point to
the first byte _after_ the data).

Instead of re-adjusting the size in ath10k_sdio_mbox_rx_process_packet,
this moves the code to ath10k_sdio_mbox_rx_packet, and also adds a
bounds check, as skb_put would crash the kernel if not enough space is
available.

Tested with QCA6174 SDIO with firmware
WLAN.RMH.4.4.1-00007-QCARMSWP-1.

Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Signed-off-by: Wen Gong <wgong@codeaurora.org>
---
v2:no this patch
v2:new added
 drivers/net/wireless/ath/ath10k/sdio.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
index 8ed4fbd..1127e44 100644
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -381,16 +381,11 @@ static int ath10k_sdio_mbox_rx_process_packet(struct ath10k *ar,
 	struct ath10k_htc_hdr *htc_hdr = (struct ath10k_htc_hdr *)skb->data;
 	bool trailer_present = htc_hdr->flags & ATH10K_HTC_FLAG_TRAILER_PRESENT;
 	enum ath10k_htc_ep_id eid;
-	u16 payload_len;
 	u8 *trailer;
 	int ret;
 
-	payload_len = le16_to_cpu(htc_hdr->len);
-	skb->len = payload_len + sizeof(struct ath10k_htc_hdr);
-
 	if (trailer_present) {
-		trailer = skb->data + sizeof(*htc_hdr) +
-			  payload_len - htc_hdr->trailer_len;
+		trailer = skb->data + skb->len - htc_hdr->trailer_len;
 
 		eid = pipe_id_to_eid(htc_hdr->eid);
 
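Review bot: in the trailer_present branch, the new trailer = skb->data + skb->len - htc_hdr->trailer_len subtracts a firmware-supplied trailer_len from skb->len, and nothing visible in this hunk checks that trailer_len fits inside the payload (skb->len - sizeof(*htc_hdr)). If that check is not done further down, a trailer_len larger than the payload puts the trailer pointer inside the HTC header or before skb->data. Suggest rejecting the packet when htc_hdr->trailer_len > skb->len - sizeof(*htc_hdr) before computing the pointer. A short comment would also help here, stating that skb->len is now expected to have been set from htc_hdr->len by ath10k_sdio_mbox_rx_packet, since this function no longer derives it.
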
@@ -632,13 +627,29 @@ static int ath10k_sdio_mbox_rx_packet(struct ath10k *ar,
 {
 	struct ath10k_sdio *ar_sdio = ath10k_sdio_priv(ar);
 	struct sk_buff *skb = pkt->skb;
+	struct ath10k_htc_hdr *htc_hdr;
 	int ret;
 
 	ret = ath10k_sdio_readsb(ar, ar_sdio->mbox_info.htc_addr,
 				 skb->data, pkt->alloc_len);
+
+	if (!ret) {
+		/* Update actual length. The original length may be incorrect,
+		 * as the FW will bundle multiple packets as long as their sizes
+		 * fit within the same aligned length (pkt->alloc_len).
+		 */
+		htc_hdr = (struct ath10k_htc_hdr *)skb->data;
+		pkt->act_len = le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr);
+		if (pkt->act_len <= pkt->alloc_len) {
+			skb_put(skb, pkt->act_len);
+		} else {
+			ath10k_warn(ar, "rx packet too large (%zu > %zu)\n",
+				    pkt->act_len, pkt->alloc_len);
+			ret = -EMSGSIZE;
+		}
+	}
+
 	pkt->status = ret;
-	if (!ret)
-		skb_put(skb, pkt->act_len);
 
 	return ret;
 }
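
Review bot: in the new if (!ret) block, pkt->act_len is overwritten with le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr) before it is compared with pkt->alloc_len, so on the -EMSGSIZE path the packet is left carrying an act_len larger than its allocation. Suggest computing the length into a local, checking it, and assigning pkt->act_len only on the success path, so that no later user of pkt->act_len can see an out-of-range value. The header is also read from skb->data without a visible check that pkt->alloc_len is at least sizeof(*htc_hdr); if the allocation code guarantees that, a one-line comment saying so would help. Minor: the blank line added between the ath10k_sdio_readsb() call and the if (!ret) that tests its result can go.
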
-- 
1.9.1

