| Message ID | 1518011483-7704-1-git-send-email-kvalo@codeaurora.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 7 February 2018 at 13:51, Kalle Valo <kvalo@codeaurora.org> wrote: > From: Ryan Hsu <ryanhsu@codeaurora.org> > > This reverts commit 9ed4f91628737c820af6a1815b65bc06bd31518f. > > The commit introduced a regression that over read the ie with > the padding. > > - the expected IE information > > ath10k_pci 0000:03:00.0: found firmware features ie (1 B) > ath10k_pci 0000:03:00.0: Enabling feature bit: 6 > ath10k_pci 0000:03:00.0: Enabling feature bit: 7 > ath10k_pci 0000:03:00.0: features > ath10k_pci 0000:03:00.0: 00000000: c0 00 00 00 00 00 00 00 > > - the wrong IE with padding is read (0x77) > > ath10k_pci 0000:03:00.0: found firmware features ie (4 B) > ath10k_pci 0000:03:00.0: Enabling feature bit: 6 > ath10k_pci 0000:03:00.0: Enabling feature bit: 7 > ath10k_pci 0000:03:00.0: Enabling feature bit: 8 > ath10k_pci 0000:03:00.0: Enabling feature bit: 9 > ath10k_pci 0000:03:00.0: Enabling feature bit: 10 > ath10k_pci 0000:03:00.0: Enabling feature bit: 12 > ath10k_pci 0000:03:00.0: Enabling feature bit: 13 > ath10k_pci 0000:03:00.0: Enabling feature bit: 14 > ath10k_pci 0000:03:00.0: Enabling feature bit: 16 > ath10k_pci 0000:03:00.0: Enabling feature bit: 17 > ath10k_pci 0000:03:00.0: Enabling feature bit: 18 > ath10k_pci 0000:03:00.0: features > ath10k_pci 0000:03:00.0: 00000000: c0 77 07 00 00 00 00 00 > > Signed-off-by: Ryan Hsu <ryanhsu@codeaurora.org> > Signed-off-by: Kalle Valo <kvalo@codeaurora.org> > --- > drivers/net/wireless/ath/ath10k/core.c | 14 +++++++------- > 1 file changed, 7 insertions(+), 7 deletions(-) > > diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c > index b0fdc1023619..fe9341c97f31 100644 > --- a/drivers/net/wireless/ath/ath10k/core.c > +++ b/drivers/net/wireless/ath/ath10k/core.c > @@ -1276,10 +1276,7 @@ static int ath10k_core_fetch_board_data_api_n(struct ath10k *ar, > len -= sizeof(*hdr); > data = hdr->data; > > - /* jump over the padding */ > - ie_len = ALIGN(ie_len, 4); > - > - if (len < ie_len) { > + if (len < ALIGN(ie_len, 4)) { > ath10k_err(ar, "invalid length for board ie_id %d ie_len %zu len %zu\n", > ie_id, ie_len, len); > ret = -EINVAL; > @@ -1318,6 +1315,9 @@ static int ath10k_core_fetch_board_data_api_n(struct ath10k *ar, > goto out; > } > > + /* jump over the padding */ > + ie_len = ALIGN(ie_len, 4); > + > len -= ie_len; > data += ie_len; > } > @@ -1448,9 +1448,6 @@ int ath10k_core_fetch_firmware_api_n(struct ath10k *ar, const char *name, > len -= sizeof(*hdr); > data += sizeof(*hdr); > > - /* jump over the padding */ > - ie_len = ALIGN(ie_len, 4); > - > if (len < ie_len) { > ath10k_err(ar, "invalid length for FW IE %d (%zu < %zu)\n", > ie_id, len, ie_len); > @@ -1556,6 +1553,9 @@ int ath10k_core_fetch_firmware_api_n(struct ath10k *ar, const char *name, > break; > } > > + /* jump over the padding */ > + ie_len = ALIGN(ie_len, 4); > + > len -= ie_len; > data += ie_len; > } > -- > 2.7.4 > Tested-by: Mike Lothian <mike@fireburn.co.uk> Sent at HTML the first time sorry
Kalle Valo <kvalo@codeaurora.org> wrote: > This reverts commit 9ed4f91628737c820af6a1815b65bc06bd31518f. > > The commit introduced a regression that over read the ie with > the padding. > > - the expected IE information > > ath10k_pci 0000:03:00.0: found firmware features ie (1 B) > ath10k_pci 0000:03:00.0: Enabling feature bit: 6 > ath10k_pci 0000:03:00.0: Enabling feature bit: 7 > ath10k_pci 0000:03:00.0: features > ath10k_pci 0000:03:00.0: 00000000: c0 00 00 00 00 00 00 00 > > - the wrong IE with padding is read (0x77) > > ath10k_pci 0000:03:00.0: found firmware features ie (4 B) > ath10k_pci 0000:03:00.0: Enabling feature bit: 6 > ath10k_pci 0000:03:00.0: Enabling feature bit: 7 > ath10k_pci 0000:03:00.0: Enabling feature bit: 8 > ath10k_pci 0000:03:00.0: Enabling feature bit: 9 > ath10k_pci 0000:03:00.0: Enabling feature bit: 10 > ath10k_pci 0000:03:00.0: Enabling feature bit: 12 > ath10k_pci 0000:03:00.0: Enabling feature bit: 13 > ath10k_pci 0000:03:00.0: Enabling feature bit: 14 > ath10k_pci 0000:03:00.0: Enabling feature bit: 16 > ath10k_pci 0000:03:00.0: Enabling feature bit: 17 > ath10k_pci 0000:03:00.0: Enabling feature bit: 18 > ath10k_pci 0000:03:00.0: features > ath10k_pci 0000:03:00.0: 00000000: c0 77 07 00 00 00 00 00 > > Tested-by: Mike Lothian <mike@fireburn.co.uk> > Signed-off-by: Ryan Hsu <ryanhsu@codeaurora.org> > Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Patch applied to ath-current branch of ath.git, thanks. 9ce8b24aa96e Revert "ath10k: add sanity check to ie_len before parsing fw/board ie"
diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c index b0fdc1023619..fe9341c97f31 100644 --- a/drivers/net/wireless/ath/ath10k/core.c +++ b/drivers/net/wireless/ath/ath10k/core.c @@ -1276,10 +1276,7 @@ static int ath10k_core_fetch_board_data_api_n(struct ath10k *ar, len -= sizeof(*hdr); data = hdr->data; - /* jump over the padding */ - ie_len = ALIGN(ie_len, 4); - - if (len < ie_len) { + if (len < ALIGN(ie_len, 4)) { ath10k_err(ar, "invalid length for board ie_id %d ie_len %zu len %zu\n", ie_id, ie_len, len); ret = -EINVAL; @@ -1318,6 +1315,9 @@ static int ath10k_core_fetch_board_data_api_n(struct ath10k *ar, goto out; } + /* jump over the padding */ + ie_len = ALIGN(ie_len, 4); + len -= ie_len; data += ie_len; } @@ -1448,9 +1448,6 @@ int ath10k_core_fetch_firmware_api_n(struct ath10k *ar, const char *name, len -= sizeof(*hdr); data += sizeof(*hdr); - /* jump over the padding */ - ie_len = ALIGN(ie_len, 4); - if (len < ie_len) { ath10k_err(ar, "invalid length for FW IE %d (%zu < %zu)\n", ie_id, len, ie_len); @@ -1556,6 +1553,9 @@ int ath10k_core_fetch_firmware_api_n(struct ath10k *ar, const char *name, break; } + /* jump over the padding */ + ie_len = ALIGN(ie_len, 4); + len -= ie_len; data += ie_len; }