
[08/32] staging: wfx: simplify hif_handle_tx_data()

Message ID 20200401110405.80282-9-Jerome.Pouiller@silabs.com
State Not Applicable
Delegated to: David Miller
Series staging: wfx: rework the Tx queue | expand

Commit Message

Jérôme Pouiller April 1, 2020, 11:03 a.m. UTC
From: Jérôme Pouiller <jerome.pouiller@silabs.com>

The last argument of hif_handle_tx_data() is now unused. In addition,
hif_handle_tx_data() has nothing to do with the HIF layer and should be
renamed. Finally, it is not convenient to pass a wfx_vif as a parameter. It
is easier to let hif_handle_tx_data() find the interface itself.

Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
---
 drivers/staging/wfx/queue.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

Comments

Dan Carpenter April 2, 2020, 1:13 p.m. UTC | #1
On Wed, Apr 01, 2020 at 01:03:41PM +0200, Jerome Pouiller wrote:
> From: Jérôme Pouiller <jerome.pouiller@silabs.com>
> 
> The last argument of hif_handle_tx_data() was now unused. In add,
> hif_handle_tx_data() has nothing to do with HIF layer and should be
> renamed. Finally, it not convenient to pass a wfx_vif as parameter. It
> is easier to let hif_handle_tx_data() find the interface itself.
> 
> Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
> ---
>  drivers/staging/wfx/queue.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/drivers/staging/wfx/queue.c b/drivers/staging/wfx/queue.c
> index 2553f77522d9..8647731e02c0 100644
> --- a/drivers/staging/wfx/queue.c
> +++ b/drivers/staging/wfx/queue.c
> @@ -319,13 +319,17 @@ bool wfx_tx_queues_is_empty(struct wfx_dev *wdev)
>  	return ret;
>  }
>  
> -static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb,
> -			       struct wfx_queue *queue)
> +static bool wfx_handle_tx_data(struct wfx_dev *wdev, struct sk_buff *skb)
>  {
>  	struct hif_req_tx *req = wfx_skb_txreq(skb);
>  	struct ieee80211_key_conf *hw_key = wfx_skb_tx_priv(skb)->hw_key;
>  	struct ieee80211_hdr *frame =
>  		(struct ieee80211_hdr *)(req->frame + req->data_flags.fc_offset);
> +	struct wfx_vif *wvif =
> +		wdev_to_wvif(wdev, ((struct hif_msg *)skb->data)->interface);
                                                      ^^^^^^^^^
This is on the TX side so it's probably okay, but one problem I have
noticed is that we do this on the RX side as well without checking that

	if (skb->len < sizeof(struct hif_msg))
		return -EINVAL;

So we could be reading beyond the end of the skb.  If we got really
unlucky it could lead to an Oops.

regards,
dan carpenter
Jérôme Pouiller April 2, 2020, 2:44 p.m. UTC | #2
On Thursday 2 April 2020 15:13:39 CEST Dan Carpenter wrote:
> On Wed, Apr 01, 2020 at 01:03:41PM +0200, Jerome Pouiller wrote:
[...]
> This is on the TX side so it's probably okay, but one problem I have
> noticed is that we do this on the RX side as well with checking that
> 
>         if (skb->len < sizeof(struct hif_msg))
>                 return -EINVAL;
> 
> So we could be reading beyond the end of the skb.  If we got really
> unlucky it could lead to an Oops.
> 
> regards,
> dan carpenter
> 
> 
Hello Dan,

The function rx_helper() in bh.c already does some sanity checks on received data:

    60          WARN(read_len < 4, "corrupted read");
    [...]
    92          } else {
    93                  computed_len = round_up(hif->len, 2);
    94          }
    95          if (computed_len != read_len) {
    96                  dev_err(wdev->dev, "inconsistent message length: %zu != %zu\n",
    97                          computed_len, read_len);
    98                  print_hex_dump(KERN_INFO, "hif: ", DUMP_PREFIX_OFFSET, 16, 1,
    99                                 hif, read_len, true);
   100                  goto err;
   101          }


However, I can improve this code:
   - "4" should be replaced by "sizeof(struct hif_msg)" for readability 
   - hif->len is tested through computed_len, but I am not sure to be able
     to prove that it covers all cases
   - rx_helper() should recover the error if read_len < 4

I add that on my TODO list.

Patch

diff --git a/drivers/staging/wfx/queue.c b/drivers/staging/wfx/queue.c
index 2553f77522d9..8647731e02c0 100644
--- a/drivers/staging/wfx/queue.c
+++ b/drivers/staging/wfx/queue.c
@@ -319,13 +319,17 @@  bool wfx_tx_queues_is_empty(struct wfx_dev *wdev)
 	return ret;
 }
 
-static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb,
-			       struct wfx_queue *queue)
+static bool wfx_handle_tx_data(struct wfx_dev *wdev, struct sk_buff *skb)
 {
 	struct hif_req_tx *req = wfx_skb_txreq(skb);
 	struct ieee80211_key_conf *hw_key = wfx_skb_tx_priv(skb)->hw_key;
 	struct ieee80211_hdr *frame =
 		(struct ieee80211_hdr *)(req->frame + req->data_flags.fc_offset);
+	struct wfx_vif *wvif =
+		wdev_to_wvif(wdev, ((struct hif_msg *)skb->data)->interface);
+
+	if (!wvif)
+		return false;
 
 	// FIXME: mac80211 is smart enough to handle BSS loss. Driver should not
 	// try to do anything about that.
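Review bot: The added `if (!wvif) return false;` takes the place of the `WARN_ON(!wvif)` that the third hunk removes from wfx_tx_queues_get(), so an skb whose `interface` field maps to no vif is now handled silently. Returning `false` makes the caller return `(struct hif_msg *)skb->data`, so the frame is still handed on for transmission with no log line. Keeping the diagnostic is a one-line change, `if (WARN_ON(!wvif)) return false;`, and a short comment above it should state whether sending the frame anyway is intended or whether it ought to be dropped. The body of wfx_handle_tx_data() continues past this hunk, so later uses of `wvif` are only partly visible here.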
@@ -344,12 +348,12 @@  static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb,
 	    hw_key && hw_key->keyidx != wvif->wep_default_key_id &&
 	    (hw_key->cipher == WLAN_CIPHER_SUITE_WEP40 ||
 	     hw_key->cipher == WLAN_CIPHER_SUITE_WEP104)) {
-		wfx_tx_lock(wvif->wdev);
+		wfx_tx_lock(wdev);
 		WARN_ON(wvif->wep_pending_skb);
 		wvif->wep_default_key_id = hw_key->keyidx;
 		wvif->wep_pending_skb = skb;
 		if (!schedule_work(&wvif->wep_key_work))
-			wfx_tx_unlock(wvif->wdev);
+			wfx_tx_unlock(wdev);
 		return true;
 	} else {
 		return false;
@@ -496,13 +500,10 @@  struct hif_msg *wfx_tx_queues_get(struct wfx_dev *wdev)
 		skb = wfx_tx_queue_get(wdev, queue, tx_allowed_mask);
 		if (!skb)
 			continue;
-		hif = (struct hif_msg *)skb->data;
-		wvif = wdev_to_wvif(wdev, hif->interface);
-		WARN_ON(!wvif);
 
-		if (hif_handle_tx_data(wvif, skb, queue))
+		if (wfx_handle_tx_data(wdev, skb))
 			continue;  /* Handled by WSM */
 
-		return hif;
+		return (struct hif_msg *)skb->data;
 	}
 }