From: Amit Pundir <amit.pundir@linaro.org>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Stable <stable@vger.kernel.org>,
Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>,
Kalle Valo <kvalo@qca.qualcomm.com>
Subject: [PATCH for-4.9.y 01/10] ath10k: fix kernel panic due to race in accessing arvif list
Date: Wed, 28 Nov 2018 20:09:55 +0530 [thread overview]
Message-ID: <1543416004-1547-2-git-send-email-amit.pundir@linaro.org> (raw)
In-Reply-To: <1543416004-1547-1-git-send-email-amit.pundir@linaro.org>
From: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
commit ebaa4b1620bf69f2bc43cb45ea85fbafdaec23c3 upstream.
arvifs list is traversed within data_lock spin_lock in tasklet
context to fill channel information from the corresponding vif.
This means any access to arvifs list for add/del operations
should also be protected with the same spin_lock to avoid the
race. Fix this by performing list add/del on arvfis within the
data_lock. This could fix kernel panic something like the below.
LR is at ath10k_htt_rx_pktlog_completion_handler+0x100/0xb6c [ath10k_core]
PC is at ath10k_htt_rx_pktlog_completion_handler+0x1c0/0xb6c [ath10k_core]
Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[<bf4857f4>] (ath10k_htt_rx_pktlog_completion_handler+0x2f4/0xb6c [ath10k_core])
[<bf487540>] (ath10k_htt_txrx_compl_task+0x8b4/0x1188 [ath10k_core])
[<c00312d4>] (tasklet_action+0x8c/0xec)
[<c00309a8>] (__do_softirq+0xdc/0x208)
[<c0030d6c>] (irq_exit+0x84/0xe0)
[<c005db04>] (__handle_domain_irq+0x80/0xa0)
[<c00085c4>] (gic_handle_irq+0x38/0x5c)
[<c0009640>] (__irq_svc+0x40/0x74)
(gdb) list *(ath10k_htt_rx_pktlog_completion_handler+0x1c0)
0x136c0 is in ath10k_htt_rx_h_channel (drivers/net/wireless/ath/ath10k/htt_rx.c:769)
764 struct cfg80211_chan_def def;
765
766 lockdep_assert_held(&ar->data_lock);
767
768 list_for_each_entry(arvif, &ar->arvifs, list) {
769 if (arvif->vdev_id == vdev_id &&
770 ath10k_mac_vif_chan(arvif->vif, &def) == 0)
771 return def.chan;
772 }
773
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
---
drivers/net/wireless/ath/ath10k/mac.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 5fe6841b8889..fb632a454fc2 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -4967,7 +4967,9 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
}
ar->free_vdev_map &= ~(1LL << arvif->vdev_id);
+ spin_lock_bh(&ar->data_lock);
list_add(&arvif->list, &ar->arvifs);
+ spin_unlock_bh(&ar->data_lock);
/* It makes no sense to have firmware do keepalives. mac80211 already
* takes care of this with idle connection polling.
@@ -5118,7 +5120,9 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
err_vdev_delete:
ath10k_wmi_vdev_delete(ar, arvif->vdev_id);
ar->free_vdev_map |= 1LL << arvif->vdev_id;
+ spin_lock_bh(&ar->data_lock);
list_del(&arvif->list);
+ spin_unlock_bh(&ar->data_lock);
err:
if (arvif->beacon_buf) {
@@ -5164,7 +5168,9 @@ static void ath10k_remove_interface(struct ieee80211_hw *hw,
arvif->vdev_id, ret);
ar->free_vdev_map |= 1LL << arvif->vdev_id;
+ spin_lock_bh(&ar->data_lock);
list_del(&arvif->list);
+ spin_unlock_bh(&ar->data_lock);
if (arvif->vdev_type == WMI_VDEV_TYPE_AP ||
arvif->vdev_type == WMI_VDEV_TYPE_IBSS) {
--
2.7.4
next prev parent reply other threads:[~2018-11-29 1:42 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-28 14:39 [PATCH for-4.9.y 00/10] Stable candidates for linux-4.9.y Amit Pundir
2018-11-28 14:39 ` Amit Pundir [this message]
2018-11-28 14:39 ` [PATCH for-4.9.y 02/10] cw1200: Don't leak memory if krealloc failes Amit Pundir
2018-11-28 14:39 ` [PATCH for-4.9.y 03/10] mwifiex: prevent register accesses after host is sleeping Amit Pundir
2018-11-28 14:39 ` [PATCH for-4.9.y 04/10] mwifiex: report error to PCIe for suspend failure Amit Pundir
2018-11-28 14:39 ` [PATCH for-4.9.y 05/10] mwifiex: Fix NULL pointer dereference in skb_dequeue() Amit Pundir
2018-11-28 14:40 ` [PATCH for-4.9.y 06/10] mwifiex: fix p2p device doesn't find in scan problem Amit Pundir
2018-11-28 14:40 ` [PATCH for-4.9.y 07/10] scsi: ufs: fix bugs related to null pointer access and array size Amit Pundir
2018-11-28 14:40 ` [PATCH for-4.9.y 08/10] scsi: ufshcd: Fix race between clk scaling and ungate work Amit Pundir
2018-11-28 14:40 ` [PATCH for-4.9.y 09/10] scsi: ufs: fix race between clock gating and devfreq scaling work Amit Pundir
2018-11-28 14:40 ` [PATCH for-4.9.y 10/10] scsi: ufshcd: release resources if probe fails Amit Pundir
2018-11-29 10:12 ` [PATCH for-4.9.y 00/10] Stable candidates for linux-4.9.y Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1543416004-1547-2-git-send-email-amit.pundir@linaro.org \
--to=amit.pundir@linaro.org \
--cc=gregkh@linuxfoundation.org \
--cc=kvalo@qca.qualcomm.com \
--cc=stable@vger.kernel.org \
--cc=vthiagar@qti.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.