From: Michal Kazior <michal.kazior@tieto.com>
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org, greearb@candelatech.com, Michal Kazior <michal.kazior@tieto.com>
Subject: [PATCH] ath10k: double check bmi xfer pointers
Date: Thu, 10 Apr 2014 12:05:55 +0200
Message-ID: <1397124355-6321-1-git-send-email-michal.kazior@tieto.com>
In-Reply-To: <53461A8A.4030209@candelatech.com>

If for some reason copy engine ring buffer became corrupt ath10k could crash the machine due to invalid pointer dereference. It's very unlikely but devices can never be fully trusted so verify if the bmi xfer pointer read back from copy engine matches the original pointer.

The bug looked as follows:

BUG: unable to handle kernel paging request at ffffffff815d6133
...
Call Trace:
[<ffffffff810fdaf4>] ? mark_held_locks+0x71/0x99
[<ffffffff810c6b6d>] ? __local_bh_enable_ip+0xaa/0xd9
[<ffffffff810fd7eb>] lock_acquire+0x82/0x9d
[<ffffffff810f5999>] ? complete+0x19/0x45
[<ffffffff810c6b72>] ? __local_bh_enable_ip+0xaf/0xd9
[<ffffffff815d5f9b>] _raw_spin_lock_irqsave+0x47/0x5a
[<ffffffff810f5999>] ? complete+0x19/0x45
[<ffffffff810f5999>] complete+0x19/0x45
[<ffffffffa056d977>] ath10k_pci_hif_exchange_bmi_msg+0x267/0x3f4 [ath10k_pci]
[<ffffffffa0471b42>] ath10k_hif_exchange_bmi_msg+0xe/0x10 [ath10k_core]
[<ffffffffa0471f01>] ath10k_bmi_write_memory+0xc4/0x12d [ath10k_core]
[<ffffffffa046877f>] ath10k_core_start+0x207/0x828 [ath10k_core]
[<ffffffffa0469723>] ath10k_core_register+0x5ca/0x77f [ath10k_core]
...

Reported-By: Ben Greear <greearb@candelatech.com>
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
---
drivers/net/wireless/ath/ath10k/pci.c | 30 ++++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index bf1083d..85e84c9 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -1390,35 +1390,49 @@ err_dma: return ret; } -static void ath10k_pci_bmi_send_done(struct ath10k_ce_pipe *ce_state) +static void ath10k_pci_bmi_send_done(struct ath10k_ce_pipe *ce_state, + struct bmi_xfer *xfer) { - struct bmi_xfer *xfer; + void *ptr; u32 ce_data; unsigned int nbytes; unsigned int transfer_id; - if (ath10k_ce_completed_send_next(ce_state, (void **)&xfer, &ce_data, + if (ath10k_ce_completed_send_next(ce_state, (void **)&ptr, &ce_data, &nbytes, &transfer_id)) return; + if (xfer != ptr) { + ath10k_warn("failed to verify bmi xfer tx pointer (got %p expected %p)\n", + ptr, xfer); + return; + } + if (xfer->wait_for_resp) return; complete(&xfer->done); } -static void ath10k_pci_bmi_recv_data(struct ath10k_ce_pipe *ce_state) +static void ath10k_pci_bmi_recv_data(struct ath10k_ce_pipe *ce_state, + struct bmi_xfer *xfer) { - struct bmi_xfer *xfer; + void *ptr; u32 ce_data; unsigned int nbytes; unsigned int transfer_id; unsigned int flags; - if (ath10k_ce_completed_recv_next(ce_state, (void **)&xfer, &ce_data, + if (ath10k_ce_completed_recv_next(ce_state, (void **)&ptr, &ce_data, &nbytes, &transfer_id, &flags)) return; + if (xfer != ptr) { + ath10k_warn("failed to verify bmi xfer rx pointer (got %p expected %p)\n", + ptr, xfer); + return; + } + if (!xfer->wait_for_resp) { ath10k_warn("unexpected: BMI data received; ignoring\n"); return; @@ -1435,8 +1449,8 @@ static int ath10k_pci_bmi_wait(struct ath10k_ce_pipe *tx_pipe, unsigned long timeout = jiffies + BMI_COMMUNICATION_TIMEOUT_HZ; while (time_before_eq(jiffies, timeout)) { - ath10k_pci_bmi_send_done(tx_pipe); - ath10k_pci_bmi_recv_data(rx_pipe); + ath10k_pci_bmi_send_done(tx_pipe, xfer); + ath10k_pci_bmi_recv_data(rx_pipe, xfer); if (completion_done(&xfer->done)) return 0; -- 1.8.5.3
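Review bot: In ath10k_pci_bmi_send_done() and ath10k_pci_bmi_recv_data() the new "xfer != ptr" block is pasted twice with only "tx"/"rx" differing, and neither copy has a comment saying why a pointer read back from the copy engine is not trusted. A small shared helper that takes the direction string, with a one-line comment carrying the reasoning from the commit message (the ring may be corrupt and the device is not fully trusted), would keep the two paths from drifting apart. The same completion call also fills in ce_data, nbytes and transfer_id, and the visible lines do not check any of them; if code after this point uses nbytes to size a copy, it should be bounded against the buffer the driver posted. The warning prints both pointers with %p, which puts kernel addresses into the log; consider whether the values are needed there or whether the message alone is enough.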
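Review bot: In the ath10k_pci_bmi_wait() loop a failed pointer check is invisible to the caller, because both helpers still return void: after the warning the loop keeps calling them until BMI_COMMUNICATION_TIMEOUT_HZ has elapsed, and the corruption surfaces only as whatever the timeout path returns. Consider having the two helpers return an error on mismatch (for example -EIO) and returning it from the loop straight away, so that a corrupt ring is reported as such and the caller can fail fast instead of waiting out the full timeout.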