1 From patchwork Mon Mar 20 13:38:40 2023
2 Content-Type: text/plain; charset="utf-8"
4 Content-Transfer-Encoding: 7bit
5 X-Patchwork-Submitter: Nagarajan Maran <quic_nmaran@quicinc.com>
6 X-Patchwork-Id: 13181272
7 X-Patchwork-Delegate: kvalo@adurom.com
8 Return-Path: <linux-wireless-owner@vger.kernel.org>
9 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
10 aws-us-west-2-korg-lkml-1.web.codeaurora.org
11 Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
12 by smtp.lore.kernel.org (Postfix) with ESMTP id 6F899C6FD1D
13 for <linux-wireless@archiver.kernel.org>;
14 Mon, 20 Mar 2023 13:39:52 +0000 (UTC)
15 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
16 id S231824AbjCTNjm (ORCPT
17 <rfc822;linux-wireless@archiver.kernel.org>);
18 Mon, 20 Mar 2023 09:39:42 -0400
19 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44860 "EHLO
20 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
21 with ESMTP id S231795AbjCTNjT (ORCPT
22 <rfc822;linux-wireless@vger.kernel.org>);
23 Mon, 20 Mar 2023 09:39:19 -0400
24 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com
26 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD4CC1A66C
27 for <linux-wireless@vger.kernel.org>;
28 Mon, 20 Mar 2023 06:39:10 -0700 (PDT)
29 Received: from pps.filterd (m0279872.ppops.net [127.0.0.1])
30 by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
32 Mon, 20 Mar 2023 13:39:05 GMT
33 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com;
35 subject : date : message-id : mime-version : content-type; s=qcppdkim1;
36 bh=jMz2u2+gyjJJcj5tuRPYVv0di+sn1S5ni8sqhMu/9Kg=;
37 b=BNz+KGi99iSZhDkes9KWF52w7CzSYjHOAYXTfBPlCQk7pM1ZZAIsxB8H3zGnapUkas/r
38 1FfSr/9GpQ+5F6LsOEhJ4KF4Us8wsGi/jZnw25FoCqH4jPqhHPQzcC4jaVzVtNdjiA/0
39 PlEKhMhP6ULKuRkpbM7RDNigSEYSRmhgqbWkVUL69mwPEJi2oHbhQgxFGFO75Rmfk+Gt
40 8w4fd4JPJXA1PNOxL3X8nGYxxzxTsUvQi80R1Tm683dJg7fwBKlNOyD/BlmnrBGBeIqv
41 CMVmf/KTnEUEFt7WWsvQInmEBZG+JH8TvwUAZ9ndRKqA4kCNXqS5+79KGzUuBP80f3yv ow==
42 Received: from nalasppmta01.qualcomm.com (Global_NAT1.qualcomm.com
44 by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3pen6hrh12-1
45 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
47 Mon, 20 Mar 2023 13:39:05 +0000
48 Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com
50 by NALASPPMTA01.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id
52 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
54 Mon, 20 Mar 2023 13:39:04 GMT
55 Received: from nmaran-linux.qualcomm.com (10.80.80.8) by
56 nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server
57 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
58 15.2.986.41; Mon, 20 Mar 2023 06:39:02 -0700
59 From: Nagarajan Maran <quic_nmaran@quicinc.com>
60 To: <ath11k@lists.infradead.org>
61 CC: <linux-wireless@vger.kernel.org>,
62 Bhagavathi Perumal S <quic_bperumal@quicinc.com>,
63 Nagarajan Maran <quic_nmaran@quicinc.com>
64 Subject: [PATCH] wifi: ath11k: Fix invalid management rx frame length issue
65 Date: Mon, 20 Mar 2023 19:08:40 +0530
66 Message-ID: <20230320133840.30162-1-quic_nmaran@quicinc.com>
67 X-Mailer: git-send-email 2.17.1
69 X-Originating-IP: [10.80.80.8]
70 X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To
71 nalasex01a.na.qualcomm.com (10.47.209.196)
