From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Rakesh Pillai <pillair@codeaurora.org>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
ath10k@lists.infradead.org, linux-wireless@vger.kernel.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 068/106] ath10k: Remove msdu from idr when management pkt send fails
Date: Mon, 8 Jun 2020 19:22:00 -0400 [thread overview]
Message-ID: <20200608232238.3368589-68-sashal@kernel.org> (raw)
In-Reply-To: <20200608232238.3368589-1-sashal@kernel.org>
From: Rakesh Pillai <pillair@codeaurora.org>
[ Upstream commit c730c477176ad4af86d9aae4d360a7ad840b073a ]
Currently when the sending of any management pkt
via wmi command fails, the packet is being unmapped
freed in the error handling. But the idr entry added,
which is used to track these packet is not getting removed.
Hence, during unload, in wmi cleanup, all the entries
in IDR are removed and the corresponding buffer is
attempted to be freed. This can cause a situation where
one packet is attempted to be freed twice.
Fix this error by rmeoving the msdu from the idr
list when the sending of a management packet over
wmi fails.
Tested HW: WCN3990
Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1588667015-25490-1-git-send-email-pillair@codeaurora.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/mac.c | 3 +++
drivers/net/wireless/ath/ath10k/wmi-ops.h | 10 ++++++++++
drivers/net/wireless/ath/ath10k/wmi-tlv.c | 15 +++++++++++++++
3 files changed, 28 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index a09d7a07e90a..81af403c19c2 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -3852,6 +3852,9 @@ void ath10k_mgmt_over_wmi_tx_work(struct work_struct *work)
if (ret) {
ath10k_warn(ar, "failed to transmit management frame by ref via WMI: %d\n",
ret);
+ /* remove this msdu from idr tracking */
+ ath10k_wmi_cleanup_mgmt_tx_send(ar, skb);
+
dma_unmap_single(ar->dev, paddr, skb->len,
DMA_TO_DEVICE);
ieee80211_free_txskb(ar->hw, skb);
diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h
index 7fd63bbf8e24..b6cd33fa79f8 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
+++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
@@ -139,6 +139,7 @@ struct wmi_ops {
struct sk_buff *(*gen_mgmt_tx_send)(struct ath10k *ar,
struct sk_buff *skb,
dma_addr_t paddr);
+ int (*cleanup_mgmt_tx_send)(struct ath10k *ar, struct sk_buff *msdu);
struct sk_buff *(*gen_dbglog_cfg)(struct ath10k *ar, u64 module_enable,
u32 log_level);
struct sk_buff *(*gen_pktlog_enable)(struct ath10k *ar, u32 filter);
@@ -431,6 +432,15 @@ ath10k_wmi_get_txbf_conf_scheme(struct ath10k *ar)
return ar->wmi.ops->get_txbf_conf_scheme(ar);
}
+static inline int
+ath10k_wmi_cleanup_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu)
+{
+ if (!ar->wmi.ops->cleanup_mgmt_tx_send)
+ return -EOPNOTSUPP;
+
+ return ar->wmi.ops->cleanup_mgmt_tx_send(ar, msdu);
+}
+
static inline int
ath10k_wmi_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
dma_addr_t paddr)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 248decb494c2..7f435fa29f75 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -2638,6 +2638,18 @@ ath10k_wmi_tlv_op_gen_request_stats(struct ath10k *ar, u32 stats_mask)
return skb;
}
+static int
+ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
+ struct sk_buff *msdu)
+{
+ struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
+ struct ath10k_wmi *wmi = &ar->wmi;
+
+ idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
+
+ return 0;
+}
+
static int
ath10k_wmi_mgmt_tx_alloc_msdu_id(struct ath10k *ar, struct sk_buff *skb,
dma_addr_t paddr)
@@ -2710,6 +2722,8 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu,
if (desc_id < 0)
goto err_free_skb;
+ cb->msdu_id = desc_id;
+
ptr = (void *)skb->data;
tlv = ptr;
tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_MGMT_TX_CMD);
@@ -3949,6 +3963,7 @@ static const struct wmi_ops wmi_tlv_ops = {
.gen_force_fw_hang = ath10k_wmi_tlv_op_gen_force_fw_hang,
/* .gen_mgmt_tx = not implemented; HTT is used */
.gen_mgmt_tx_send = ath10k_wmi_tlv_op_gen_mgmt_tx_send,
+ .cleanup_mgmt_tx_send = ath10k_wmi_tlv_op_cleanup_mgmt_tx_send,
.gen_dbglog_cfg = ath10k_wmi_tlv_op_gen_dbglog_cfg,
.gen_pktlog_enable = ath10k_wmi_tlv_op_gen_pktlog_enable,
.gen_pktlog_disable = ath10k_wmi_tlv_op_gen_pktlog_disable,
--
2.25.1
next prev parent reply other threads:[~2020-06-08 23:24 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 23:20 [PATCH AUTOSEL 4.19 001/106] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:20 ` [PATCH AUTOSEL 4.19 002/106] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 008/106] net: atlantic: make hw_get_regs optional Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 009/106] net: ena: fix error returning in ena_com_get_hash_function() Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 015/106] ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 017/106] Bluetooth: Add SCO fallback for invalid LMP parameters error Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 025/106] batman-adv: Revert "disable ethtool link speed detection when auto negotiation off" Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 029/106] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 031/106] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 032/106] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 033/106] brcmfmac: fix wrong location to get firmware feature Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 035/106] e1000: Distribute switch variables for initialization Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 043/106] netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 044/106] selftests/bpf: Fix memory leak in extract_build_id() Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 045/106] net: bcmgenet: set Rx mode before starting netif Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 051/106] net: lpc-enet: fix error return code in lpc_mii_init() Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 053/106] net: allwinner: Fix use correct return type for ndo_start_xmit() Sasha Levin
2020-06-08 23:21 ` [PATCH AUTOSEL 4.19 055/106] ath9k_htc: Silence undersized packet warnings Sasha Levin
2020-06-08 23:22 ` Sasha Levin [this message]
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 069/106] wcn36xx: Fix error handling path in 'wcn36xx_probe()' Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 070/106] net: qed*: Reduce RX and TX default ring count when running inside kdump kernel Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 071/106] mt76: avoid rx reorder buffer overflow Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 073/106] net: dsa: mt7530: set CPU port to fallback mode Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 074/106] veth: Adjust hard_start offset on redirect XDP frames Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 075/106] net/mlx5e: IPoIB, Drop multicast packets that this interface sent Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 076/106] rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 077/106] mwifiex: Fix memory corruption in dump_station Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 087/106] net: ethernet: fec: move GPR register offset and bit into DT Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 088/106] macvlan: Skip loopback packets in RX handler Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 097/106] ixgbe: fix signed-integer-overflow warning Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 104/106] vxlan: Avoid infinite loop when suppressing NS messages with invalid options Sasha Levin
2020-06-08 23:22 ` [PATCH AUTOSEL 4.19 105/106] net_failover: fixed rollback in net_failover_open() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200608232238.3368589-68-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath10k@lists.infradead.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pillair@codeaurora.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).