From: greearb@candelatech.com To: ath10k@lists.infradead.org Cc: linux-wireless@vger.kernel.org, Ben Greear <greearb@candelatech.com> Subject: [PATCH v2 2/5] ath10k: Ensure peer_map references are cleaned up. Date: Fri, 1 Apr 2016 14:12:09 -0700 [thread overview] Message-ID: <1459545132-11295-2-git-send-email-greearb@candelatech.com> (raw) In-Reply-To: <1459545132-11295-1-git-send-email-greearb@candelatech.com> From: Ben Greear <greearb@candelatech.com> While debugging OS crashes due to firmware crashes, I enabled kasan, and it noticed that peer objects were being used-after-freed. Looks like there are two places we could be leaving stale references in the peer-map, so clean that up. Signed-off-by: Ben Greear <greearb@candelatech.com> --- drivers/net/wireless/ath/ath10k/mac.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 8783119..5e5cc9c 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -794,6 +794,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) { struct ath10k_peer *peer, *tmp; int peer_id; + int i; lockdep_assert_held(&ar->conf_mutex); @@ -812,6 +813,17 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) ar->peer_map[peer_id] = NULL; } + /* Double check that peer is properly un-referenced from + * the peer_map + */ + for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { + if (ar->peer_map[i] == peer) { + ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %p idx %d)\n", + peer->addr, peer, i); + ar->peer_map[i] = NULL; + } + } + list_del(&peer->list); kfree(peer); ar->num_peers--; @@ -840,6 +852,7 @@ void ath10k_dump_peer_info(struct ath10k *ar) static void ath10k_peer_cleanup_all(struct ath10k *ar) { struct ath10k_peer *peer, *tmp; + int i; lockdep_assert_held(&ar->conf_mutex); @@ -850,6 +863,10 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar) list_del(&peer->list); kfree(peer); } + + for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) + ar->peer_map[i] = NULL; + spin_unlock_bh(&ar->data_lock); ar->num_peers = 0; -- 2.4.3
WARNING: multiple messages have this Message-ID (diff)
From: greearb@candelatech.com To: ath10k@lists.infradead.org Cc: Ben Greear <greearb@candelatech.com>, linux-wireless@vger.kernel.org Subject: [PATCH v2 2/5] ath10k: Ensure peer_map references are cleaned up. Date: Fri, 1 Apr 2016 14:12:09 -0700 [thread overview] Message-ID: <1459545132-11295-2-git-send-email-greearb@candelatech.com> (raw) In-Reply-To: <1459545132-11295-1-git-send-email-greearb@candelatech.com> From: Ben Greear <greearb@candelatech.com> While debugging OS crashes due to firmware crashes, I enabled kasan, and it noticed that peer objects were being used-after-freed. Looks like there are two places we could be leaving stale references in the peer-map, so clean that up. Signed-off-by: Ben Greear <greearb@candelatech.com> --- drivers/net/wireless/ath/ath10k/mac.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 8783119..5e5cc9c 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -794,6 +794,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) { struct ath10k_peer *peer, *tmp; int peer_id; + int i; lockdep_assert_held(&ar->conf_mutex); @@ -812,6 +813,17 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) ar->peer_map[peer_id] = NULL; } + /* Double check that peer is properly un-referenced from + * the peer_map + */ + for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { + if (ar->peer_map[i] == peer) { + ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %p idx %d)\n", + peer->addr, peer, i); + ar->peer_map[i] = NULL; + } + } + list_del(&peer->list); kfree(peer); ar->num_peers--; @@ -840,6 +852,7 @@ void ath10k_dump_peer_info(struct ath10k *ar) static void ath10k_peer_cleanup_all(struct ath10k *ar) { struct ath10k_peer *peer, *tmp; + int i; lockdep_assert_held(&ar->conf_mutex); @@ -850,6 +863,10 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar) list_del(&peer->list); kfree(peer); } + + for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) + ar->peer_map[i] = NULL; + spin_unlock_bh(&ar->data_lock); ar->num_peers = 0; -- 2.4.3 _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k
next prev parent reply other threads:[~2016-04-01 21:12 UTC|newest] Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-04-01 21:12 [PATCH v2 1/5] ath10k: Ensure txrx-compl-task is stopped when cleaning htt-tx greearb 2016-04-01 21:12 ` greearb 2016-04-01 21:12 ` greearb [this message] 2016-04-01 21:12 ` [PATCH v2 2/5] ath10k: Ensure peer_map references are cleaned up greearb 2016-04-01 21:12 ` [PATCH v2 3/5] ath10k: Add WARN_ON if we over-write peer-map pointer greearb 2016-04-01 21:12 ` greearb 2016-05-10 7:12 ` Mohammed Shafi Shajakhan 2016-05-10 7:12 ` Mohammed Shafi Shajakhan 2016-05-10 14:41 ` Ben Greear 2016-05-10 14:41 ` Ben Greear 2016-05-10 16:38 ` Mohammed Shafi Shajakhan 2016-05-10 16:38 ` Mohammed Shafi Shajakhan 2016-07-08 6:48 ` [v2,3/5] " Kalle Valo 2016-07-08 6:48 ` Kalle Valo 2016-04-01 21:12 ` [PATCH v2 4/5] ath10k: Clean up peer when sta goes away greearb 2016-04-01 21:12 ` greearb 2016-04-01 21:12 ` [PATCH v2 5/5] ath10k: Fix deadlock when peer cannot be created greearb 2016-04-01 21:12 ` greearb 2016-05-09 17:19 ` Ben Greear 2016-05-09 17:19 ` Ben Greear 2016-05-09 17:54 ` Manoharan, Rajkumar 2016-05-09 17:54 ` Manoharan, Rajkumar 2016-05-09 17:58 ` Ben Greear 2016-05-09 17:58 ` Ben Greear 2016-05-13 14:07 ` Valo, Kalle 2016-05-13 14:07 ` Valo, Kalle 2016-06-06 17:24 ` [v2,5/5] " Kalle Valo 2016-06-06 17:24 ` Kalle Valo 2016-05-10 6:48 ` [PATCH v2 1/5] ath10k: Ensure txrx-compl-task is stopped when cleaning htt-tx Mohammed Shafi Shajakhan 2016-05-10 6:48 ` Mohammed Shafi Shajakhan 2016-05-10 14:39 ` Ben Greear 2016-05-10 14:39 ` Ben Greear 2016-05-10 16:36 ` Mohammed Shafi Shajakhan 2016-05-10 16:36 ` Mohammed Shafi Shajakhan 2016-07-08 6:43 ` [v2, " Kalle Valo 2016-07-08 6:43 ` Kalle Valo
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1459545132-11295-2-git-send-email-greearb@candelatech.com \ --to=greearb@candelatech.com \ --cc=ath10k@lists.infradead.org \ --cc=linux-wireless@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.