72 X-QCInternal: smtphost
73 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800
75 X-Proofpoint-ORIG-GUID: 8NkXcGNm6eXVpjTaeMT1e0VxZ9FeT59R
76 X-Proofpoint-GUID: 8NkXcGNm6eXVpjTaeMT1e0VxZ9FeT59R
77 X-Proofpoint-Virus-Version: vendor=baseguard
78 engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
79 definitions=2023-03-20_09,2023-03-20_02,2023-02-09_01
80 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
82 malwarescore=0 priorityscore=1501 mlxscore=0 bulkscore=0 adultscore=0
83 spamscore=0 impostorscore=0 phishscore=0 clxscore=1011 suspectscore=0
84 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1
85 engine=8.12.0-2303150002 definitions=main-2303200115
87 List-ID: <linux-wireless.vger.kernel.org>
88 X-Mailing-List: linux-wireless@vger.kernel.org
90 From: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
92 The WMI management rx event has multiple arrays of TLVs, however the common
93 WMI TLV parser won't handle multiple TLV tags of same type.
94 So the multiple array tags of WMI management rx TLV is parsed incorrectly
95 and the length calculated becomes wrong when the target sends multiple
98 Add separate TLV parser to handle multiple arrays for WMI management rx
99 TLV. This fixes invalid length issue when the target sends multiple array
102 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
104 Signed-off-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
105 Co-developed-by: Nagarajan Maran <quic_nmaran@quicinc.com>
106 Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
108 drivers/net/wireless/ath/ath11k/wmi.c | 45 +++++++++++++++++++++------
109 1 file changed, 35 insertions(+), 10 deletions(-)
112 base-commit: 3df3715e556027e94246b2cb30986563362a65f4
114 --- a/drivers/net/wireless/ath/ath11k/wmi.c
115 +++ b/drivers/net/wireless/ath/ath11k/wmi.c
116 @@ -82,6 +82,12 @@ struct wmi_tlv_fw_stats_parse {
117 bool chain_rssi_done;
120 +struct wmi_tlv_mgmt_rx_parse {
121 + const struct wmi_mgmt_rx_hdr *fixed;
122 + const u8 *frame_buf;
123 + bool frame_buf_done;
126 static const struct wmi_tlv_policy wmi_tlv_policies[] = {
129 @@ -5633,28 +5639,49 @@ static int ath11k_pull_vdev_stopped_para
133 +static int ath11k_wmi_tlv_mgmt_rx_parse(struct ath11k_base *ab,
135 + const void *ptr, void *data)
137 + struct wmi_tlv_mgmt_rx_parse *parse = data;
140 + case WMI_TAG_MGMT_RX_HDR:
141 + parse->fixed = ptr;
143 + case WMI_TAG_ARRAY_BYTE:
144 + if (!parse->frame_buf_done) {
145 + parse->frame_buf = ptr;
146 + parse->frame_buf_done = true;
153 static int ath11k_pull_mgmt_rx_params_tlv(struct ath11k_base *ab,
155 struct mgmt_rx_event_params *hdr)
158 + struct wmi_tlv_mgmt_rx_parse parse = { };
159 const struct wmi_mgmt_rx_hdr *ev;
163 - tb = ath11k_wmi_tlv_parse_alloc(ab, skb->data, skb->len, GFP_ATOMIC);
166 - ath11k_warn(ab, "failed to parse tlv: %d\n", ret);
167 + ret = ath11k_wmi_tlv_iter(ab, skb->data, skb->len,
168 + ath11k_wmi_tlv_mgmt_rx_parse,
171 + ath11k_warn(ab, "failed to parse mgmt rx tlv %d\n",
176 - ev = tb[WMI_TAG_MGMT_RX_HDR];
177 - frame = tb[WMI_TAG_ARRAY_BYTE];
179 + frame = parse.frame_buf;
182 ath11k_warn(ab, "failed to fetch mgmt rx hdr");
187 @@ -5673,7 +5700,6 @@ static int ath11k_pull_mgmt_rx_params_tl
189 if (skb->len < (frame - skb->data) + hdr->buf_len) {
190 ath11k_warn(ab, "invalid length in mgmt rx hdr ev");
195 @@ -5685,7 +5711,6 @@ static int ath11k_pull_mgmt_rx_params_tl
197 ath11k_ce_byte_swap(skb->data, hdr->buf_len);