From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Harshitha Prem <quic_hprem@quicinc.com>, Nagarajan Maran <quic_nmaran@quicinc.com>, Kalle Valo <quic_kvalo@quicinc.com>, Sasha Levin <sashal@kernel.org>, kvalo@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp. Date: Thu, 4 May 2023 15:43:56 -0400 [thread overview] Message-ID: <20230504194413.3806354-36-sashal@kernel.org> (raw) In-Reply-To: <20230504194413.3806354-1-sashal@kernel.org> From: Harshitha Prem <quic_hprem@quicinc.com> [ Upstream commit a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 ] When max virtual ap interfaces are configured in all the bands with ACS and hostapd restart is done every 60s, a crash is observed at random times. In this certain scenario, a fragmented packet is received for self peer, for which rx_tid and rx_frags are not initialized in datapath. While handling this fragment, crash is observed as the rx_frag list is uninitialised and when we walk in ath11k_dp_rx_h_sort_frags, skb null leads to exception. To address this, before processing received fragments we check dp_setup_done flag is set to ensure that peer has completed its dp peer setup for fragment queue, else ignore processing the fragments. Call trace: ath11k_dp_process_rx_err+0x550/0x1084 [ath11k] ath11k_dp_service_srng+0x70/0x370 [ath11k] 0xffffffc009693a04 __napi_poll+0x30/0xa4 net_rx_action+0x118/0x270 __do_softirq+0x10c/0x244 irq_exit+0x64/0xb4 __handle_domain_irq+0x88/0xac gic_handle_irq+0x74/0xbc el1_irq+0xf0/0x1c0 arch_cpu_idle+0x10/0x18 do_idle+0x104/0x248 cpu_startup_entry+0x20/0x64 rest_init+0xd0/0xdc arch_call_rest_init+0xc/0x14 start_kernel+0x480/0x4b8 Code: f9400281 f94066a2 91405021 b94a0023 (f9406401) Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com> Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20230403184155.8670-2-quic_nmaran@quicinc.com Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/net/wireless/ath/ath11k/dp.c | 4 +++- drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++++++++ drivers/net/wireless/ath/ath11k/peer.h | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c index f5156a7fbdd7a..d070bcb3fe247 100644 --- a/drivers/net/wireless/ath/ath11k/dp.c +++ b/drivers/net/wireless/ath/ath11k/dp.c @@ -36,6 +36,7 @@ void ath11k_dp_peer_cleanup(struct ath11k *ar, int vdev_id, const u8 *addr) } ath11k_peer_rx_tid_cleanup(ar, peer); + peer->dp_setup_done = false; crypto_free_shash(peer->tfm_mmic); spin_unlock_bh(&ab->base_lock); } @@ -72,7 +73,8 @@ int ath11k_dp_peer_setup(struct ath11k *ar, int vdev_id, const u8 *addr) ret = ath11k_peer_rx_frag_setup(ar, addr, vdev_id); if (ret) { ath11k_warn(ab, "failed to setup rx defrag context\n"); - return ret; + tid--; + goto peer_clean; } /* TODO: Setup other peer specific resource used in data path */ diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index e964e1b722871..1786d83f8f2ed 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -3138,6 +3138,7 @@ int ath11k_peer_rx_frag_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id } peer->tfm_mmic = tfm; + peer->dp_setup_done = true; spin_unlock_bh(&ab->base_lock); return 0; @@ -3583,6 +3584,13 @@ static int ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar, ret = -ENOENT; goto out_unlock; } + if (!peer->dp_setup_done) { + ath11k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n", + peer->addr, peer_id); + ret = -ENOENT; + goto out_unlock; + } + rx_tid = &peer->rx_tid[tid]; if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) || diff --git a/drivers/net/wireless/ath/ath11k/peer.h b/drivers/net/wireless/ath/ath11k/peer.h index 6dd17bafe3a0c..9bd385d0a38c9 100644 --- a/drivers/net/wireless/ath/ath11k/peer.h +++ b/drivers/net/wireless/ath/ath11k/peer.h @@ -35,6 +35,7 @@ struct ath11k_peer { u16 sec_type; u16 sec_type_grp; bool is_authorized; + bool dp_setup_done; }; void ath11k_peer_unmap_event(struct ath11k_base *ab, u16 peer_id); -- 2.39.2
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Harshitha Prem <quic_hprem@quicinc.com>, Nagarajan Maran <quic_nmaran@quicinc.com>, Kalle Valo <quic_kvalo@quicinc.com>, Sasha Levin <sashal@kernel.org>, kvalo@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp. Date: Thu, 4 May 2023 15:43:56 -0400 [thread overview] Message-ID: <20230504194413.3806354-36-sashal@kernel.org> (raw) In-Reply-To: <20230504194413.3806354-1-sashal@kernel.org> From: Harshitha Prem <quic_hprem@quicinc.com> [ Upstream commit a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 ] When max virtual ap interfaces are configured in all the bands with ACS and hostapd restart is done every 60s, a crash is observed at