From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Vikas Patel <vikpatel@codeaurora.org>,
	Venkateswara Naralasetty <vnaralas@codeaurora.org>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	ath11k@lists.infradead.org, linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.6 079/149] ath11k: Fixing dangling pointer issue upon peer delete failure
Date: Sat, 11 Apr 2020 19:02:36 -0400
Message-ID: <20200411230347.22371-79-sashal@kernel.org>
In-Reply-To: <20200411230347.22371-1-sashal@kernel.org>

From: Vikas Patel <vikpatel@codeaurora.org>

[ Upstream commit 58595c9874c625ceb7004960d8e53b9226abdc92 ]

When there is a WMI command failure, 'peer->sta' was not getting
cleaned up, and mac80211 frees the 'sta' memory, which is causing
the below page fault.

Cleaning up the sta pointer in ath11k whenever the peer delete command
is sent.

Unable to handle kernel paging request at virtual address 200080000006a
pgd = ffffffc02a774000
[200080000006a] *pgd=0000000000000000, *pud=0000000000000000
Internal error: Oops: 96000004 [#1] PREEMPT SMP
.
.
.
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W       4.4.60 #1
Hardware name: Qualcomm Technologies, Inc. IPQ807x/AP-HK01-C1 (DT)
task: ffffffc00083c6d0 ti: ffffffc00083c6d0 task.ti: ffffffc00083c6d0
PC is at ath11k_dp_rx_process_mon_status+0x114/0x4e0 [ath11k]
LR is at ath11k_dp_rx_process_mon_status+0xe8/0x4e0 [ath11k]
pc : [<ffffffbffcf8e544>] lr : [<ffffffbffcf8e518>] pstate: 60000145
sp : ffffffc000833a30

Signed-off-by: Vikas Patel <vikpatel@codeaurora.org>
Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 78f20ba47b37e..e89790a01c48b 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -2786,6 +2786,7 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
 	struct ath11k *ar = hw->priv;
 	struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
 	struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
+	struct ath11k_peer *peer;
 	int ret = 0;
 
 	/* cancel must be done outside the mutex to avoid deadlock */
@@ -2818,6 +2819,17 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
 				   sta->addr, arvif->vdev_id);
 
 		ath11k_mac_dec_num_stations(arvif, sta);
+		spin_lock_bh(&ar->ab->base_lock);
+		peer = ath11k_peer_find(ar->ab, arvif->vdev_id, sta->addr);
+		if (peer && peer->sta == sta) {
+			ath11k_warn(ar->ab, "Found peer entry %pM n vdev %i after it was supposedly removed\n",
+				    vif->addr, arvif->vdev_id);
+			peer->sta = NULL;
+			list_del(&peer->list);
+			kfree(peer);
+			ar->num_peers--;
+		}
+		spin_unlock_bh(&ar->ab->base_lock);
 
 		kfree(arsta->tx_stats);
 		arsta->tx_stats = NULL;
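
Review bot: the ath11k_warn() call in the added block logs vif->addr, but the peer was looked up with sta->addr, so the message names the interface instead of the stale peer that is being torn down; pass sta->addr so the warning identifies the entry whose 'sta' pointer was left dangling. The format string also has a typo, "%pM n vdev %i", which should read "%pM in vdev %i". The 'peer->sta = NULL' assignment directly before 'kfree(peer)' has no effect once the entry is unlinked and freed under base_lock; either drop it or add a short comment saying why it is kept.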
-- 
2.20.1

