* [PATCH] ath10k: add missing error handling
@ 2019-05-23 7:15 ` Claire Chang
0 siblings, 0 replies; 8+ messages in thread
From: Claire Chang @ 2019-05-23 7:15 UTC (permalink / raw)
To: kvalo; +Cc: ath10k, linux-wireless, wgong, Claire Chang
In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
This will make the driver think the allocation for skb is successful and
try to access the skb. If we enable failslab, system will easily crash with
NULL pointer dereferencing.
Call trace of CONFIG_FAILSLAB:
ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
process_sdio_pending_irqs+0x4c/0x174
sdio_run_irqs+0x3c/0x64
sdio_irq_work+0x1c/0x28
Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
Signed-off-by: Claire Chang <tientzu@chromium.org>
---
drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
index 9bbd5b54b8ca..4b7f1c6f13e2 100644
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -607,6 +607,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
full_len,
last_in_bundle,
last_in_bundle);
+ if (ret) {
+ ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
+ goto err;
+ }
}
ar_sdio->n_rx_pkts = i;
--
2.21.0.1020.gf2820cf01a-goog
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH] ath10k: add missing error handling
@ 2019-05-23 7:15 ` Claire Chang
0 siblings, 0 replies; 8+ messages in thread
From: Claire Chang @ 2019-05-23 7:15 UTC (permalink / raw)
To: kvalo; +Cc: Claire Chang, linux-wireless, ath10k, wgong
In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
This will make the driver think the allocation for skb is successful and
try to access the skb. If we enable failslab, system will easily crash with
NULL pointer dereferencing.
Call trace of CONFIG_FAILSLAB:
ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
process_sdio_pending_irqs+0x4c/0x174
sdio_run_irqs+0x3c/0x64
sdio_irq_work+0x1c/0x28
Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
Signed-off-by: Claire Chang <tientzu@chromium.org>
---
drivers/net/wireless/ath/ath10k/sdio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
index 9bbd5b54b8ca..4b7f1c6f13e2 100644
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -607,6 +607,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
full_len,
last_in_bundle,
last_in_bundle);
+ if (ret) {
+ ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
+ goto err;
+ }
}
ar_sdio->n_rx_pkts = i;
--
2.21.0.1020.gf2820cf01a-goog
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH] ath10k: add missing error handling
2019-05-23 7:15 ` Claire Chang
@ 2019-05-23 16:42 ` Brian Norris
-1 siblings, 0 replies; 8+ messages in thread
From: Brian Norris @ 2019-05-23 16:42 UTC (permalink / raw)
To: Claire Chang; +Cc: Kalle Valo, ath10k, linux-wireless, Wen Gong
On Thu, May 23, 2019 at 12:15 AM Claire Chang <tientzu@chromium.org> wrote:
> --- a/drivers/net/wireless/ath/ath10k/sdio.c
> +++ b/drivers/net/wireless/ath/ath10k/sdio.c
> @@ -607,6 +607,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
> full_len,
> last_in_bundle,
> last_in_bundle);
> + if (ret) {
IIUC, you have basically the same failure case a few lines up, where
ath10k_sdio_mbox_alloc_pkt_bundle() may fail. Do the same there?
This (including the error label to which it's jumping) looks fine to me though:
Reviewed-by: Brian Norris <briannorris@chromium.org>
> + ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
> + goto err;
> + }
> }
>
> ar_sdio->n_rx_pkts = i;
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ath10k: add missing error handling
@ 2019-05-23 16:42 ` Brian Norris
0 siblings, 0 replies; 8+ messages in thread
From: Brian Norris @ 2019-05-23 16:42 UTC (permalink / raw)
To: Claire Chang; +Cc: linux-wireless, ath10k, Kalle Valo, Wen Gong
On Thu, May 23, 2019 at 12:15 AM Claire Chang <tientzu@chromium.org> wrote:
> --- a/drivers/net/wireless/ath/ath10k/sdio.c
> +++ b/drivers/net/wireless/ath/ath10k/sdio.c
> @@ -607,6 +607,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
> full_len,
> last_in_bundle,
> last_in_bundle);
> + if (ret) {
IIUC, you have basically the same failure case a few lines up, where
ath10k_sdio_mbox_alloc_pkt_bundle() may fail. Do the same there?
