diff mbox

Regression in ath10k

Message ID CAHbf0-Eb3=OgpDLhgacYP4hcffh_9Y-iUj0GQAbzj2O9ag=z0A@mail.gmail.com (mailing list archive)
State RFC
Delegated to: Kalle Valo
Headers show

Commit Message

Mike Lothian Feb. 5, 2018, 10:38 p.m. UTC 
Hi

Since the merge window opened I've been unable to see any wireless
networks or join my usual access point

I bisected this to:

9ed4f91628737c820af6a1815b65bc06bd31518f is the first bad commit
commit 9ed4f91628737c820af6a1815b65bc06bd31518f
Author: Ryan Hsu <ryanhsu@codeaurora.org>
Date:   Tue Jan 16 11:43:49 2018 +0200

   ath10k: add sanity check to ie_len before parsing fw/board ie

   Validate ie_len after the alignment padding before access the buffer
   to avoid potential overflow.

   Signed-off-by: Ryan Hsu <ryanhsu@codeaurora.org>
   Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

And I can confirm that reverting the patch makes things work again (attached)

Device:

3c:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac
Wireless Network Adapter [168c:003e] (rev 32)

Firmware:

https://github.com/kvalo/ath10k-firmware

ath10k-firmware/QCA6174/hw3.0/4.4.1.c1

There was nothing obvious in the dmesg

Regards

Mike

Comments

Mike Lothian Feb. 6, 2018, 1:13 p.m. UTC | #1 
On 5 February 2018 at 22:38, Mike Lothian <mike@fireburn.co.uk> wrote:
> Hi
>
> Since the merge window opened I've been unable to see any wireless
> networks or join my usual access point
>
> I bisected this to:
>
> 9ed4f91628737c820af6a1815b65bc06bd31518f is the first bad commit
> commit 9ed4f91628737c820af6a1815b65bc06bd31518f
> Author: Ryan Hsu <ryanhsu@codeaurora.org>
> Date:   Tue Jan 16 11:43:49 2018 +0200
>
>    ath10k: add sanity check to ie_len before parsing fw/board ie
>
>    Validate ie_len after the alignment padding before access the buffer
>    to avoid potential overflow.
>
>    Signed-off-by: Ryan Hsu <ryanhsu@codeaurora.org>
>    Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
>
> And I can confirm that reverting the patch makes things work again (attached)
>
> Device:
>
> 3c:00.0 Network controller [0280]: Qualcomm Atheros QCA6174 802.11ac
> Wireless Network Adapter [168c:003e] (rev 32)
>
> Firmware:
>
> https://github.com/kvalo/ath10k-firmware
>
> ath10k-firmware/QCA6174/hw3.0/4.4.1.c1
>
> There was nothing obvious in the dmesg
>
> Regards
>
> Mike

Adding in the ath10k list and another email address for Kalle
diff mbox

Patch

commit 95f211b87b23a2586ea5cb01f61e8f7945b7804e
Author: Mike Lothian <mike@fireburn.co.uk>
Date:   Mon Feb 5 22:16:41 2018 +0000

    Revert "ath10k: add sanity check to ie_len before parsing fw/board ie"
    
    This reverts commit 9ed4f91628737c820af6a1815b65bc06bd31518f.

diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c
index b0fdc1023619..e89a7846dddb 100644
--- a/drivers/net/wireless/ath/ath10k/core.c
+++ b/drivers/net/wireless/ath/ath10k/core.c
@@ -1276,10 +1276,7 @@  static int ath10k_core_fetch_board_data_api_n(struct ath10k *ar,
 		len -= sizeof(*hdr);
 		data = hdr->data;
 
-		/* jump over the padding */
-		ie_len = ALIGN(ie_len, 4);
-
-		if (len < ie_len) {
+		if (len < ALIGN(ie_len, 4)) {
 			ath10k_err(ar, "invalid length for board ie_id %d ie_len %zu len %zu\n",
 				   ie_id, ie_len, len);
 			ret = -EINVAL;
@@ -1318,6 +1315,8 @@  static int ath10k_core_fetch_board_data_api_n(struct ath10k *ar,
 			goto out;
 		}
 
+		/* jump over the padding */
+		ie_len = ALIGN(ie_len, 4);
 		len -= ie_len;
 		data += ie_len;
 	}
@@ -1448,9 +1447,6 @@  int ath10k_core_fetch_firmware_api_n(struct ath10k *ar, const char *name,
 		len -= sizeof(*hdr);
 		data += sizeof(*hdr);
 
-		/* jump over the padding */
-		ie_len = ALIGN(ie_len, 4);
-
 		if (len < ie_len) {
 			ath10k_err(ar, "invalid length for FW IE %d (%zu < %zu)\n",
 				   ie_id, len, ie_len);
@@ -1556,6 +1552,9 @@  int ath10k_core_fetch_firmware_api_n(struct ath10k *ar, const char *name,
 			break;
 		}
 
+		/* jump over the padding */
+		ie_len = ALIGN(ie_len, 4);
+
 		len -= ie_len;
 		data += ie_len;
 	}