From: greearb@candelatech.com
To: linux-wireless@vger.kernel.org
Cc: ath10k@lists.infradead.org, Ben Greear <greearb@candelatech.com>
Subject: [PATCH 2/3] ath10k: Ensure peer_map references are cleaned up.
Date: Thu, 31 Mar 2016 13:59:45 -0700 [thread overview]
Message-ID: <1459457986-29222-2-git-send-email-greearb@candelatech.com> (raw)
In-Reply-To: <1459457986-29222-1-git-send-email-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
While debugging OS crashes due to firmware crashes, I enabled
kasan, and it noticed that peer objects were being used-after-freed.
Looks like there are two places we could be leaving stale references
in the peer-map, so clean that up.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
drivers/net/wireless/ath/ath10k/mac.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 0a81ca2..07b155d 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -794,6 +794,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
{
struct ath10k_peer *peer, *tmp;
int peer_id;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -812,6 +813,15 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
ar->peer_map[peer_id] = NULL;
}
+ /* Double check that peer is properly un-referenced from the peer_map */
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
+ if (ar->peer_map[i] == peer) {
+ ath10k_warn(ar, "ERROR: Faile to properly clean up peer: %p %pM, idx: %d, will fix.\n",
+ peer, peer->addr, i);
+ ar->peer_map[i] = NULL;
+ }
+ }
+
list_del(&peer->list);
kfree(peer);
ar->num_peers--;
@@ -840,6 +850,7 @@ void ath10k_dump_peer_info(struct ath10k *ar)
static void ath10k_peer_cleanup_all(struct ath10k *ar)
{
struct ath10k_peer *peer, *tmp;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -850,6 +861,11 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar)
list_del(&peer->list);
kfree(peer);
}
+
+ /* Clean up peer-map */
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++)
+ ar->peer_map[i] = NULL;
+
spin_unlock_bh(&ar->data_lock);
ar->num_peers = 0;
--
2.4.3
WARNING: multiple messages have this Message-ID (diff)
From: greearb@candelatech.com
To: linux-wireless@vger.kernel.org
Cc: Ben Greear <greearb@candelatech.com>, ath10k@lists.infradead.org
Subject: [PATCH 2/3] ath10k: Ensure peer_map references are cleaned up.
Date: Thu, 31 Mar 2016 13:59:45 -0700 [thread overview]
Message-ID: <1459457986-29222-2-git-send-email-greearb@candelatech.com> (raw)
In-Reply-To: <1459457986-29222-1-git-send-email-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
While debugging OS crashes due to firmware crashes, I enabled
kasan, and it noticed that peer objects were being used-after-freed.
Looks like there are two places we could be leaving stale references
in the peer-map, so clean that up.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
drivers/net/wireless/ath/ath10k/mac.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 0a81ca2..07b155d 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -794,6 +794,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
{
struct ath10k_peer *peer, *tmp;
int peer_id;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -812,6 +813,15 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
ar->peer_map[peer_id] = NULL;
}
+ /* Double check that peer is properly un-referenced from the peer_map */
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
+ if (ar->peer_map[i] == peer) {
+ ath10k_warn(ar, "ERROR: Faile to properly clean up peer: %p %pM, idx: %d, will fix.\n",
+ peer, peer->addr, i);
+ ar->peer_map[i] = NULL;
+ }
+ }
+
list_del(&peer->list);
kfree(peer);
ar->num_peers--;
@@ -840,6 +850,7 @@ void ath10k_dump_peer_info(struct ath10k *ar)
static void ath10k_peer_cleanup_all(struct ath10k *ar)
{
struct ath10k_peer *peer, *tmp;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -850,6 +861,11 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar)
list_del(&peer->list);
kfree(peer);
}
+
+ /* Clean up peer-map */
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++)
+ ar->peer_map[i] = NULL;
+
spin_unlock_bh(&ar->data_lock);
ar->num_peers = 0;
--
2.4.3
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
next prev parent reply other threads:[~2016-03-31 20:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-31 20:59 [PATCH 1/3] ath10k: Ensure txrx-compl-task is stopped when cleaning htt-tx greearb
2016-03-31 20:59 ` greearb
2016-03-31 20:59 ` greearb [this message]
2016-03-31 20:59 ` [PATCH 2/3] ath10k: Ensure peer_map references are cleaned up greearb
2016-04-01 6:18 ` Michal Kazior
2016-04-01 6:18 ` Michal Kazior
2016-03-31 20:59 ` [PATCH 3/3] ath10k: Add BUG_ON if we over-write peer-map pointer greearb
2016-03-31 20:59 ` greearb
2016-04-01 6:09 ` Michal Kazior
2016-04-01 6:09 ` Michal Kazior
2016-04-01 14:04 ` Ben Greear
2016-04-01 14:04 ` Ben Greear
2016-04-01 6:12 ` [PATCH 1/3] ath10k: Ensure txrx-compl-task is stopped when cleaning htt-tx Michal Kazior
2016-04-01 6:12 ` Michal Kazior
2016-04-01 20:36 ` Ben Greear
2016-04-01 20:36 ` Ben Greear
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1459457986-29222-2-git-send-email-greearb@candelatech.com \
--to=greearb@candelatech.com \
--cc=ath10k@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.