Message ID | 20200401110405.80282-9-Jerome.Pouiller@silabs.com |
---|---|
Series | staging: wfx: rework the Tx queue | expand |
On Wed, Apr 01, 2020 at 01:03:41PM +0200, Jerome Pouiller wrote: > From: Jérôme Pouiller <jerome.pouiller@silabs.com> > > The last argument of hif_handle_tx_data() was now unused. In add, > hif_handle_tx_data() has nothing to do with HIF layer and should be > renamed. Finally, it not convenient to pass a wfx_vif as parameter. It > is easier to let hif_handle_tx_data() find the interface itself. > > Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> > --- > drivers/staging/wfx/queue.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/drivers/staging/wfx/queue.c b/drivers/staging/wfx/queue.c > index 2553f77522d9..8647731e02c0 100644 > --- a/drivers/staging/wfx/queue.c > +++ b/drivers/staging/wfx/queue.c > @@ -319,13 +319,17 @@ bool wfx_tx_queues_is_empty(struct wfx_dev *wdev) > return ret; > } > > -static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb, > - struct wfx_queue *queue) > +static bool wfx_handle_tx_data(struct wfx_dev *wdev, struct sk_buff *skb) > { > struct hif_req_tx *req = wfx_skb_txreq(skb); > struct ieee80211_key_conf *hw_key = wfx_skb_tx_priv(skb)->hw_key; > struct ieee80211_hdr *frame = > (struct ieee80211_hdr *)(req->frame + req->data_flags.fc_offset); > + struct wfx_vif *wvif = > + wdev_to_wvif(wdev, ((struct hif_msg *)skb->data)->interface); ^^^^^^^^^ This is on the TX side so it's probably okay, but one problem I have noticed is that we do this on the RX side as well without checking that if (skb->len < sizeof(struct hif_msg)) return -EINVAL; So we could be reading beyond the end of the skb. If we got really unlucky it could lead to an Oops. regards, dan carpenter
On Thursday 2 April 2020 15:13:39 CEST Dan Carpenter wrote: > On Wed, Apr 01, 2020 at 01:03:41PM +0200, Jerome Pouiller wrote: [...] > This is on the TX side so it's probably okay, but one problem I have > noticed is that we do this on the RX side as well with checking that > > if (skb->len < sizeof(struct hif_msg)) > return -EINVAL; > > So we could be reading beyond the end of the skb. If we got really > unlucky it could lead to an Oops. > > regards, > dan carpenter > > Hello Dan, The function rx_helper() in bh.c already does some sanity checks on received data: 60 WARN(read_len < 4, "corrupted read"); [...] 92 } else { 93 computed_len = round_up(hif->len, 2); 94 } 95 if (computed_len != read_len) { 96 dev_err(wdev->dev, "inconsistent message length: %zu != %zu\n", 97 computed_len, read_len); 98 print_hex_dump(KERN_INFO, "hif: ", DUMP_PREFIX_OFFSET, 16, 1, 99 hif, read_len, true); 100 goto err; 101 } However, I can improve this code: - "4" should be replaced by "sizeof(struct hif_msg)" for readability - hif->len is tested through computed_len, but I am not sure I can prove that it covers all cases - rx_helper() should recover from the error if read_len < 4 I'll add that to my TODO list.
diff --git a/drivers/staging/wfx/queue.c b/drivers/staging/wfx/queue.c
index 2553f77522d9..8647731e02c0 100644
--- a/drivers/staging/wfx/queue.c
+++ b/drivers/staging/wfx/queue.c
@@ -319,13 +319,17 @@ bool wfx_tx_queues_is_empty(struct wfx_dev *wdev)
 return ret;
 }
-static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb,
- struct wfx_queue *queue)
+static bool wfx_handle_tx_data(struct wfx_dev *wdev, struct sk_buff *skb)
 {
 struct hif_req_tx *req = wfx_skb_txreq(skb);
 struct ieee80211_key_conf *hw_key = wfx_skb_tx_priv(skb)->hw_key;
 struct ieee80211_hdr *frame =
 (struct ieee80211_hdr *)(req->frame + req->data_flags.fc_offset);
+ struct wfx_vif *wvif =
+ wdev_to_wvif(wdev, ((struct hif_msg *)skb->data)->interface);
+
+ if (!wvif)
+ return false;
 // FIXME: mac80211 is smart enough to handle BSS loss. Driver should not
 // try to do anything about that.
@@ -344,12 +348,12 @@ static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb,
 hw_key && hw_key->keyidx != wvif->wep_default_key_id &&
 (hw_key->cipher == WLAN_CIPHER_SUITE_WEP40 ||
 hw_key->cipher == WLAN_CIPHER_SUITE_WEP104)) {
- wfx_tx_lock(wvif->wdev);
+ wfx_tx_lock(wdev);
 WARN_ON(wvif->wep_pending_skb);
 wvif->wep_default_key_id = hw_key->keyidx;
 wvif->wep_pending_skb = skb;
 if (!schedule_work(&wvif->wep_key_work))
- wfx_tx_unlock(wvif->wdev);
+ wfx_tx_unlock(wdev);
 return true;
 } else {
 return false;
@@ -496,13 +500,10 @@ struct hif_msg *wfx_tx_queues_get(struct wfx_dev *wdev)
 skb = wfx_tx_queue_get(wdev, queue, tx_allowed_mask);
 if (!skb)
 continue;
- hif = (struct hif_msg *)skb->data;
- wvif = wdev_to_wvif(wdev, hif->interface);
- WARN_ON(!wvif);
- if (hif_handle_tx_data(wvif, skb, queue))
+ if (wfx_handle_tx_data(wdev, skb))
 continue;
 /* Handled by WSM */
- return hif;
+ return (struct hif_msg *)skb->data;
 }
 }
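Review bot: The `if (!wvif) return false;` added at the top of wfx_handle_tx_data makes a vanished interface indistinguishable from "not handled here": in wfx_tx_queues_get (third hunk) a false return means the skb is handed on as `(struct hif_msg *)skb->data`, so a frame whose vif no longer exists is now transmitted silently, whereas the removed `WARN_ON(!wvif)` at least reported the condition before the old code went on to dereference wvif. Keeping the diagnostic costs nothing, `if (WARN_ON(!wvif)) return false;`, and a one-line comment on that early return saying whether sending such a frame is intended or whether it should be dropped would save the next reader from guessing, since the caller cannot tell the two cases apart. The body of wfx_handle_tx_data continues outside the hunk.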