From: Ping-Ke Shih <pkshih@realtek.com>
To: Bitterblue Smith <rtl8821cerfe2@gmail.com>,
Tristan Madani <tristmd@gmail.com>
Cc: Johannes Berg <johannes@sipsolutions.net>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: RE: [PATCH v2] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
Date: Tue, 21 Apr 2026 01:38:06 +0000 [thread overview]
Message-ID: <1fdd2ad66029409eb719ae984959fbad@realtek.com> (raw)
In-Reply-To: <a5aaf34f-d2ec-40ef-a176-9a921dcf435e@gmail.com>
Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> On 20/04/2026 08:31, Ping-Ke Shih wrote:
> > Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> >>
> >> Well, kind of. Maybe RTK_PCI_RX_BUF_SIZE is too small? 11454 + 24
> >> doesn't take into account the PHY info size.
> >
> > In rtw_pci_sync_rx_desc_device(), driver does
> > buf_desc->buf_size = cpu_to_le16(RTK_PCI_RX_BUF_SIZE);
> >
> > This is to tell hardware the size of RX DMA buffer. I think hardware
> > can't DMA data over this size.
> >
>
> Indeed, I don't think the hardware will write more than
> RTK_PCI_RX_BUF_SIZE bytes. But I wonder if some bytes won't be lost
> (or the entire packet?) if it ever receives a frame of 11454 bytes
> and wants to attach a PHY status? Then it would need a buffer of
> 11454 + 24 + 32 bytes. I don't know if this ever happens.
I think the total size including PHY status must be smaller than
RTK_PCI_RX_BUF_SIZE, otherwise we should enlarge RTK_PCI_RX_BUF_SIZE.
The rtw89 can split a packet into multiple segments if RX buffer is
smaller than a receiving packet, but it has exact overload, so we
enlarge the buffer as large as necessary.
For rtw88, I can't find similar implementation. Maybe we can try to
enlarge the size to see if any improvement.
Ping-Ke
prev parent reply other threads:[~2026-04-21 1:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 22:24 [PATCH v2] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer Tristan Madani
2026-04-17 15:14 ` Bitterblue Smith
2026-04-20 5:31 ` Ping-Ke Shih
2026-04-20 22:22 ` Bitterblue Smith
2026-04-21 1:38 ` Ping-Ke Shih [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1fdd2ad66029409eb719ae984959fbad@realtek.com \
--to=pkshih@realtek.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=rtl8821cerfe2@gmail.com \
--cc=tristmd@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.