[PATCH] staging: rtl8723bs: don't drop short TX frames in _rtw_pktfile_read()

[PATCH] staging: rtl8723bs: don't drop short TX frames in _rtw_pktfile_read()

[Christopher Mackle]

Commit bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to
return error codes") changed _rtw_pktfile_read() to fail when the caller
asks for more bytes than remain in the packet:

	if (rtw_remainder_len(pfile) < rlen)
		return -EINVAL;

That breaks the assumption made by the data TX path.  In
rtw_xmitframe_coalesce() (core/rtw_xmit.c) the per-fragment copy is
issued with the full fragment length, mpdu_len, which is derived from
pxmitpriv->frag_len (~2300 bytes), and the code relies on the historical
behaviour of copying only what is left and returning the number of bytes
actually copied:

	mem_sz = _rtw_pktfile_read(&pktfile, pframe, mpdu_len);
	if (mem_sz < 0)
		return mem_sz;

So for every outbound packet smaller than the fragmentation threshold -
i.e. essentially all normal traffic, including the EAPOL frames of the
WPA 4-way handshake and DHCP - rlen is larger than the bytes remaining,
_rtw_pktfile_read() returns -EINVAL, rtw_xmitframe_coalesce() aborts, and
the frame is dropped before it is queued to the hardware.  The driver
floods the log with:

	rtl8723bs ...: xmit_xmitframes: coalesce failed with error -22

Management frames (authentication/association) use a different path and
still go out, so the interface scans and associates, but no data frame is
ever transmitted.  The 4-way handshake therefore never completes and
wpa_supplicant misreports it as:

	WPA: 4-Way Handshake failed - pre-shared key may be incorrect

AP mode is unaffected.  The net effect is that the chip is unusable in
station mode on any kernel carrying the offending commit.

This was confirmed with a wpa_supplicant -dd trace on an RTL8723BS SDIO
adapter (Bay Trail): message 1/4 is received and the PTK is derived, but
each "Sending EAPOL-Key 2/4" coincides 1:1 with a "coalesce failed with
error -22", so message 2/4 never reaches the AP, which keeps retrying
message 1/4 until the handshake times out.

Restore the original semantics: clamp the requested length to the bytes
remaining in the packet and return that length.  The skb_copy_bits()
error path is kept, so genuine copy failures are still propagated.

Fixes: bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to return error codes")
Cc: stable@vger.kernel.org
Tested-by: Christopher Mackle <christophermackle01@gmail.com>
Signed-off-by: Christopher Mackle <christophermackle01@gmail.com>
---
 drivers/staging/rtl8723bs/os_dep/xmit_linux.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/xmit_linux.c b/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
index dc0b77f38..9bdb67a8a 100644
--- a/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/xmit_linux.c
@@ -24,9 +24,11 @@ void _rtw_open_pktfile(struct sk_buff *pktptr, struct pkt_file *pfile)
 int _rtw_pktfile_read(struct pkt_file *pfile, u8 *rmem, unsigned int rlen)
 {
 	int ret;
+	unsigned int remain = rtw_remainder_len(pfile);
 
-	if (rtw_remainder_len(pfile) < rlen)
-		return -EINVAL;
+	/* clamp to bytes remaining; the coalesce loop relies on short reads */
+	if (rlen > remain)
+		rlen = remain;
 
 	if (rmem) {
 		ret = skb_copy_bits(pfile->pkt, pfile->buf_len - pfile->pkt_len, rmem, rlen);
-- 
2.53.0