[PATCH ath-next 2/2] wifi: ath11k: fix HTC rx insufficient length
Miaoqing Pan
quic_miaoqing at quicinc.com
Fri Mar 7 03:08:16 PST 2025
On 3/7/2025 4:51 PM, Johan Hovold wrote:
> Hi Miaoqing,
>
> and thanks a lot for looking into this.
>
> On Fri, Mar 07, 2025 at 12:08:48PM +0800, Miaoqing Pan wrote:
>> A relatively unusual race condition occurs between host software
>> and hardware, where the host sees the updated destination ring head
>> pointer before the hardware updates the corresponding descriptor.
>> When this situation occurs, the length of the descriptor returns 0.
>
> Can you explain how this race comes about?
>
> I worry that you may just be papering over a driver or firmware bug here
> so it would be good to understand how the host can see the updated
> pointer before the descriptor.
>
The entire process is handled by hardware, and host software just
reads the status, so it should be a limitation of the hardware.

> Also do you have any suggestions for how to reproduce this more easily?
> Some users of the X13s (aarch64) hit this very frequently, while I've
> only seen it a few times. At least one user hit this consistently when
> roaming, and another mentioned seeing this while driving his car with
> the laptop on (and presumably seeing a lot of APs go by).
>
We reproduced it with the setup below on an IoT device; it usually takes
a few hours to several days to reproduce.
- Run TCP downlink traffic (iperf)
- Run bluetooth bredr scan (bluetoothctl/power on/scan bredr)

>> The current error handling method is to increment descriptor tail
>> pointer by 1, but 'sw_index' is not updated, causing descriptor and
>> skb to not correspond one-to-one, resulting in the following error:
>>
>> ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1488, expected 1492
>> ath11k_pci 0006:01:00.0: HTC Rx: insufficient length, got 1460, expected 1484
>>
>> To address this problem, temporarily skip processing the current
>> descriptor and handle it again next time. However, to prevent this
>> descriptor from continuously returning 0, use skb cb to set a flag.
>> If the length returns 0 again, this descriptor will be discarded.
>>
>> Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04546-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
>
> Please also include:
>
> Reported-by: Johan Hovold <johan+linaro at kernel.org>
>
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218623
>> Signed-off-by: Miaoqing Pan <quic_miaoqing at quicinc.com>
>
> Johan
Thanks for reporting, will update in next version.
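
Added example, not part of this mail or of the patch: a small user-space C model of the bookkeeping the commit message describes, comparing the old error path (tail advances, `sw_index` does not) with the retry-once-then-discard scheme. The `ring` struct, `reap()`, `make_ring()` and the sample lengths are constructed for illustration and are not ath11k code.

```c
#include <stdbool.h>
#include <stdio.h>

struct ring {
    unsigned desc_len[4];  /* length per descriptor; 0 = not written yet */
    unsigned buf_len[4];   /* bytes really held by the buffer in that slot */
    bool retried[4];       /* stands in for the flag kept in skb cb */
    unsigned tail, sw_index, delivered, dropped, mismatched;
};

/* Reap entries below head (no wrap-around in this sketch). fixed=false models
 * the old error path, fixed=true the retry-once-then-discard scheme. */
static void reap(struct ring *r, unsigned head, bool fixed)
{
    for (; r->tail != head; r->tail++) {
        unsigned len = r->desc_len[r->tail];
        if (len == 0 && !fixed)
            continue;                     /* tail moves on, sw_index does not */
        if (len == 0 && !r->retried[r->sw_index]) {
            r->retried[r->sw_index] = true;
            return;                       /* touch neither index, retry later */
        }
        if (len == 0)
            r->dropped++;                 /* second zero: discard the pair */
        else if (len != r->buf_len[r->sw_index])
            r->mismatched++;              /* the "insufficient length" case */
        else
            r->delivered++;
        r->sw_index++;
    }
}

/* Constructed state: head is at 3 but descriptor 1 is still unwritten. */
static struct ring make_ring(void)
{
    struct ring r = { .desc_len = {1492, 0, 1460, 1500},
                      .buf_len  = {1492, 1484, 1460, 1500} };
    return r;
}

int main(void)
{
    struct ring old = make_ring(), fix = make_ring();
    reap(&old, 3, false);
    reap(&fix, 3, true);      /* stops at descriptor 1 */
    fix.desc_len[1] = 1484;   /* the late hardware write lands */
    reap(&fix, 3, true);
    printf("old mismatched=%u, fixed mismatched=%u\n", old.mismatched, fix.mismatched);
    return 0;
}
```

In the old path the descriptor carrying 1460 is paired with the buffer holding 1484 bytes; with the retry the pairing stays one-to-one whether the late write arrives or the descriptor is discarded on its second zero.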