This (including the error label to which it's jumping) looks fine to me though:
Reviewed-by: Brian Norris <briannorris@chromium.org>
> + ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
> + goto err;
> + }
> }
>
> ar_sdio->n_rx_pkts = i;
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ath10k: add missing error handling
2019-05-23 16:42 ` Brian Norris
@ 2019-05-23 23:18 ` Brian Norris
-1 siblings, 0 replies; 8+ messages in thread
From: Brian Norris @ 2019-05-23 23:18 UTC (permalink / raw)
To: Claire Chang; +Cc: Kalle Valo, ath10k, linux-wireless, Wen Gong, Erik Stromdahl
On Thu, May 23, 2019 at 9:42 AM Brian Norris <briannorris@chromium.org> wrote:
> IIUC, you have basically the same failure case a few lines up, where
> ath10k_sdio_mbox_alloc_pkt_bundle() may fail. Do the same there?
Oh, I see Erik Stromdahl already got that one:
ath10k: sdio: add missing error check
https://patchwork.kernel.org/patch/10906009/
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ath10k: add missing error handling
@ 2019-05-23 23:18 ` Brian Norris
0 siblings, 0 replies; 8+ messages in thread
From: Brian Norris @ 2019-05-23 23:18 UTC (permalink / raw)
To: Claire Chang; +Cc: Erik Stromdahl, linux-wireless, ath10k, Kalle Valo, Wen Gong
On Thu, May 23, 2019 at 9:42 AM Brian Norris <briannorris@chromium.org> wrote:
> IIUC, you have basically the same failure case a few lines up, where
> ath10k_sdio_mbox_alloc_pkt_bundle() may fail. Do the same there?
Oh, I see Erik Stromdahl already got that one:
ath10k: sdio: add missing error check
https://patchwork.kernel.org/patch/10906009/
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ath10k: add missing error handling
2019-05-23 7:15 ` Claire Chang
(?)
(?)
@ 2019-06-25 12:58 ` Kalle Valo
-1 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2019-06-25 12:58 UTC (permalink / raw)
To: Claire Chang; +Cc: ath10k, linux-wireless, wgong, Claire Chang
Claire Chang <tientzu@chromium.org> wrote:
> In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
> ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
> This will make the driver think the allocation for skb is successful and
> try to access the skb. If we enable failslab, system will easily crash with
> NULL pointer dereferencing.
>
> Call trace of CONFIG_FAILSLAB:
> ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
> process_sdio_pending_irqs+0x4c/0x174
> sdio_run_irqs+0x3c/0x64
> sdio_irq_work+0x1c/0x28
>
> Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
> Signed-off-by: Claire Chang <tientzu@chromium.org>
> Reviewed-by: Brian Norris <briannorris@chromium.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
4b553f3ca4cb ath10k: add missing error handling
--
https://patchwork.kernel.org/patch/10957013/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] ath10k: add missing error handling
2019-05-23 7:15 ` Claire Chang
` (2 preceding siblings ...)
(?)
@ 2019-06-25 12:58 ` Kalle Valo
-1 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2019-06-25 12:58 UTC (permalink / raw)
To: Claire Chang; +Cc: linux-wireless, ath10k, wgong
Claire Chang <tientzu@chromium.org> wrote:
> In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
> ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
> This will make the driver think the allocation for skb is successful and
> try to access the skb. If we enable failslab, system will easily crash with
> NULL pointer dereferencing.
>
> Call trace of CONFIG_FAILSLAB:
> ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
> process_sdio_pending_irqs+0x4c/0x174
> sdio_run_irqs+0x3c/0x64
> sdio_irq_work+0x1c/0x28
>
> Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
> Signed-off-by: Claire Chang <tientzu@chromium.org>
> Reviewed-by: Brian Norris <briannorris@chromium.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
4b553f3ca4cb ath10k: add missing error handling
--
https://patchwork.kernel.org/patch/10957013/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-06-25 12:58 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-23 7:15 [PATCH] ath10k: add missing error handling Claire Chang
2019-05-23 7:15 ` Claire Chang
2019-05-23 16:42 ` Brian Norris
2019-05-23 16:42 ` Brian Norris
2019-05-23 23:18 ` Brian Norris
2019-05-23 23:18 ` Brian Norris
2019-06-25 12:58 ` Kalle Valo
2019-06-25 12:58 ` Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.