From: Michal Kazior <michal.kazior@tieto.com>
To: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: "ath10k@lists.infradead.org" <ath10k@lists.infradead.org>,
Ben Greear <greearb@candelatech.com>,
linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: [PATCH] ath10k: double check bmi xfer pointers
Date: Fri, 11 Apr 2014 09:58:54 +0200 [thread overview]
Message-ID: <CA+BoTQ=L7Cj5V04RGEFcdGm1rxEO8NOYMEhSRiQNdoBoMTm5Pg@mail.gmail.com> (raw)
In-Reply-To: <CA+BoTQ=gUBsw43M2at0y7iZU3VhwdjH9EBqzdOmKpxLjjqusPw@mail.gmail.com>
On 11 April 2014 07:47, Michal Kazior <michal.kazior@tieto.com> wrote:
> On 11 April 2014 07:40, Kalle Valo <kvalo@qca.qualcomm.com> wrote:
>> Michal Kazior <michal.kazior@tieto.com> writes:
>>
>>> If for some reason copy engine ring buffer became
>>> corrupt ath10k could crash the machine due to
>>> invalid pointer dereference. It's very unlikely
>>> but devices can never be fully trusted so verify
>>> if the bmi xfer pointer read back from copy engine
>>> matches the original pointer.
>>
>> The big question is why does this happen? Does this happen only with
>> Ben's firmware or is it a more generic problem?
>
> I'll look more into this.
Hmm.. After going through the code a few times I think the bug is
actually something else.
If the crash happened in complete() it means the completion structure
wasn't set up properly. However it is always initialized in
ath10k_pci_hif_exchange_bmi_msg() before proceeding. This means xfer
pointer read back from ath10k_ce_completed_send_next() or
ath10k_ce_completed_recv_next() is wrong. Since the pointer to it is
kept on host getting wrong xfer means sw_index must be wrong. If I
assume indexes are managed correctly (i.e. no overflows, locking is
fine) then it is the entry the sw_index points to that is actually
unexpected.
This could happen if concurrent transfers occur on pipe 0 or 1 (used
for bmi communication) during device bootup. This could be either a
concurrent bmi transfer or a non-bmi buffer or an old bmi xfer data.
The latter shouldn't be the case because
ath10k_pci_hif_exchange_bmi_msg() cleans up after itself. Concurrent
access doesn't seem to be the case either.
I conclude the bug is not present in the vanilla ath10k code.
TL;DR drop the patch, please
Michał
WARNING: multiple messages have this Message-ID (diff)
From: Michal Kazior <michal.kazior@tieto.com>
To: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: Ben Greear <greearb@candelatech.com>,
linux-wireless <linux-wireless@vger.kernel.org>,
"ath10k@lists.infradead.org" <ath10k@lists.infradead.org>
Subject: Re: [PATCH] ath10k: double check bmi xfer pointers
Date: Fri, 11 Apr 2014 09:58:54 +0200 [thread overview]
Message-ID: <CA+BoTQ=L7Cj5V04RGEFcdGm1rxEO8NOYMEhSRiQNdoBoMTm5Pg@mail.gmail.com> (raw)
In-Reply-To: <CA+BoTQ=gUBsw43M2at0y7iZU3VhwdjH9EBqzdOmKpxLjjqusPw@mail.gmail.com>
On 11 April 2014 07:47, Michal Kazior <michal.kazior@tieto.com> wrote:
> On 11 April 2014 07:40, Kalle Valo <kvalo@qca.qualcomm.com> wrote:
>> Michal Kazior <michal.kazior@tieto.com> writes:
>>
>>> If for some reason copy engine ring buffer became
>>> corrupt ath10k could crash the machine due to
>>> invalid pointer dereference. It's very unlikely
>>> but devices can never be fully trusted so verify
>>> if the bmi xfer pointer read back from copy engine
>>> matches the original pointer.
>>
>> The big question is why does this happen? Does this happen only with
>> Ben's firmware or is it a more generic problem?
>
> I'll look more into this.
Hmm.. After going through the code a few times I think the bug is
actually something else.
If the crash happened in complete() it means the completion structure
wasn't set up properly. However it is always initialized in
ath10k_pci_hif_exchange_bmi_msg() before proceeding. This means xfer
pointer read back from ath10k_ce_completed_send_next() or
ath10k_ce_completed_recv_next() is wrong. Since the pointer to it is
kept on host getting wrong xfer means sw_index must be wrong. If I
assume indexes are managed correctly (i.e. no overflows, locking is
fine) then it is the entry the sw_index points to that is actually
unexpected.
This could happen if concurrent transfers occur on pipe 0 or 1 (used
for bmi communication) during device bootup. This could be either a
concurrent bmi transfer or a non-bmi buffer or an old bmi xfer data.
The latter shouldn't be the case because
ath10k_pci_hif_exchange_bmi_msg() cleans up after itself. Concurrent
access doesn't seem to be the case either.
I conclude the bug is not present in the vanilla ath10k code.
TL;DR drop the patch, please
Michał
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
next prev parent reply other threads:[~2014-04-11 7:58 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-10 4:14 Crash during driver startup Ben Greear
2014-04-10 10:05 ` [PATCH] ath10k: double check bmi xfer pointers Michal Kazior
2014-04-10 10:05 ` Michal Kazior
2014-04-10 13:42 ` Ben Greear
2014-04-10 13:42 ` Ben Greear
2014-04-11 5:40 ` Kalle Valo
2014-04-11 5:40 ` Kalle Valo
2014-04-11 5:47 ` Michal Kazior
2014-04-11 5:47 ` Michal Kazior
2014-04-11 7:58 ` Michal Kazior [this message]
2014-04-11 7:58 ` Michal Kazior
2014-04-11 15:09 ` load module ath10k: ieee80211 phy0: Failed to initialize wep: -2 Vu Hai NGUYEN
2014-04-14 6:39 ` Michal Kazior
2014-04-14 8:10 ` Kalle Valo
2014-04-14 15:49 ` RE : " Vu Hai NGUYEN
2014-04-15 8:20 ` Report Firmware firmware-2.bin_10.1.467.2-1 Error Vu Hai NGUYEN
2014-04-15 11:02 ` Kalle Valo
2014-04-16 11:51 ` RE : " Vu Hai NGUYEN
2014-04-16 11:51 ` Vu Hai NGUYEN
2014-04-24 6:35 ` Kalle Valo
2014-04-24 9:03 ` RE : " Vu Hai NGUYEN
2014-04-24 9:41 ` Michal Kazior
2014-04-24 10:18 ` Yeoh Chun-Yeow
2014-04-30 12:39 ` RE : " Vu Hai NGUYEN
2014-05-07 7:36 ` ath10k does not support selection antenna yet? Vu Hai NGUYEN
2014-05-07 7:48 ` Michal Kazior
2014-05-07 8:16 ` Yeoh Chun-Yeow
2014-05-07 8:16 ` RE : " Vu Hai NGUYEN
2014-05-07 9:26 ` Janusz Dziedzic
2014-05-07 14:11 ` Ben Greear
2014-05-07 14:21 ` Adrian Chadd
2014-05-07 14:33 ` Ben Greear
2014-05-07 14:50 ` Adrian Chadd
2014-05-07 15:09 ` Ben Greear
2014-04-14 8:05 ` [PATCH] ath10k: double check bmi xfer pointers Kalle Valo
2014-04-14 8:05 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+BoTQ=L7Cj5V04RGEFcdGm1rxEO8NOYMEhSRiQNdoBoMTm5Pg@mail.gmail.com' \
--to=michal.kazior@tieto.com \
--cc=ath10k@lists.infradead.org \
--cc=greearb@candelatech.com \
--cc=kvalo@qca.qualcomm.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.