* [PATCH] ath10k: fixed scan crash
@ 2018-04-10 7:39 ` zhichen
0 siblings, 0 replies; 10+ messages in thread
From: zhichen @ 2018-04-10 7:39 UTC (permalink / raw)
To: ath10k; +Cc: linux-wireless, kvalo, Zhi Chen
From: Zhi Chen <zhichen@codeaurora.org>
Length of WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So WMI message corrupted
skb_info, which is at the end of skb->data. This fix takes TLV header
into account even if the element is zero-length.
Crash log:
[49.629986] Unhandled kernel unaligned access[#1]:
[49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
[49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
[49.646608] $ 0 : 00000000 00000001 80984a80 00000000
[49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
[49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
[49.662898] $12 : 33322037 000110f2 00000000 31203930
[49.668327] $16 : 82792b40 80984a80 00000001 804207fc
[49.673757] $20 : 00000000 0000012c 00000040 80470000
[49.679186] $24 : 00000000 8024af7c
[49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
[49.690046] Hi : 00000000
[49.693022] Lo : 453c0000
[49.696013] epc : 800efae4 put_page+0x0/0x58
[49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
[49.706184] Status: 1000fc03 KERNEL EXL IE
[49.710531] Cause : 00800010 (ExcCode 04)
[49.714669] BadVA : 45259e89
[49.717644] PrId : 00019374 (MIPS 24Kc)
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index ae77a00..25efbb5 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -1515,10 +1515,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct ath10k *ar,
bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
ie_len = roundup(arg->ie_len, 4);
len = (sizeof(*tlv) + sizeof(*cmd)) +
- (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
- (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
- (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
- (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
+ sizeof(*tlv) + chan_len +
+ sizeof(*tlv) + ssid_len +
+ sizeof(*tlv) + bssid_len +
+ sizeof(*tlv) + ie_len;
skb = ath10k_wmi_alloc_skb(ar, len);
if (!skb)
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] ath10k: fixed scan crash
@ 2018-04-10 7:39 ` zhichen
0 siblings, 0 replies; 10+ messages in thread
From: zhichen @ 2018-04-10 7:39 UTC (permalink / raw)
To: ath10k; +Cc: Zhi Chen, kvalo, linux-wireless
From: Zhi Chen <zhichen@codeaurora.org>
Length of WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So WMI message corrupted
skb_info, which is at the end of skb->data. This fix takes TLV header
into account even if the element is zero-length.
Crash log:
[49.629986] Unhandled kernel unaligned access[#1]:
[49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
[49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
[49.646608] $ 0 : 00000000 00000001 80984a80 00000000
[49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
[49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
[49.662898] $12 : 33322037 000110f2 00000000 31203930
[49.668327] $16 : 82792b40 80984a80 00000001 804207fc
[49.673757] $20 : 00000000 0000012c 00000040 80470000
[49.679186] $24 : 00000000 8024af7c
[49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
[49.690046] Hi : 00000000
[49.693022] Lo : 453c0000
[49.696013] epc : 800efae4 put_page+0x0/0x58
[49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
[49.706184] Status: 1000fc03 KERNEL EXL IE
[49.710531] Cause : 00800010 (ExcCode 04)
[49.714669] BadVA : 45259e89
[49.717644] PrId : 00019374 (MIPS 24Kc)
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index ae77a00..25efbb5 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -1515,10 +1515,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct ath10k *ar,
bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
ie_len = roundup(arg->ie_len, 4);
len = (sizeof(*tlv) + sizeof(*cmd)) +
- (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
- (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
- (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
- (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
+ sizeof(*tlv) + chan_len +
+ sizeof(*tlv) + ssid_len +
+ sizeof(*tlv) + bssid_len +
+ sizeof(*tlv) + ie_len;
skb = ath10k_wmi_alloc_skb(ar, len);
if (!skb)
--
2.1.4
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] ath10k: fix tlv 5ghz channel missing issue
2018-04-10 7:39 ` zhichen
@ 2018-04-10 7:39 ` zhichen
-1 siblings, 0 replies; 10+ messages in thread
From: zhichen @ 2018-04-10 7:39 UTC (permalink / raw)
To: ath10k; +Cc: linux-wireless, kvalo, Zhi Chen
From: Zhi Chen <zhichen@codeaurora.org>
The 5ghz channel parameters of TLV target wasn't passed to host, it caused
host can only use lower channels from 36 to 64.
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 25efbb5..b8985ce 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -1010,6 +1010,8 @@ static int ath10k_wmi_tlv_op_pull_svc_rdy_ev(struct ath10k *ar,
arg->phy_capab = ev->phy_capability;
arg->num_rf_chains = ev->num_rf_chains;
arg->eeprom_rd = reg->eeprom_rd;
+ arg->low_5ghz_chan = reg->low_5ghz_chan;
+ arg->high_5ghz_chan = reg->high_5ghz_chan;
arg->num_mem_reqs = ev->num_mem_reqs;
arg->service_map = svc_bmap;
arg->service_map_len = ath10k_wmi_tlv_len(svc_bmap);
--
2.1.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH] ath10k: fix tlv 5ghz channel missing issue
@ 2018-04-10 7:39 ` zhichen
0 siblings, 0 replies; 10+ messages in thread
From: zhichen @ 2018-04-10 7:39 UTC (permalink / raw)
To: ath10k; +Cc: Zhi Chen, kvalo, linux-wireless
From: Zhi Chen <zhichen@codeaurora.org>
The 5ghz channel parameters of TLV target wasn't passed to host, it caused
host can only use lower channels from 36 to 64.
