From: Ping-Ke Shih <pkshih@realtek.com>
To: Bitterblue Smith <rtl8821cerfe2@gmail.com>,
Tristan Madani <tristmd@gmail.com>
Cc: Johannes Berg <johannes@sipsolutions.net>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: RE: [PATCH v2] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer
Date: Tue, 21 Apr 2026 01:38:06 +0000 [thread overview]
Message-ID: <1fdd2ad66029409eb719ae984959fbad@realtek.com> (raw)
In-Reply-To: <a5aaf34f-d2ec-40ef-a176-9a921dcf435e@gmail.com>
Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> On 20/04/2026 08:31, Ping-Ke Shih wrote:
> > Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> >>
> >> Well, kind of. Maybe RTK_PCI_RX_BUF_SIZE is too small? 11454 + 24
> >> doesn't take into account the PHY info size.
> >
> > In rtw_pci_sync_rx_desc_device(), driver does
> > buf_desc->buf_size = cpu_to_le16(RTK_PCI_RX_BUF_SIZE);
> >
> > This is to tell hardware the size of RX DMA buffer. I think hardware
> > can't DMA data over this size.
> >
>
> Indeed, I don't think the hardware will write more than
> RTK_PCI_RX_BUF_SIZE bytes. But I wonder if some bytes won't be lost
> (or the entire packet?) if it ever receives a frame of 11454 bytes
> and wants to attach a PHY status? Then it would need a buffer of
> 11454 + 24 + 32 bytes. I don't know if this ever happens.
I think the total size including PHY status must be smaller than
RTK_PCI_RX_BUF_SIZE, otherwise we should enlarge RTK_PCI_RX_BUF_SIZE.
The rtw89 can split a packet into multiple segments if RX buffer is
smaller than a receiving packet, but it has exact overload, so we
enlarge the buffer as large as necessary.
For rtw88, I can't find similar implementation. Maybe we can try to
enlarge the size to see if any improvement.
Ping-Ke
prev parent reply other threads:[~2026-04-21 1:38 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-15 22:24 [PATCH v2] wifi: rtw88: fix OOB read from firmware RX descriptor exceeding DMA buffer Tristan Madani
2026-04-17 15:14 ` Bitterblue Smith
2026-04-20 5:31 ` Ping-Ke Shih
2026-04-20 22:22 ` Bitterblue Smith
2026-04-21 1:38 ` Ping-Ke Shih [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1fdd2ad66029409eb719ae984959fbad@realtek.com \
--to=pkshih@realtek.com \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=rtl8821cerfe2@gmail.com \
--cc=tristmd@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox