From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Harshitha Prem <quic_hprem@quicinc.com>,
Nagarajan Maran <quic_nmaran@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, ath11k@lists.infradead.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp.
Date: Thu, 4 May 2023 15:43:56 -0400 [thread overview]
Message-ID: <20230504194413.3806354-36-sashal@kernel.org> (raw)
In-Reply-To: <20230504194413.3806354-1-sashal@kernel.org>
From: Harshitha Prem <quic_hprem@quicinc.com>
[ Upstream commit a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 ]
When max virtual ap interfaces are configured in all the bands with
ACS and hostapd restart is done every 60s, a crash is observed at
random times.
In this certain scenario, a fragmented packet is received for
self peer, for which rx_tid and rx_frags are not initialized in
datapath. While handling this fragment, crash is observed as the
rx_frag list is uninitialised and when we walk in
ath11k_dp_rx_h_sort_frags, skb null leads to exception.
To address this, before processing received fragments we check
dp_setup_done flag is set to ensure that peer has completed its
dp peer setup for fragment queue, else ignore processing the
fragments.
Call trace:
ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]
ath11k_dp_service_srng+0x70/0x370 [ath11k]
0xffffffc009693a04
__napi_poll+0x30/0xa4
net_rx_action+0x118/0x270
__do_softirq+0x10c/0x244
irq_exit+0x64/0xb4
__handle_domain_irq+0x88/0xac
gic_handle_irq+0x74/0xbc
el1_irq+0xf0/0x1c0
arch_cpu_idle+0x10/0x18
do_idle+0x104/0x248
cpu_startup_entry+0x20/0x64
rest_init+0xd0/0xdc
arch_call_rest_init+0xc/0x14
start_kernel+0x480/0x4b8
Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230403184155.8670-2-quic_nmaran@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp.c | 4 +++-
drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++++++++
drivers/net/wireless/ath/ath11k/peer.h | 1 +
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c
index f5156a7fbdd7a..d070bcb3fe247 100644
--- a/drivers/net/wireless/ath/ath11k/dp.c
+++ b/drivers/net/wireless/ath/ath11k/dp.c
@@ -36,6 +36,7 @@ void ath11k_dp_peer_cleanup(struct ath11k *ar, int vdev_id, const u8 *addr)
}
ath11k_peer_rx_tid_cleanup(ar, peer);
+ peer->dp_setup_done = false;
crypto_free_shash(peer->tfm_mmic);
spin_unlock_bh(&ab->base_lock);
}
@@ -72,7 +73,8 @@ int ath11k_dp_peer_setup(struct ath11k *ar, int vdev_id, const u8 *addr)
ret = ath11k_peer_rx_frag_setup(ar, addr, vdev_id);
if (ret) {
ath11k_warn(ab, "failed to setup rx defrag context\n");
- return ret;
+ tid--;
+ goto peer_clean;
}
/* TODO: Setup other peer specific resource used in data path */
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index e964e1b722871..1786d83f8f2ed 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -3138,6 +3138,7 @@ int ath11k_peer_rx_frag_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id
}
peer->tfm_mmic = tfm;
+ peer->dp_setup_done = true;
spin_unlock_bh(&ab->base_lock);
return 0;
@@ -3583,6 +3584,13 @@ static int ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar,
ret = -ENOENT;
goto out_unlock;
}
+ if (!peer->dp_setup_done) {
+ ath11k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n",
+ peer->addr, peer_id);
+ ret = -ENOENT;
+ goto out_unlock;
+ }
+
rx_tid = &peer->rx_tid[tid];
if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) ||
diff --git a/drivers/net/wireless/ath/ath11k/peer.h b/drivers/net/wireless/ath/ath11k/peer.h
index 6dd17bafe3a0c..9bd385d0a38c9 100644
--- a/drivers/net/wireless/ath/ath11k/peer.h
+++ b/drivers/net/wireless/ath/ath11k/peer.h
@@ -35,6 +35,7 @@ struct ath11k_peer {
u16 sec_type;
u16 sec_type_grp;
bool is_authorized;
+ bool dp_setup_done;
};
void ath11k_peer_unmap_event(struct ath11k_base *ab, u16 peer_id);
--
2.39.2
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Harshitha Prem <quic_hprem@quicinc.com>,
Nagarajan Maran <quic_nmaran@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, ath11k@lists.infradead.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp.
