* [PATCH] ath10k: prevent debugfs mmio access crash kernel
@ 2015-06-11  7:43 ` Michal Kazior
  0 siblings, 0 replies; 6+ messages in thread
From: Michal Kazior @ 2015-06-11  7:43 UTC (permalink / raw)
  To: ath10k; +Cc: linux-wireless, Michal Kazior

It was possible to force an out of bounds MMIO
read/write via debugfs. E.g. on QCA988X this could
be triggered with:

 echo 0x2080e0 | tee /sys/kernel/debug/ieee80211/*/ath10k/reg_addr
 cat /sys/kernel/debug/ieee80211/*/ath10k/reg_value

 BUG: unable to handle kernel paging request at ffffc90001e080e0
 IP: [<ffffffff8135c860>] ioread32+0x40/0x50
 ...
 Call Trace:
  [<ffffffffa00d0c7f>] ? ath10k_pci_read32+0x4f/0x70 [ath10k_pci]
  [<ffffffffa0080f50>] ath10k_reg_value_read+0x90/0xf0 [ath10k_core]
  [<ffffffff8115c2c1>] ? handle_mm_fault+0xa91/0x1050
  [<ffffffff81189758>] __vfs_read+0x28/0xe0
  [<ffffffff812e4694>] ? security_file_permission+0x84/0xa0
  [<ffffffff81189ce3>] ? rw_verify_area+0x53/0x100
  [<ffffffff81189e1a>] vfs_read+0x8a/0x140
  [<ffffffff8118acb9>] SyS_read+0x49/0xb0
  [<ffffffff8104e39c>] ? trace_do_page_fault+0x3c/0xc0
  [<ffffffff8196596e>] system_call_fastpath+0x12/0x71

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
---
 drivers/net/wireless/ath/ath10k/pci.c | 13 +++++++++++++
 drivers/net/wireless/ath/ath10k/pci.h |  1 +
 2 files changed, 14 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 9da36c764d3b..1843d31fbda7 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -479,6 +479,12 @@ void ath10k_pci_write32(struct ath10k *ar, u32 offset, u32 value)
 	struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
 	int ret;
 
+	if (unlikely(offset + sizeof(value) > ar_pci->mem_len)) {
+		ath10k_warn(ar, "refusing to write mmio out of bounds at 0x%08x - 0x%08zx (max 0x%08zx)\n",
+			    offset, offset + sizeof(value), ar_pci->mem_len);
+		return;
+	}
+
 	ret = ath10k_pci_wake(ar);
 	if (ret) {
 		ath10k_warn(ar, "failed to wake target for write32 of 0x%08x at 0x%08x: %d\n",
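Review bot: The bounds test `offset + sizeof(value) > ar_pci->mem_len` can wrap on 32-bit builds, where `size_t` is 32 bits wide: `offset` is a `u32`, so a value such as 0xfffffffc plus 4 yields 0 and passes the check. Comparing without the addition avoids this, for example `ar_pci->mem_len < sizeof(value) || offset > ar_pci->mem_len - sizeof(value)`. The read32 hunk uses the same expression and needs the same change.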
@@ -496,6 +502,12 @@ u32 ath10k_pci_read32(struct ath10k *ar, u32 offset)
 	u32 val;
 	int ret;
 
+	if (unlikely(offset + sizeof(val) > ar_pci->mem_len)) {
+		ath10k_warn(ar, "refusing to read mmio out of bounds at 0x%08x - 0x%08zx (max 0x%08zx)\n",
+			    offset, offset + sizeof(val), ar_pci->mem_len);
+		return 0;
+	}
+
 	ret = ath10k_pci_wake(ar);
 	if (ret) {
 		ath10k_warn(ar, "failed to wake target for read32 at 0x%08x: %d\n",
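Review bot: Returning 0 from the refused read makes an out-of-bounds request indistinguishable from a register that really holds 0; the only signal is the `ath10k_warn` line in the kernel log. Since `ath10k_pci_read32` returns `u32` and cannot carry an error, consider also validating the address in the debugfs `reg_addr`/`reg_value` path named in the commit message and returning an error to userspace there, keeping this check as a backstop.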
@@ -2682,6 +2694,7 @@ static int ath10k_pci_claim(struct ath10k *ar)
 	pci_set_master(pdev);
 
 	/* Arrange for access to Target SoC registers. */
+	ar_pci->mem_len = pci_resource_len(pdev, BAR_NUM);
 	ar_pci->mem = pci_iomap(pdev, BAR_NUM, 0);
 	if (!ar_pci->mem) {
 		ath10k_err(ar, "failed to iomap BAR%d\n", BAR_NUM);
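Review bot: `mem_len` is a valid bound only because `pci_iomap(pdev, BAR_NUM, 0)` maps the whole BAR (a `maxlen` of 0 means no limit), and nothing in this hunk says so. A one-line comment tying the two lines together would keep a later change to the `maxlen` argument from silently leaving the bounds check larger than the mapping.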
diff --git a/drivers/net/wireless/ath/ath10k/pci.h b/drivers/net/wireless/ath/ath10k/pci.h
index d7696ddc03c4..eea0a0170b00 100644
--- a/drivers/net/wireless/ath/ath10k/pci.h
+++ b/drivers/net/wireless/ath/ath10k/pci.h
@@ -162,6 +162,7 @@ struct ath10k_pci {
 	struct device *dev;
 	struct ath10k *ar;
 	void __iomem *mem;
+	size_t mem_len;
 
 	/*
 	 * Number of MSI interrupts granted, 0 --> using legacy PCI line
-- 
2.1.4


* Re: [PATCH] ath10k: prevent debugfs mmio access crash kernel
  2015-06-11  7:43 ` Michal Kazior
@ 2015-06-16 10:11   ` Kalle Valo
  -1 siblings, 0 replies; 6+ messages in thread
From: Kalle Valo @ 2015-06-16 10:11 UTC (permalink / raw)
  To: Michal Kazior; +Cc: ath10k, linux-wireless

Michal Kazior <michal.kazior@tieto.com> writes:

> It was possible to force an out of bounds MMIO
> read/write via debugfs. E.g. on QCA988X this could
> be triggered with:
>
>  echo 0x2080e0 | tee /sys/kernel/debug/ieee80211/*/ath10k/reg_addr
>  cat /sys/kernel/debug/ieee80211/*/ath10k/reg_value
>
>  BUG: unable to handle kernel paging request at ffffc90001e080e0
>  IP: [<ffffffff8135c860>] ioread32+0x40/0x50
>  ...
>  Call Trace:
>   [<ffffffffa00d0c7f>] ? ath10k_pci_read32+0x4f/0x70 [ath10k_pci]
>   [<ffffffffa0080f50>] ath10k_reg_value_read+0x90/0xf0 [ath10k_core]
>   [<ffffffff8115c2c1>] ? handle_mm_fault+0xa91/0x1050
>   [<ffffffff81189758>] __vfs_read+0x28/0xe0
>   [<ffffffff812e4694>] ? security_file_permission+0x84/0xa0
>   [<ffffffff81189ce3>] ? rw_verify_area+0x53/0x100
>   [<ffffffff81189e1a>] vfs_read+0x8a/0x140
>   [<ffffffff8118acb9>] SyS_read+0x49/0xb0
>   [<ffffffff8104e39c>] ? trace_do_page_fault+0x3c/0xc0
>   [<ffffffff8196596e>] system_call_fastpath+0x12/0x71
>
> Reported-by: Ben Greear <greearb@candelatech.com>
> Signed-off-by: Michal Kazior <michal.kazior@tieto.com>

Thanks, applied.

-- 
Kalle Valo

* repeater mode not working
  2015-06-16 10:11   ` Kalle Valo
  (?)
@ 2015-06-16 11:26   ` Sebastian Gottschall
  2015-06-17  5:26     ` Michal Kazior
  -1 siblings, 1 reply; 6+ messages in thread
From: Sebastian Gottschall @ 2015-06-16 11:26 UTC (permalink / raw)
  To: ath10k

Hello

did someone notice that configurations like
sta + vap do not work with ath10k? is there a fix expected for that problem?

Sebastian

* Re: repeater mode not working
  2015-06-16 11:26   ` repeater mode not working Sebastian Gottschall
@ 2015-06-17  5:26     ` Michal Kazior
  0 siblings, 0 replies; 6+ messages in thread
From: Michal Kazior @ 2015-06-17  5:26 UTC (permalink / raw)
  To: Sebastian Gottschall; +Cc: ath10k

On 16 June 2015 at 13:26, Sebastian Gottschall <s.gottschall@dd-wrt.com> wrote:
> Hello

Hello,


> did someone notice that configurations like
> sta + vap do not work with ath10k? is there a fix expected for that problem?

I'm guessing you're using firmware 10.x on QCA988X. This firmware
branch has multi-vif enabled only for multi-bss AP. You could hack up
ath10k to allow more and run some tests. If it works for you reliably
you can try submitting a patch changing the current interface
combinations.

In the meantime - firmware 999.999.0.636 does support ap+sta but this
is a pretty old firmware with other quirks so YMMV.


Michał
