linux-wireless.vger.kernel.org archive mirror
* [PATCH] mac80211: fix memory corruption in minstrel_ht_update_rates()
@ 2022-09-19 15:01 Lech Perczak
From: Lech Perczak @ 2022-09-19 15:01 UTC (permalink / raw)
  To: Johannes Berg
  Cc: linux-wireless, Paweł Lenkow, Jérôme Pouiller,
	Peter Seiderer, Kalle Valo, Krzysztof Drobiński,
	Lech Perczak

From: Paweł Lenkow <pawel.lenkow@camlingroup.com>

During our testing of WFM200 module over SDIO on i.MX6Q-based platform,
we discovered a memory corruption on the system, tracing back to the wfx
driver. Using kfence, it was possible to trace it back to the root
cause, which is hw->max_rates set to 8 in wfx_init_common,
while the maximum defined by IEEE80211_TX_TABLE_SIZE is 4.

This causes array out-of-bounds writes during updates of the rate table,
as seen below:

BUG: KFENCE: memory corruption in kfree_rcu_work+0x320/0x36c

Corrupted memory at 0xe0a4ffe0 [ 0x03 0x03 0x03 0x03 0x01 0x00 0x00
0x02 0x02 0x02 0x09 0x00 0x21 0xbb 0xbb 0xbb ] (in kfence-#81):
kfree_rcu_work+0x320/0x36c
process_one_work+0x3ec/0x920
worker_thread+0x60/0x7a4
kthread+0x174/0x1b4
ret_from_fork+0x14/0x2c
0x0

kfence-#81: 0xe0a4ffc0-0xe0a4ffdf, size=32, cache=kmalloc-64

allocated by task 297 on cpu 0 at 631.039555s:
minstrel_ht_update_rates+0x38/0x2b0 [mac80211]
rate_control_tx_status+0xb4/0x148 [mac80211]
ieee80211_tx_status_ext+0x364/0x1030 [mac80211]
ieee80211_tx_status+0xe0/0x118 [mac80211]
ieee80211_tasklet_handler+0xb0/0xe0 [mac80211]
tasklet_action_common.constprop.0+0x11c/0x148
__do_softirq+0x1a4/0x61c
irq_exit+0xcc/0x104
call_with_stack+0x18/0x20
__irq_svc+0x80/0xb0
wq_worker_sleeping+0x10/0x100
wq_worker_sleeping+0x10/0x100
schedule+0x50/0xe0
schedule_timeout+0x2e0/0x474
wait_for_completion+0xdc/0x1ec
mmc_wait_for_req_done+0xc4/0xf8
mmc_io_rw_extended+0x3b4/0x4ec
sdio_io_rw_ext_helper+0x290/0x384
sdio_memcpy_toio+0x30/0x38
wfx_sdio_copy_to_io+0x88/0x108 [wfx]
wfx_data_write+0x88/0x1f0 [wfx]
bh_work+0x1c8/0xcc0 [wfx]
process_one_work+0x3ec/0x920
worker_thread+0x60/0x7a4
kthread+0x174/0x1b4
ret_from_fork+0x14/0x2c 0x0

After discussion on the wireless mailing list it was clarified
that the issue has been introduced by:
commit ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
and fix shall be in minstrel_ht_update_rates in rc80211_minstrel_ht.c.

Fixes: ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
Link: https://lore.kernel.org/all/12e5adcd-8aed-f0f7-70cc-4fb7b656b829@camlingroup.com/
Link: https://lore.kernel.org/linux-wireless/20220915131445.30600-1-lech.perczak@camlingroup.com/
Cc: Jérôme Pouiller <jerome.pouiller@silabs.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: Krzysztof Drobiński <krzysztof.drobinski@camlingroup.com>
Signed-off-by: Paweł Lenkow <pawel.lenkow@camlingroup.com>
Signed-off-by: Lech Perczak <lech.perczak@camlingroup.com>
---
 net/mac80211/rc80211_minstrel_ht.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 5f27e6746762..788a82f9c74d 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -10,6 +10,7 @@
 #include <linux/random.h>
 #include <linux/moduleparam.h>
 #include <linux/ieee80211.h>
+#include <linux/minmax.h>
 #include <net/mac80211.h>
 #include "rate.h"
 #include "sta_info.h"
@@ -1550,6 +1551,7 @@ minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
 {
 	struct ieee80211_sta_rates *rates;
 	int i = 0;
+	int max_rates = min_t(int, mp->hw->max_rates, IEEE80211_TX_RATE_TABLE_SIZE);
 
 	rates = kzalloc(sizeof(*rates), GFP_ATOMIC);
 	if (!rates)
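Review bot: clamping to `IEEE80211_TX_RATE_TABLE_SIZE` stops the write, but it also silently accepts a driver that advertises more rates than mac80211 can store (wfx sets 8, per the commit message); a `WARN_ON_ONCE(mp->hw->max_rates > IEEE80211_TX_RATE_TABLE_SIZE)` beside this line, or a check when the hardware is registered, would surface the misconfiguration instead of hiding it. Minor: the commit message refers to `IEEE80211_TX_TABLE_SIZE`, while the macro actually used here is `IEEE80211_TX_RATE_TABLE_SIZE`.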
@@ -1559,10 +1561,10 @@ minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
 	minstrel_ht_set_rate(mp, mi, rates, i++, mi->max_tp_rate[0]);
 
 	/* Fill up remaining, keep one entry for max_probe_rate */
-	for (; i < (mp->hw->max_rates - 1); i++)
+	for (; i < (max_rates - 1); i++)
 		minstrel_ht_set_rate(mp, mi, rates, i, mi->max_tp_rate[i]);
 
-	if (i < mp->hw->max_rates)
+	if (i < max_rates)
 		minstrel_ht_set_rate(mp, mi, rates, i++, mi->max_prob_rate);
 
 	if (i < IEEE80211_TX_RATE_TABLE_SIZE)
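Review bot: bounding the loop by `max_rates` also bounds the index in the `mi->max_tp_rate[i]` read on the line after the loop header, which was driven by the same `hw->max_rates` before and could index past `max_tp_rate[]` whenever that array is smaller than what the driver advertises; worth a sentence in the commit message, since it is a second out-of-bounds access and not only the write. The trailing `if (i < IEEE80211_TX_RATE_TABLE_SIZE)` is consistent with the new bounds: with `max_rates` clamped to 4 it is reached with `i == 4` and skipped. Nit, pre-existing: the comment says `max_probe_rate` but the field is `mi->max_prob_rate`.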
-- 
2.25.1
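The overflow the commit message describes, modelled in user space as an added example (not the patch's or mac80211's code): the fill loop of minstrel_ht_update_rates() is run with the driver's advertised max_rates of 8 against a 4-entry table, once unclamped and once clamped the way the patch does it, with out-of-bounds writes counted instead of performed. MAX_THR_RATES, the idx = -1 end marker and the sample rate values are assumptions.

```c
/* Added example, not the patch's or mac80211's code: a user-space model of
 * the rate-table fill in minstrel_ht_update_rates(). Writes go through
 * set_rate(), which bounds-checks and counts instead of corrupting memory.
 * Table size 4 is from the thread; MAX_THR_RATES and idx = -1 are assumed. */
#include <stdbool.h>
#include <stdio.h>
#define IEEE80211_TX_RATE_TABLE_SIZE 4
#define MAX_THR_RATES 4                 /* assumed size of max_tp_rate[] */

/* Stand-in for minstrel_ht_set_rate(): an in-bounds write lands in the
 * table, an out-of-bounds one is only counted in *oob. */
static void set_rate(int *table, int i, int val, int *oob)
{
    if (i < IEEE80211_TX_RATE_TABLE_SIZE)
        table[i] = val;
    else
        (*oob)++;
}

/* hw_max_rates is what the driver advertised (wfx: 8). clamp=false drives
 * the loop from it directly (pre-patch); clamp=true bounds it by the table
 * size, as the patch's min_t() does. Returns the out-of-bounds write count. */
int fill_rates(int hw_max_rates, bool clamp)
{
    int table[IEEE80211_TX_RATE_TABLE_SIZE] = {0};
    int max_tp_rate[MAX_THR_RATES] = {10, 11, 12, 13};   /* constructed */
    int max_prob_rate = 20;                              /* constructed */
    int max_rates = hw_max_rates;
    int i = 0, oob = 0;
    if (clamp && max_rates > IEEE80211_TX_RATE_TABLE_SIZE)
        max_rates = IEEE80211_TX_RATE_TABLE_SIZE;
    set_rate(table, i++, max_tp_rate[0], &oob);
    /* Fill up remaining, keep one entry for max_prob_rate; the kernel would
     * also read past max_tp_rate[] once i reaches MAX_THR_RATES. */
    for (; i < max_rates - 1; i++)
        set_rate(table, i, i < MAX_THR_RATES ? max_tp_rate[i] : 0, &oob);
    if (i < max_rates)
        set_rate(table, i++, max_prob_rate, &oob);
    if (i < IEEE80211_TX_RATE_TABLE_SIZE)
        table[i] = -1;                                   /* end marker (assumed) */
    return oob;
}

int main(void)
{
    printf("max_rates=8: %d OOB writes before the clamp, %d after\n",
           fill_rates(8, false), fill_rates(8, true));
    return 0;
}
```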



* Re: [PATCH] mac80211: fix memory corruption in minstrel_ht_update_rates()
From: Peter Seiderer @ 2022-09-19 19:31 UTC (permalink / raw)
  To: Lech Perczak
  Cc: Johannes Berg, linux-wireless, Paweł Lenkow,
	Jérôme Pouiller, Kalle Valo, Krzysztof Drobiński

On Mon, 19 Sep 2022 17:01:35 +0200, Lech Perczak <lech.perczak@camlingroup.com> wrote:


Reviewed-by: Peter Seiderer <ps.report@gmx.net>

Needs to be applied to 5.19 and 6.0...

Regards,
Peter




* Re: [PATCH] mac80211: fix memory corruption in minstrel_ht_update_rates()
From: Jérôme Pouiller @ 2022-09-20  8:27 UTC (permalink / raw)
  To: Johannes Berg, Lech Perczak
  Cc: linux-wireless, Paweł Lenkow, Peter Seiderer, Kalle Valo,
	Krzysztof Drobiński, Lech Perczak

On Monday 19 September 2022 17:01:35 CEST Lech Perczak wrote:

Reviewed-by: Jérôme Pouiller <jerome.pouiller@silabs.com>

[...]

-- 
Jérôme Pouiller




* Re: [PATCH] mac80211: fix memory corruption in minstrel_ht_update_rates()
From: Felix Fietkau @ 2022-09-20  8:46 UTC (permalink / raw)
  To: Lech Perczak, Johannes Berg
  Cc: linux-wireless, Paweł Lenkow, Jérôme Pouiller,
	Peter Seiderer, Kalle Valo, Krzysztof Drobiński

On 19.09.22 17:01, Lech Perczak wrote:

Acked-by: Felix Fietkau <nbd@nbd.name>

Thanks,

- Felix
