From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tamizh Chelvam, Kalle Valo, Sasha Levin, ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.7 162/274] ath11k: fix kernel panic by freeing the msdu received with invalid length
Date: Mon, 8 Jun 2020 19:04:15 -0400
Message-Id: <20200608230607.3361041-162-sashal@kernel.org>
In-Reply-To: <20200608230607.3361041-1-sashal@kernel.org>
References: <20200608230607.3361041-1-sashal@kernel.org>

From: Tamizh Chelvam

[ Upstream commit d7d43782d541edb8596d2f4fc7f41b0734948ec5 ]

In certain scenarios the host receives packets with an invalid length,
which causes the kernel panic below. Free up those msdus to avoid this
kernel panic.

2270.028121: <6> task: ffffffc0008306d0 ti: ffffffc0008306d0 task.ti: ffffffc0008306d0
2270.035247: <2> PC is at skb_panic+0x40/0x44
2270.042784: <2> LR is at skb_panic+0x40/0x44
2270.521775: <2> [] skb_panic+0x40/0x44
2270.524039: <2> [] skb_put+0x54/0x5c
2270.529264: <2> [] ath11k_dp_process_rx_err+0x320/0x5b0 [ath11k]
2270.533860: <2> [] ath11k_dp_service_srng+0x80/0x268 [ath11k]
2270.541063: <2> [] ath11k_hal_rx_reo_ent_buf_paddr_get+0x200/0xb64 [ath11k]
2270.547917: <2> [] net_rx_action+0xf8/0x274
2270.556247: <2> [] __do_softirq+0x128/0x228
2270.561625: <2> [] irq_exit+0x84/0xcc
2270.567008: <2> [] __handle_domain_irq+0x8c/0xb0
2270.571695: <2> [] gic_handle_irq+0x6c/0xbc

Signed-off-by: Tamizh Chelvam
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/1588611568-20791-1-git-send-email-tamizhr@codeaurora.org
Signed-off-by: Sasha Levin --- drivers/net/wireless/ath/ath11k/dp_rx.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 34b1e8e6a7fb..007bb73d6c61 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2265,6 +2265,7 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *ar, struct ieee80211_hdr *hdr; struct sk_buff *last_buf; u8 l3_pad_bytes; + u8 *hdr_status; u16 msdu_len; int ret; @@ -2293,8 +2294,13 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *ar, skb_pull(msdu, HAL_RX_DESC_SIZE); } else if (!rxcb->is_continuation) { if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) { + hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc); ret = -EINVAL; ath11k_warn(ar->ab, "invalid msdu len %u\n", msdu_len); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status, + sizeof(struct ieee80211_hdr)); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc, + sizeof(struct hal_rx_desc)); goto free_out; } skb_put(msdu, HAL_RX_DESC_SIZE + l3_pad_bytes + msdu_len); @@ -3389,6 +3395,7 @@ ath11k_dp_process_rx_err_buf(struct ath11k *ar, u32 *ring_desc, int buf_id, bool struct sk_buff *msdu; struct ath11k_skb_rxcb *rxcb; struct hal_rx_desc *rx_desc; + u8 *hdr_status; u16 msdu_len; spin_lock_bh(&rx_ring->idr_lock); 
@@ -3426,6 +3433,17 @@ ath11k_dp_process_rx_err_buf(struct ath11k *ar, u32 *ring_desc, int buf_id, bool rx_desc = (struct hal_rx_desc *)msdu->data; msdu_len = ath11k_dp_rx_h_msdu_start_msdu_len(rx_desc); + if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) { + hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc); + ath11k_warn(ar->ab, "invalid msdu leng %u", msdu_len); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status, + sizeof(struct ieee80211_hdr)); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc, + sizeof(struct hal_rx_desc)); + dev_kfree_skb_any(msdu); + goto exit; + } + skb_put(msdu, HAL_RX_DESC_SIZE + msdu_len); if (ath11k_dp_rx_frag_h_mpdu(ar, msdu, ring_desc)) { -- 2.25.1
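Review bot: In the "@@ -2293,8 +2294,13 @@" hunk of ath11k_dp_rx_process_msdu(), the guard compares only (msdu_len + HAL_RX_DESC_SIZE) against DP_RX_BUFFER_SIZE, while the skb_put() right after it extends the buffer by HAL_RX_DESC_SIZE + l3_pad_bytes + msdu_len, so a length that passes the check can still exceed the buffer once the padding is added. Suggest including l3_pad_bytes in the comparison. Separately, both ath11k_dbg_dump() calls pass NULL and "" ahead of the buffer pointer, so the 802.11 header dump and the rx descriptor dump cannot be told apart in the log; a distinct string for each would help triage.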
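Review bot: In the "@@ -3426,6 +3433,17 @@" hunk of ath11k_dp_process_rx_err_buf(), the warning string "invalid msdu leng %u" misspells "len" and has no trailing "\n", unlike the "invalid msdu len %u\n" message on the ath11k_dp_rx_process_msdu() path; use the same wording and terminator so one log search matches both paths. This branch also frees the msdu and jumps to exit with no status assignment visible in the hunk, where the other path sets ret = -EINVAL before bailing out; please confirm the caller can tell that the buffer was dropped.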