Date: Thu, 4 May 2023 15:43:56 -0400 [thread overview]
Message-ID: <20230504194413.3806354-36-sashal@kernel.org> (raw)
In-Reply-To: <20230504194413.3806354-1-sashal@kernel.org>
From: Harshitha Prem <quic_hprem@quicinc.com>
[ Upstream commit a06bfb3c9f69f303692cdae87bc0899d2ae8b2a6 ]
When max virtual ap interfaces are configured in all the bands with
ACS and hostapd restart is done every 60s, a crash is observed at
random times.
In this certain scenario, a fragmented packet is received for
self peer, for which rx_tid and rx_frags are not initialized in
datapath. While handling this fragment, crash is observed as the
rx_frag list is uninitialised and when we walk in
ath11k_dp_rx_h_sort_frags, skb null leads to exception.
To address this, before processing received fragments we check
dp_setup_done flag is set to ensure that peer has completed its
dp peer setup for fragment queue, else ignore processing the
fragments.
Call trace:
ath11k_dp_process_rx_err+0x550/0x1084 [ath11k]
ath11k_dp_service_srng+0x70/0x370 [ath11k]
0xffffffc009693a04
__napi_poll+0x30/0xa4
net_rx_action+0x118/0x270
__do_softirq+0x10c/0x244
irq_exit+0x64/0xb4
__handle_domain_irq+0x88/0xac
gic_handle_irq+0x74/0xbc
el1_irq+0xf0/0x1c0
arch_cpu_idle+0x10/0x18
do_idle+0x104/0x248
cpu_startup_entry+0x20/0x64
rest_init+0xd0/0xdc
arch_call_rest_init+0xc/0x14
start_kernel+0x480/0x4b8
Code: f9400281 f94066a2 91405021 b94a0023 (f9406401)
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230403184155.8670-2-quic_nmaran@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp.c | 4 +++-
drivers/net/wireless/ath/ath11k/dp_rx.c | 8 ++++++++
drivers/net/wireless/ath/ath11k/peer.h | 1 +
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp.c b/drivers/net/wireless/ath/ath11k/dp.c
index f5156a7fbdd7a..d070bcb3fe247 100644
--- a/drivers/net/wireless/ath/ath11k/dp.c
+++ b/drivers/net/wireless/ath/ath11k/dp.c
@@ -36,6 +36,7 @@ void ath11k_dp_peer_cleanup(struct ath11k *ar, int vdev_id, const u8 *addr)
}
ath11k_peer_rx_tid_cleanup(ar, peer);
+ peer->dp_setup_done = false;
crypto_free_shash(peer->tfm_mmic);
spin_unlock_bh(&ab->base_lock);
}
@@ -72,7 +73,8 @@ int ath11k_dp_peer_setup(struct ath11k *ar, int vdev_id, const u8 *addr)
ret = ath11k_peer_rx_frag_setup(ar, addr, vdev_id);
if (ret) {
ath11k_warn(ab, "failed to setup rx defrag context\n");
- return ret;
+ tid--;
+ goto peer_clean;
}
/* TODO: Setup other peer specific resource used in data path */
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index e964e1b722871..1786d83f8f2ed 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -3138,6 +3138,7 @@ int ath11k_peer_rx_frag_setup(struct ath11k *ar, const u8 *peer_mac, int vdev_id
}
peer->tfm_mmic = tfm;
+ peer->dp_setup_done = true;
spin_unlock_bh(&ab->base_lock);
return 0;
@@ -3583,6 +3584,13 @@ static int ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar,
ret = -ENOENT;
goto out_unlock;
}
+ if (!peer->dp_setup_done) {
+ ath11k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n",
+ peer->addr, peer_id);
+ ret = -ENOENT;
+ goto out_unlock;
+ }
+
rx_tid = &peer->rx_tid[tid];
if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) ||
diff --git a/drivers/net/wireless/ath/ath11k/peer.h b/drivers/net/wireless/ath/ath11k/peer.h
index 6dd17bafe3a0c..9bd385d0a38c9 100644
--- a/drivers/net/wireless/ath/ath11k/peer.h
+++ b/drivers/net/wireless/ath/ath11k/peer.h
@@ -35,6 +35,7 @@ struct ath11k_peer {
u16 sec_type;
u16 sec_type_grp;
bool is_authorized;
+ bool dp_setup_done;
};
void ath11k_peer_unmap_event(struct ath11k_base *ab, u16 peer_id);
--
2.39.2
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
next prev parent reply other threads:[~2023-05-04 19:50 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-04 19:43 [PATCH AUTOSEL 6.2 01/53] wifi: ath: Silence memcpy run-time false positive warning Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 02/53] bpf: Annotate data races in bpf_local_storage Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 03/53] wifi: brcmfmac: pcie: Provide a buffer of random bytes to the device Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 04/53] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 05/53] wifi: brcmfmac: pcie: Add IDs/properties for BCM4387 Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 06/53] bpf, mips: Implement DADDI workarounds for JIT Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 07/53] ext2: Check block size validity during mount Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 08/53] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 09/53] scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 10/53] wifi: rtw88: fix memory leak in rtw_usb_probe() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 11/53] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 12/53] bnxt: avoid overflow in bnxt_get_nvram_directory() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 13/53] net: pasemi: Fix return type of pasemi_mac_start_tx() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 14/53] net: Catch invalid index in XPS mapping Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 15/53] netdev: Enforce index cap in netdev_get_tx_queue Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 16/53] scsi: target: iscsit: Free cmds before session free Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 17/53] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 18/53] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 19/53] gfs2: Fix inode height consistency check Sasha Levin