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
---
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 25efbb5..b8985ce 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -1010,6 +1010,8 @@ static int ath10k_wmi_tlv_op_pull_svc_rdy_ev(struct ath10k *ar,
arg->phy_capab = ev->phy_capability;
arg->num_rf_chains = ev->num_rf_chains;
arg->eeprom_rd = reg->eeprom_rd;
+ arg->low_5ghz_chan = reg->low_5ghz_chan;
+ arg->high_5ghz_chan = reg->high_5ghz_chan;
arg->num_mem_reqs = ev->num_mem_reqs;
arg->service_map = svc_bmap;
arg->service_map_len = ath10k_wmi_tlv_len(svc_bmap);
--
2.1.4
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH] ath10k: fixed scan crash
2018-04-10 7:39 ` zhichen
@ 2018-04-24 8:08 ` Kalle Valo
-1 siblings, 0 replies; 10+ messages in thread
From: Kalle Valo @ 2018-04-24 8:08 UTC (permalink / raw)
To: zhichen; +Cc: ath10k, linux-wireless
zhichen@codeaurora.org writes:
> From: Zhi Chen <zhichen@codeaurora.org>
>
> Length of WMI scan message was not calculated correctly. The allocated
> buffer was smaller than what we expected. So WMI message corrupted
> skb_info, which is at the end of skb->data. This fix takes TLV header
> into account even if the element is zero-length.
> Crash log:
> [49.629986] Unhandled kernel unaligned access[#1]:
> [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
> [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
> [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
> [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
> [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
> [49.662898] $12 : 33322037 000110f2 00000000 31203930
> [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
> [49.673757] $20 : 00000000 0000012c 00000040 80470000
> [49.679186] $24 : 00000000 8024af7c
> [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
> [49.690046] Hi : 00000000
> [49.693022] Lo : 453c0000
> [49.696013] epc : 800efae4 put_page+0x0/0x58
> [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
> [49.706184] Status: 1000fc03 KERNEL EXL IE
> [49.710531] Cause : 00800010 (ExcCode 04)
> [49.714669] BadVA : 45259e89
> [49.717644] PrId : 00019374 (MIPS 24Kc)
>
> Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Your name in patchwork is wrong and hence my script uses the wrong
name. Please fix it by registering to patchwork[1] where it's possible
to change your name during registration, but only one time. If that
doesn't work then send a request to helpdesk@kernel.org and the admins
can fix it.
[1] https://patchwork.kernel.org/register/
--
Kalle Valo
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] ath10k: fixed scan crash
@ 2018-04-24 8:08 ` Kalle Valo
0 siblings, 0 replies; 10+ messages in thread
From: Kalle Valo @ 2018-04-24 8:08 UTC (permalink / raw)
To: zhichen; +Cc: linux-wireless, ath10k
zhichen@codeaurora.org writes:
> From: Zhi Chen <zhichen@codeaurora.org>
>
> Length of WMI scan message was not calculated correctly. The allocated
> buffer was smaller than what we expected. So WMI message corrupted
> skb_info, which is at the end of skb->data. This fix takes TLV header
> into account even if the element is zero-length.
> Crash log:
> [49.629986] Unhandled kernel unaligned access[#1]:
> [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
> [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
> [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
> [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
> [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
> [49.662898] $12 : 33322037 000110f2 00000000 31203930
> [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
> [49.673757] $20 : 00000000 0000012c 00000040 80470000
> [49.679186] $24 : 00000000 8024af7c
> [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
> [49.690046] Hi : 00000000
> [49.693022] Lo : 453c0000
> [49.696013] epc : 800efae4 put_page+0x0/0x58
> [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
> [49.706184] Status: 1000fc03 KERNEL EXL IE
> [49.710531] Cause : 00800010 (ExcCode 04)
> [49.714669] BadVA : 45259e89
> [49.717644] PrId : 00019374 (MIPS 24Kc)
>
> Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Your name in patchwork is wrong and hence my script uses the wrong
name. Please fix it by registering to patchwork[1] where it's possible
to change your name during registration, but only one time. If that
doesn't work then send a request to helpdesk@kernel.org and the admins
can fix it.
[1] https://patchwork.kernel.org/register/
--
Kalle Valo
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: ath10k: fixed scan crash
2018-04-10 7:39 ` zhichen
` (2 preceding siblings ...)
(?)