random times. In this certain scenario, a fragmented packet is received for self peer, for which rx_tid and rx_frags are not initialized in datapath. While handling this fragment, crash is observed as the rx_frag list is uninitialised and when we walk in ath11k_dp_rx_h_sort_frags, skb null leads to exception. To address this, before processing received fragments we check dp_setup_done flag is set to ensure that peer has completed its dp peer setup for fragment queue, else ignore processing the fragments. Call trace: ath11k_dp_process_rx_err+0x550/0x1084 [ath11k] ath11k_dp_service_srng+0x70/0x370 [ath11k] 0xffffffc009693a04 __napi_poll+0x30/0xa4 net_rx_action+0x118/0x270 __do_softirq+0x10c/0x244 irq_exit+0x64/0xb4 __handle_domain_irq+0x88/0xac gic_handle_irq+0x74/0xbc el1_irq+0xf0/0x1c0 arch_cpu_idle+0x10/0x18 do_idle+0x104/0x248 cpu_startup_entry+0x20/0x64 rest_init+0xd0/0xdc arch_call_rest_init+0xc/0x14 start_kernel+0x480/0x4b8 Code: f9400281 f94066a2 91405021 b94a0023 (f9406401) Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com> Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20230403184155.8670-2-quic_nmaran@quicinc.com Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/net/wireless/ath/ath11k/dp.c | 4 +++- drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++++++++ drivers/net/wireless/ath/ath11k/peer.h | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c index f5156a7fbdd7a..d070bcb3fe247 100644 --- a/drivers/net/wireless/ath/ath11k/dp.c +++ b/drivers/net/wireless/ath/ath11k/dp.c @@ -36,6 +36,7 @@ void ath11k_dp_peer_cleanup(struct ath11k *ar, int vdev_id, const u8 *addr) } ath11k_peer_rx_tid_cleanup(ar, peer); + peer->dp_setup_done = false; crypto_free_shash(peer->tfm_mmic); spin_unlock_bh(&ab->base_lock); } @@ -72,7 +73,8 @@ int ath11k_dp_peer_setup(struct ath11k *ar, int vdev_id, const u8 *addr) ret = ath11k_peer_rx_frag_setup(ar, addr, vdev_id); if (ret) { ath11k_warn(ab, "failed to setup rx defrag context\n"); - return ret; + tid--; + goto peer_clean; } /* TODO: Setup other peer specific resource used in data path */ diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index e964e1b722871..1786d83f8f2ed 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -3138,6 +3138,7 @@ int ath11k_peer_rx_frag_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id } peer->tfm_mmic = tfm; + peer->dp_setup_done = true; spin_unlock_bh(&ab->base_lock); return 0; @@ -3583,6 +3584,13 @@ static int ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar, ret = -ENOENT; goto out_unlock; } + if (!peer->dp_setup_done) { + ath11k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n", + peer->addr, peer_id); + ret = -ENOENT; + goto out_unlock; + } + rx_tid = &peer->rx_tid[tid]; if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) || diff --git a/drivers/net/wireless/ath/ath11k/peer.h b/drivers/net/wireless/ath/ath11k/peer.h index 6dd17bafe3a0c..9bd385d0a38c9 100644 --- a/drivers/net/wireless/ath/ath11k/peer.h +++ b/drivers/net/wireless/ath/ath11k/peer.h @@ -35,6 +35,7 @@ struct ath11k_peer { u16 sec_type; u16 sec_type_grp; bool is_authorized; + bool dp_setup_done; }; void ath11k_peer_unmap_event(struct ath11k_base *ab, u16 peer_id); -- 2.39.2 -- ath11k mailing list ath11k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath11k
next prev parent reply other threads:[~2023-05-04 19:50 UTC|newest] Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-05-04 19:43 [PATCH AUTOSEL 6.2 01/53] wifi: ath: Silence memcpy run-time false positive warning Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 02/53] bpf: Annotate data races in bpf_local_storage Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 03/53] wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 04/53] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 05/53] wifi: brcmfmac: pcie: Add IDs/properties for BCM4387 Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 06/53] bpf, mips: Implement DADDI workarounds for JIT Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 07/53] ext2: Check block size validity during mount Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 08/53] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 09/53] scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 10/53] wifi: rtw88: fix memory leak in rtw_usb_probe() Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 11/53] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 12/53] bnxt: avoid overflow in bnxt_get_nvram_directory() Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 13/53] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 14/53] net: Catch invalid index in