From: Ben Greear <greearb@candelatech.com>
To: "Korenblit, Miriam Rachel" <miriam.rachel.korenblit@intel.com>,
Cole Leavitt <cole@unwrap.rs>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Cc: "johannes@sipsolutions.net" <johannes@sipsolutions.net>
Subject: Re: [PATCH 2/3] wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled
Date: Sun, 12 Apr 2026 07:03:49 -0700 [thread overview]
Message-ID: <d74eb2fd-5698-425b-8650-f136c9442155@candelatech.com> (raw)
In-Reply-To: <DS0PR11MB788029013A25A284B0907D01A3272@DS0PR11MB7880.namprd11.prod.outlook.com>
On 4/11/26 8:47 PM, Korenblit, Miriam Rachel wrote:
>
>
>> -----Original Message-----
>> From: Cole Leavitt <cole@unwrap.rs>
>> Sent: Sunday, April 5, 2026 8:42 AM
>> To: linux-wireless@vger.kernel.org
>> Cc: greearb@candelatech.com; Korenblit, Miriam Rachel
>> <miriam.rachel.korenblit@intel.com>; johannes@sipsolutions.net;
>> cole@unwrap.rs
>> Subject: [PATCH 2/3] wifi: iwlwifi: mld: fix TSO segmentation explosion when
>> AMSDU is disabled
>>
>> When the TLC notification disables AMSDU for a TID, the MLD driver sets
>> max_tid_amsdu_len to the sentinel value 1. The TSO segmentation path in
>> iwl_mld_tx_tso_segment() checks for zero but not for this sentinel, allowing it to
>> reach the num_subframes calculation:
>>
>> num_subframes = (max_tid_amsdu_len + pad) / (subf_len + pad)
>> = (1 + 2) / (1534 + 2) = 0
>>
>> This zero propagates to iwl_tx_tso_segment() which sets:
>>
>> gso_size = num_subframes * mss = 0
>>
>> Calling skb_gso_segment() with gso_size=0 creates over 32000 tiny segments
>> from a single GSO skb. This floods the TX ring with ~1024 micro-frames (the rest
>> are purged), creating a massive burst of TX completion events that can lead to
>> memory corruption and a subsequent use-after-free in TCP's retransmit queue
>> (refcount underflow in tcp_shifted_skb, NULL deref in tcp_rack_detect_loss).
>
> And why not fixing this issue?
We have been running with this patch. It doesn't seem to cause harm,
but also, we still saw at least a few warnings about 32k spins in GSO logic.
I am pretty sure the 32k GSO spin we see is due to some skb memory corruption of some kind,
and I don't know root cause.
Maybe this patch is still worth having, but the description about lots of tx completion events
causing mem corruption seems unfounded to me, and while I have no proof, this sort of
over-confidence in cause vs affect appears similar to some other AI generated patches I've seen.
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
next prev parent reply other threads:[~2026-04-12 14:04 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-05 5:41 [PATCH v2 0/3] wifi: iwlwifi: mld: fix UAF and soft lockup on firmware error Cole Leavitt
2026-04-05 5:41 ` [PATCH 1/3] wifi: iwlwifi: prevent NAPI processing after " Cole Leavitt
2026-04-05 5:41 ` [PATCH 2/3] wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled Cole Leavitt
2026-04-12 3:47 ` Korenblit, Miriam Rachel
2026-04-12 14:03 ` Ben Greear [this message]
2026-04-05 5:41 ` [PATCH 3/3] wifi: iwlwifi: mld: skip TX when firmware is dead Cole Leavitt
2026-04-14 3:51 ` [PATCH v2 0/3] wifi: iwlwifi: mld: fix UAF and soft lockup on firmware error Korenblit, Miriam Rachel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d74eb2fd-5698-425b-8650-f136c9442155@candelatech.com \
--to=greearb@candelatech.com \
--cc=cole@unwrap.rs \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=miriam.rachel.korenblit@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox