From patchwork Mon Feb 8 13:52:54 2021
X-Patchwork-Submitter: Jérôme Pouiller
X-Patchwork-Id: 378912
From: Jerome Pouiller
To: linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Cc: devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, Greg Kroah-Hartman, Kalle Valo, "David S . Miller", Jakub Kicinski, Jérôme Pouiller
Subject: [PATCH] staging: wfx: fix possible panic with re-queued frames
Date: Mon, 8 Feb 2021 14:52:54 +0100
Message-Id: <20210208135254.399964-1-Jerome.Pouiller@silabs.com>
X-Mailer: git-send-email 2.30.0
From: Jérôme Pouiller

When the firmware rejects a frame (because the station becomes asleep or disconnected), the frame is re-queued in mac80211. However, the re-queued frame was 8 bytes longer than the original one (the size of the ICV for the encryption). So, when mac80211 tries to send this frame again, it is a little bigger than expected. If the frame is re-queued several times, it ends with a skb_over_panic because the skb buffer is not large enough.

Note it only happens when the device acts as an AP and encryption is enabled.

This patch more or less reverts the commit 049fde130419 ("staging: wfx: drop useless field from struct wfx_tx_priv").

Fixes: 049fde130419 ("staging: wfx: drop useless field from struct wfx_tx_priv")
Signed-off-by: Jérôme Pouiller
--- drivers/staging/wfx/data_tx.c | 10 +++++++++- drivers/staging/wfx/data_tx.h | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/staging/wfx/data_tx.c b/drivers/staging/wfx/data_tx.c index 36b36ef39d05..77fb104efdec 100644 --- a/drivers/staging/wfx/data_tx.c +++ b/drivers/staging/wfx/data_tx.c @@ -331,6 +331,7 @@ static int wfx_tx_inner(struct wfx_vif *wvif, struct ieee80211_sta *sta, { struct hif_msg *hif_msg; struct hif_req_tx *req; + struct wfx_tx_priv *tx_priv; struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb); struct ieee80211_key_conf *hw_key = tx_info->control.hw_key; struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 
@@ -344,11 +345,14 @@ static int wfx_tx_inner(struct wfx_vif *wvif, struct ieee80211_sta *sta, // From now tx_info->control is unusable memset(tx_info->rate_driver_data, 0, sizeof(struct wfx_tx_priv)); + // Fill tx_priv + tx_priv = (struct wfx_tx_priv *)tx_info->rate_driver_data; + tx_priv->icv_size = wfx_tx_get_icv_len(hw_key); // Fill hif_msg WARN(skb_headroom(skb) < wmsg_len, "not enough space in skb"); WARN(offset & 1, "attempt to transmit an unaligned frame"); - skb_put(skb, wfx_tx_get_icv_len(hw_key)); + skb_put(skb, tx_priv->icv_size); skb_push(skb, wmsg_len); memset(skb->data, 0, wmsg_len); hif_msg = (struct hif_msg *)skb->data; @@ -484,6 +488,7 @@ static void wfx_tx_fill_rates(struct wfx_dev *wdev, void wfx_tx_confirm_cb(struct wfx_dev *wdev, const struct hif_cnf_tx *arg) { + const struct wfx_tx_priv *tx_priv; struct ieee80211_tx_info *tx_info; struct wfx_vif *wvif; struct sk_buff *skb; @@ -495,6 +500,7 @@ void wfx_tx_confirm_cb(struct wfx_dev *wdev, const struct hif_cnf_tx *arg) return; } tx_info = IEEE80211_SKB_CB(skb); + tx_priv = wfx_skb_tx_priv(skb); wvif = wdev_to_wvif(wdev, ((struct hif_msg *)skb->data)->interface); WARN_ON(!wvif); if (!wvif) @@ -503,6 +509,8 @@ void wfx_tx_confirm_cb(struct wfx_dev *wdev, const struct hif_cnf_tx *arg) // Note that wfx_pending_get_pkt_us_delay() get data from tx_info _trace_tx_stats(arg, skb, wfx_pending_get_pkt_us_delay(wdev, skb)); wfx_tx_fill_rates(wdev, tx_info, arg); + skb_trim(skb, skb->len - tx_priv->icv_size); + // From now, you can touch to tx_info->status, but do not touch to // tx_priv anymore // FIXME: use ieee80211_tx_info_clear_status() diff --git a/drivers/staging/wfx/data_tx.h b/drivers/staging/wfx/data_tx.h index 46c9fff7a870..401363d6b563 100644 --- a/drivers/staging/wfx/data_tx.h +++ b/drivers/staging/wfx/data_tx.h @@ -35,6 +35,7 @@ struct tx_policy_cache { struct wfx_tx_priv { ktime_t xmit_timestamp; + unsigned char icv_size; }; void wfx_tx_policy_init(struct wfx_vif *wvif);
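
Review bot: in the wfx_tx_inner hunk (@@ -344), tx_priv is obtained with a raw cast of tx_info->rate_driver_data, while wfx_tx_confirm_cb reads the same area through wfx_skb_tx_priv(skb). Using the accessor in both places would keep the location of the private area defined in one spot, so the icv_size stored at transmit time is certain to be the one read back at confirmation. The assignment is also only correct because it comes after the memset of rate_driver_data; the "Fill tx_priv" comment should say so, since moving it above the memset would silently store 0.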
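
Review bot: in the wfx_tx_confirm_cb hunk (@@ -503), the new skb_trim(skb, skb->len - tx_priv->icv_size) has no comment, although it is the counterpart of the skb_put in wfx_tx_inner and the pairing spans two functions. A one-line comment stating that the ICV room must be removed before the frame can go back to mac80211 would keep the field from being dropped as useless again, which is what the commit named in Fixes: did. The trim also sits after the "if (!wvif)" early exit visible in the @@ -495 hunk, so a frame leaving through that path keeps its extra icv_size bytes; please confirm that this path never hands the skb back for re-queueing, or move the trim above the check.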
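
Review bot: in the data_tx.h hunk, struct wfx_tx_priv grows by one field while it is overlaid on tx_info->rate_driver_data (see the memset with sizeof(struct wfx_tx_priv) in wfx_tx_inner), and the visible lines carry no compile-time check that it still fits. A BUILD_BUG_ON comparing sizeof(struct wfx_tx_priv) with the size of rate_driver_data, placed next to the accessor, would make that constraint explicit. As a style point, kernel code usually spells this type u8 rather than unsigned char, and a short comment on icv_size saying it is the number of bytes appended by skb_put at transmit time would document why the field exists.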