XPS mapping Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 15/53] netdev: Enforce index cap in netdev_get_tx_queue Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 16/53] scsi: target: iscsit: Free cmds before session free Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 17/53] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 18/53] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 19/53] gfs2: Fix inode height consistency check Sasha Levin 2023-05-04 19:43 ` [Cluster-devel] " Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 20/53] scsi: ufs: ufs-pci: Add support for Intel Lunar Lake Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 21/53] scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 22/53] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 23/53] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 24/53] crypto: jitter - permanent and intermittent health errors Sasha Levin 2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 25/53] f2fs: Fix system crash due to lack of free space in LFS Sasha Levin 2023-05-04 19:43 ` Sasha Levin 2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 26/53] f2fs: fix to drop all dirty pages during umount() if cp_error is set Sasha Levin 2023-05-04 19:43 ` Sasha Levin 2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 27/53] f2fs: fix to check readonly condition correctly Sasha Levin 2023-05-04 19:43 ` Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 28/53] samples/bpf: Fix fout leak in hbm's run_bpf_prog Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 29/53] bpf: Add preempt_count_{sub,add} into btf id deny list Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 30/53] md: fix soft lockup in status_resync Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 31/53] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 32/53] wifi: iwlwifi: add a new PCI device ID for BZ device Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 33/53] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 34/53] wifi: iwlwifi: mvm: fix ptk_pn memory leak Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 35/53] block, bfq: Fix division by zero error on zero wsum Sasha Levin 2023-05-04 19:43 ` Sasha Levin [this message] 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 37/53] wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 38/53] null_blk: Always check queue mode setting from configfs Sasha Levin 2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 39/53] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 40/53] wifi: ath11k: Fix SKB corruption in REO destination ring Sasha Levin 2023-05-04 19:44 ` Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 41/53] wifi: rtw88: Fix memory leak in rtw88_usb Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 42/53] nbd: fix incomplete validation of ioctl arg Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 43/53] ipvs: Update width of source for ip_vs_sync_conn_options Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 44/53] Bluetooth: btusb: Add new PID/VID 04ca:3801 for MT7663 Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 45/53] Bluetooth: Add new quirk for broken local ext features page 2 Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 46/53] Bluetooth: btrtl: add support for the RTL8723CS Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 47/53] Bluetooth: Improve support for Actions Semi ATS2851 based devices Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 48/53] Bluetooth: btrtl: check for NULL in btrtl_set_quirks() Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 49/53] Bluetooth: btintel: Add LE States quirk support Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 50/53] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 51/53] Bluetooth: Add new quirk for broken set random RPA timeout for ATS2851 Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 52/53] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin 2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 53/53] Bluetooth: btrtl: Add the support for RTL8851B Sasha Levin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20230504194413.3806354-36-sashal@kernel.org \ --to=sashal@kernel.org \ --cc=ath11k@lists.infradead.org \ --cc=davem@davemloft.net \ --cc=edumazet@google.com \ --cc=kuba@kernel.org \ --cc=kvalo@kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-wireless@vger.kernel.org \ --cc=netdev@vger.kernel.org \ --cc=pabeni@redhat.com \ --cc=quic_hprem@quicinc.com \ --cc=quic_kvalo@quicinc.com \ --cc=quic_nmaran@quicinc.com \ --cc=stable@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.