@ 2018-06-28 9:35 ` Kalle Valo
-1 siblings, 0 replies; 10+ messages in thread
From: Kalle Valo @ 2018-06-28 9:35 UTC (permalink / raw)
To: zhichen; +Cc: kvalo, linux-wireless, ath10k
zhichen@codeaurora.org wrote:
> Length of WMI scan message was not calculated correctly. The allocated
> buffer was smaller than what we expected. So WMI message corrupted
> skb_info, which is at the end of skb->data. This fix takes TLV header
> into account even if the element is zero-length.
>
> Crash log:
> [49.629986] Unhandled kernel unaligned access[#1]:
> [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
> [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
> [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
> [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
> [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
> [49.662898] $12 : 33322037 000110f2 00000000 31203930
> [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
> [49.673757] $20 : 00000000 0000012c 00000040 80470000
> [49.679186] $24 : 00000000 8024af7c
> [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
> [49.690046] Hi : 00000000
> [49.693022] Lo : 453c0000
> [49.696013] epc : 800efae4 put_page+0x0/0x58
> [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
> [49.706184] Status: 1000fc03 KERNEL EXL IE
> [49.710531] Cause : 00800010 (ExcCode 04)
> [49.714669] BadVA : 45259e89
> [49.717644] PrId : 00019374 (MIPS 24Kc)
>
> Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
c82919888064 ath10k: fix scan crash due to incorrect length calculation
--
https://patchwork.kernel.org/patch/10332445/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: ath10k: fixed scan crash
2018-04-10 7:39 ` zhichen
` (3 preceding siblings ...)
(?)
@ 2018-06-28 9:35 ` Kalle Valo
-1 siblings, 0 replies; 10+ messages in thread
From: Kalle Valo @ 2018-06-28 9:35 UTC (permalink / raw)
To: zhichen; +Cc: ath10k, linux-wireless, kvalo, Zhi Chen
zhichen@codeaurora.org wrote:
> Length of WMI scan message was not calculated correctly. The allocated
> buffer was smaller than what we expected. So WMI message corrupted
> skb_info, which is at the end of skb->data. This fix takes TLV header
> into account even if the element is zero-length.
>
> Crash log:
> [49.629986] Unhandled kernel unaligned access[#1]:
> [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
> [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
> [49.646608] $ 0 : 00000000 00000001 80984a80 00000000
> [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
> [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
> [49.662898] $12 : 33322037 000110f2 00000000 31203930
> [49.668327] $16 : 82792b40 80984a80 00000001 804207fc
> [49.673757] $20 : 00000000 0000012c 00000040 80470000
> [49.679186] $24 : 00000000 8024af7c
> [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
> [49.690046] Hi : 00000000
> [49.693022] Lo : 453c0000
> [49.696013] epc : 800efae4 put_page+0x0/0x58
> [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
> [49.706184] Status: 1000fc03 KERNEL EXL IE
> [49.710531] Cause : 00800010 (ExcCode 04)
> [49.714669] BadVA : 45259e89
> [49.717644] PrId : 00019374 (MIPS 24Kc)
>
> Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
c82919888064 ath10k: fix scan crash due to incorrect length calculation
--
https://patchwork.kernel.org/patch/10332445/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: ath10k: fix tlv 5ghz channel missing issue
2018-04-10 7:39 ` zhichen
(?)
(?)
@ 2018-06-28 9:38 ` Kalle Valo
-1 siblings, 0 replies; 10+ messages in thread
From: Kalle Valo @ 2018-06-28 9:38 UTC (permalink / raw)
To: zhichen; +Cc: ath10k, linux-wireless, kvalo, Zhi Chen
zhichen@codeaurora.org wrote:
> The 5ghz channel parameters of TLV target wasn't passed to host, it caused
> host can only use lower channels from 36 to 64.
>
> Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
98dc04ba60b9 ath10k: fix tlv 5ghz channel missing issue
--
https://patchwork.kernel.org/patch/10332449/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: ath10k: fix tlv 5ghz channel missing issue
2018-04-10 7:39 ` zhichen
(?)
@ 2018-06-28 9:38 ` Kalle Valo
-1 siblings, 0 replies; 10+ messages in thread
From: Kalle Valo @ 2018-06-28 9:38 UTC (permalink / raw)
To: zhichen; +Cc: kvalo, linux-wireless, ath10k
zhichen@codeaurora.org wrote:
> The 5ghz channel parameters of TLV target wasn't passed to host, it caused
> host can only use lower channels from 36 to 64.
>
> Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
98dc04ba60b9 ath10k: fix tlv 5ghz channel missing issue
--
https://patchwork.kernel.org/patch/10332449/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2018-06-28 9:38 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-10 7:39 [PATCH] ath10k: fixed scan crash zhichen
2018-04-10 7:39 ` zhichen
2018-04-10 7:39 ` [PATCH] ath10k: fix tlv 5ghz channel missing issue zhichen
2018-04-10 7:39 ` zhichen
2018-06-28 9:38 ` Kalle Valo
2018-06-28 9:38 ` Kalle Valo
2018-04-24 8:08 ` [PATCH] ath10k: fixed scan crash Kalle Valo
2018-04-24 8:08 ` Kalle Valo
2018-06-28 9:35 ` Kalle Valo
2018-06-28 9:35 ` Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.