diff options
| author | Christopher Mackle <christophermackle01@gmail.com> | 2026-06-20 01:39:16 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-07-07 13:41:04 +0200 |
| commit | 252f8c681adc8614b70f844ba3de3a138c33a783 (patch) | |
| tree | c113e863fba184e8b5beb9211bb15e4d7e0b6142 /rust/zerocopy/src/git@git.tavy.me:linux-stable.git | |
| parent | 8cdeaa50eae8dad34885515f62559ee83e7e8dda (diff) | |
staging: rtl8723bs: don't drop short TX frames in _rtw_pktfile_read()
Commit bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to
return error codes") changed _rtw_pktfile_read() to fail when the caller
asks for more bytes than remain in the packet:
if (rtw_remainder_len(pfile) < rlen)
return -EINVAL;
That breaks the assumption made by the data TX path. In
rtw_xmitframe_coalesce() (core/rtw_xmit.c) the per-fragment copy is
issued with the full fragment length, mpdu_len, which is derived from
pxmitpriv->frag_len (~2300 bytes), and the code relies on the historical
behaviour of copying only what is left and returning the number of bytes
actually copied:
mem_sz = _rtw_pktfile_read(&pktfile, pframe, mpdu_len);
if (mem_sz < 0)
return mem_sz;
So for every outbound packet smaller than the fragmentation threshold -
i.e. essentially all normal traffic, including the EAPOL frames of the
WPA 4-way handshake and DHCP - rlen is larger than the bytes remaining,
_rtw_pktfile_read() returns -EINVAL, rtw_xmitframe_coalesce() aborts, and
the frame is dropped before it is queued to the hardware. The driver
floods the log with:
rtl8723bs ...: xmit_xmitframes: coalesce failed with error -22
Management frames (authentication/association) use a different path and
still go out, so the interface scans and associates, but no data frame is
ever transmitted. The 4-way handshake therefore never completes and
wpa_supplicant misreports it as:
WPA: 4-Way Handshake failed - pre-shared key may be incorrect
AP mode is unaffected. The net effect is that the chip is unusable in
station mode on any kernel carrying the offending commit.
This was confirmed with a wpa_supplicant -dd trace on an RTL8723BS SDIO
adapter (Bay Trail): message 1/4 is received and the PTK is derived, but
each "Sending EAPOL-Key 2/4" coincides 1:1 with a "coalesce failed with
error -22", so message 2/4 never reaches the AP, which keeps retrying
message 1/4 until the handshake times out.
Restore the original semantics: clamp the requested length to the bytes
remaining in the packet and return that length. The skb_copy_bits()
error path is kept, so genuine copy failures are still propagated.
Fixes: bc4df274dca6 ("staging: rtl8723bs: update _rtw_pktfile_read() to return error codes")
Cc: stable <stable@kernel.org>
Tested-by: Christopher Mackle <christophermackle01@gmail.com>
Signed-off-by: Christopher Mackle <christophermackle01@gmail.com>
Link: https://patch.msgid.link/20260620013916.7148-1-christophermackle01@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'rust/zerocopy/src/git@git.tavy.me:linux-stable.git')
0 files changed, 0 insertions, 0 deletions
