From patchwork Tue Aug 27 00:33:26 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Boichat <drinkcat@chromium.org>
X-Patchwork-Id: 11115897
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <SRS0=iaJH=WX=vger.kernel.org=linux-wireless-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B2CDB13B1
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Tue, 27 Aug 2019 00:34:40 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 8701A2080C
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Tue, 27 Aug 2019 00:34:40 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org
 header.b="TbRrANRI"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728436AbfH0Aeg (ORCPT
        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
        Mon, 26 Aug 2019 20:34:36 -0400
Received: from mail-pf1-f195.google.com ([209.85.210.195]:39388 "EHLO
        mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726596AbfH0Aef (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 26 Aug 2019 20:34:35 -0400
Received: by mail-pf1-f195.google.com with SMTP id y200so5218881pfb.6
        for <linux-wireless@vger.kernel.org>;
 Mon, 26 Aug 2019 17:34:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=3Vs+TQr7hHy2v8MzMkCOjJVcnNTmLTAgeFS/JpBulfo=;
        b=TbRrANRIH92j2fSmCx5BdSbQOzmBU/XbqoZ7xd1Ww6AaUEz68WzvbdIanurUAl4uCi
         TY5ohivdtzQn+XaVmJg6fPUKxrj24BAg74pSnwI7DkAuOrdvMiXXCrTy2hSlOyRnUj+6
         wtSltIyQcEmY1aect58Y183r1a351O76l3nNE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=3Vs+TQr7hHy2v8MzMkCOjJVcnNTmLTAgeFS/JpBulfo=;
        b=Q3MvVMnChfayL2QvSal+QIyXjy8UxzmnzAeITMuMTXLraX9p0YQ4Gkk11xBX0yBDxb
         qBsBeZ98Q1OhaO83kS0GysIA6mqHMgt01pzrf2ihX/OjRIIGlbJp64ZlH9WkkQYMzYBn
         jEvjNjrgigF+ck7krCf4bWz7K2WEnA7CSjGKvsWd1nKugvKmwVvdSoSpQKH2CuiVjo9n
         5UumhLmyengNn7nzXzPoJtoXVNvortKBleXWv+foMB4eqAkVbWEx3cZkF00CFuN9nFvf
         MaHA0x+5PyunZvk/lZGcpf0HbZu7fyU3ixtPnqvX69eXjOoTb8gq8V/W5u1ZME2ZTmCV
         wvJA==
X-Gm-Message-State: APjAAAUNLo4po2Pv37ds/VdPfeQ9tRYde19OS6SEZ3NNlgmTSmbuNT26
        LyKRqI1Fdg/Q2uz32KymswOeWg==
X-Google-Smtp-Source: 
 APXvYqyXHySgZZYqvzNM28Yd+pRvNdNbnVHxIZpOA4FgrKCaNtwMUDuAlL2eCKLsx6jrUwC8C3dTJQ==
X-Received: by 2002:a05:6a00:8e:: with SMTP id
 c14mr22563388pfj.241.1566866074901;
        Mon, 26 Aug 2019 17:34:34 -0700 (PDT)
Received: from drinkcat2.tpe.corp.google.com
 ([2401:fa00:1:b:d8b7:33af:adcb:b648])
        by smtp.gmail.com with ESMTPSA id
 a23sm9081429pfc.71.2019.08.26.17.34.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 26 Aug 2019 17:34:34 -0700 (PDT)
From: Nicolas Boichat <drinkcat@chromium.org>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S . Miller" <davem@davemloft.net>,
        ath10k@lists.infradead.org, linux-wireless@vger.kernel.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        wgong@codeaurora.org, Niklas Cassel <niklas.cassel@linaro.org>,
        Alagu Sankar <alagusankar@silex-india.com>,
        briannorris@chromium.org, tientzu@chromium.org
Subject: [PATCH,RFC] ath10k: Fix skb->len (properly) in
 ath10k_sdio_mbox_rx_packet
Date: Tue, 27 Aug 2019 08:33:26 +0800
Message-Id: <20190827003326.147452-1-drinkcat@chromium.org>
X-Mailer: git-send-email 2.23.0.187.g17f5b7556c-goog
MIME-Version: 1.0
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

(not a formal patch, take this as a bug report for now, I can clean
up depending on the feedback I get here)

There's at least 3 issues here, and the patch fixes 2/3 only, I'm not sure
how/if 1 should be handled.
 1. ath10k_sdio_mbox_rx_alloc allocating skb of a incorrect size (too
    small)
 2. ath10k_sdio_mbox_rx_packet calling skb_put with that incorrect size.
 3. ath10k_sdio_mbox_rx_process_packet attempts to fixup the size, but
    does not use proper skb_put commands to do so, so we end up with
    a mismatch between skb->head + skb->tail and skb->data + skb->len.

Let's start with 3, this is quite serious as this and causes corruptions
in the TCP stack, as the stack tries to coalesce packets, and relies on
skb->tail being correct (that is, skb_tail_pointer must point to the
first byte _after_ the data): one must never manipulate skb->len
directly.

Instead, we need to use skb_put to allocate more space (which updates
skb->len and skb->tail). But it seems odd to do that in
ath10k_sdio_mbox_rx_process_packet, so I move the code to
ath10k_sdio_mbox_rx_packet (point 2 above).

However, there is still something strange (point 1 above), why is
ath10k_sdio_mbox_rx_alloc allocating packets of the incorrect
(too small?) size? What happens if the packet is bigger than alloc_len?
Does this lead to corruption/lost data?

Fixes: 8530b4e7b22bc3b ("ath10k: sdio: set skb len for all rx packets")
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
---

One simple way to test this is this scriplet, that sends a lot of
small packets over SSH:
(for i in `seq 1 300`; do echo $i; sleep 0.1; done) | ssh $IP cat

In my testing it rarely ever reach 300 without failure.

 drivers/net/wireless/ath/ath10k/sdio.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
index 8ed4fbd8d6c3888..a9f5002863ee7bb 100644
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -381,16 +381,14 @@ static int ath10k_sdio_mbox_rx_process_packet(struct ath10k *ar,
 	struct ath10k_htc_hdr *htc_hdr = (struct ath10k_htc_hdr *)skb->data;
 	bool trailer_present = htc_hdr->flags & ATH10K_HTC_FLAG_TRAILER_PRESENT;
 	enum ath10k_htc_ep_id eid;
-	u16 payload_len;
 	u8 *trailer;
 	int ret;
 
-	payload_len = le16_to_cpu(htc_hdr->len);
-	skb->len = payload_len + sizeof(struct ath10k_htc_hdr);
+	/* TODO: Remove this? */
+	WARN_ON(skb->len != le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr));
 
 	if (trailer_present) {
-		trailer = skb->data + sizeof(*htc_hdr) +
-			  payload_len - htc_hdr->trailer_len;
+		trailer = skb->data + skb->len - htc_hdr->trailer_len;
 
 		eid = pipe_id_to_eid(htc_hdr->eid);
 
@@ -637,8 +635,16 @@ static int ath10k_sdio_mbox_rx_packet(struct ath10k *ar,
 	ret = ath10k_sdio_readsb(ar, ar_sdio->mbox_info.htc_addr,
 				 skb->data, pkt->alloc_len);
 	pkt->status = ret;
-	if (!ret)
+	if (!ret) {
+		/* Update actual length. */
+		/* FIXME: This looks quite wrong, why is pkt->act_len not
+		 * correct in the first place?
+		 */
+		struct ath10k_htc_hdr *htc_hdr =
+			(struct ath10k_htc_hdr *)skb->data;
+		pkt->act_len = le16_to_cpu(htc_hdr->len) + sizeof(*htc_hdr);
 		skb_put(skb, pkt->act_len);
+	}
 
 	return ret;
 }