2023-05-04 19:43 ` [Cluster-devel] " Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 20/53] scsi: ufs: ufs-pci: Add support for Intel Lunar Lake Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 21/53] scsi: hisi_sas: Grab sas_dev lock when traversing the members of sas_dev.list Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 22/53] ext4: set goal start correctly in ext4_mb_normalize_request Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 23/53] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 24/53] crypto: jitter - permanent and intermittent health errors Sasha Levin
2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 25/53] f2fs: Fix system crash due to lack of free space in LFS Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 26/53] f2fs: fix to drop all dirty pages during umount() if cp_error is set Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [f2fs-dev] [PATCH AUTOSEL 6.2 27/53] f2fs: fix to check readonly condition correctly Sasha Levin
2023-05-04 19:43 ` Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 28/53] samples/bpf: Fix fout leak in hbm's run_bpf_prog Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 29/53] bpf: Add preempt_count_{sub,add} into btf id deny list Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 30/53] md: fix soft lockup in status_resync Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 31/53] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 32/53] wifi: iwlwifi: add a new PCI device ID for BZ device Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 33/53] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 34/53] wifi: iwlwifi: mvm: fix ptk_pn memory leak Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 35/53] block, bfq: Fix division by zero error on zero wsum Sasha Levin
2023-05-04 19:43 ` Sasha Levin [this message]
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 36/53] wifi: ath11k: Ignore frags from uninitialized peer in dp Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 37/53] wifi: iwlwifi: fix iwl_mvm_max_amsdu_size() for MLO Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 38/53] null_blk: Always check queue mode setting from configfs Sasha Levin
2023-05-04 19:43 ` [PATCH AUTOSEL 6.2 39/53] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 40/53] wifi: ath11k: Fix SKB corruption in REO destination ring Sasha Levin
2023-05-04 19:44 ` Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 41/53] wifi: rtw88: Fix memory leak in rtw88_usb Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 42/53] nbd: fix incomplete validation of ioctl arg Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 43/53] ipvs: Update width of source for ip_vs_sync_conn_options Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 44/53] Bluetooth: btusb: Add new PID/VID 04ca:3801 for MT7663 Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 45/53] Bluetooth: Add new quirk for broken local ext features page 2 Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 46/53] Bluetooth: btrtl: add support for the RTL8723CS Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 47/53] Bluetooth: Improve support for Actions Semi ATS2851 based devices Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 48/53] Bluetooth: btrtl: check for NULL in btrtl_set_quirks() Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 49/53] Bluetooth: btintel: Add LE States quirk support Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 50/53] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 51/53] Bluetooth: Add new quirk for broken set random RPA timeout for ATS2851 Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 52/53] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Sasha Levin
2023-05-04 19:44 ` [PATCH AUTOSEL 6.2 53/53] Bluetooth: btrtl: Add the support for RTL8851B Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230504194413.3806354-36-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath11k@lists.infradead.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=quic_hprem@quicinc.com \
--cc=quic_kvalo@quicinc.com \
--cc=quic_nmaran@quicinc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.