From: greearb@candelatech.com
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org, Ben Greear <greearb@candelatech.com>
Subject: [PATCH v2 2/5] ath10k: Ensure peer_map references are cleaned up.
Date: Fri, 1 Apr 2016 14:12:09 -0700 [thread overview]
Message-ID: <1459545132-11295-2-git-send-email-greearb@candelatech.com> (raw)
In-Reply-To: <1459545132-11295-1-git-send-email-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
While debugging OS crashes due to firmware crashes, I enabled
kasan, and it noticed that peer objects were being used-after-freed.
Looks like there are two places we could be leaving stale references
in the peer-map, so clean that up.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
drivers/net/wireless/ath/ath10k/mac.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 8783119..5e5cc9c 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -794,6 +794,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
{
struct ath10k_peer *peer, *tmp;
int peer_id;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -812,6 +813,17 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
ar->peer_map[peer_id] = NULL;
}
+ /* Double check that peer is properly un-referenced from
+ * the peer_map
+ */
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
+ if (ar->peer_map[i] == peer) {
+ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %p idx %d)\n",
+ peer->addr, peer, i);
+ ar->peer_map[i] = NULL;
+ }
+ }
+
list_del(&peer->list);
kfree(peer);
ar->num_peers--;
@@ -840,6 +852,7 @@ void ath10k_dump_peer_info(struct ath10k *ar)
static void ath10k_peer_cleanup_all(struct ath10k *ar)
{
struct ath10k_peer *peer, *tmp;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -850,6 +863,10 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar)
list_del(&peer->list);
kfree(peer);
}
+
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++)
+ ar->peer_map[i] = NULL;
+
spin_unlock_bh(&ar->data_lock);
ar->num_peers = 0;
--
2.4.3
WARNING: multiple messages have this Message-ID (diff)
From: greearb@candelatech.com
To: ath10k@lists.infradead.org
Cc: Ben Greear <greearb@candelatech.com>, linux-wireless@vger.kernel.org
Subject: [PATCH v2 2/5] ath10k: Ensure peer_map references are cleaned up.
Date: Fri, 1 Apr 2016 14:12:09 -0700 [thread overview]
Message-ID: <1459545132-11295-2-git-send-email-greearb@candelatech.com> (raw)
In-Reply-To: <1459545132-11295-1-git-send-email-greearb@candelatech.com>
From: Ben Greear <greearb@candelatech.com>
While debugging OS crashes due to firmware crashes, I enabled
kasan, and it noticed that peer objects were being used-after-freed.
Looks like there are two places we could be leaving stale references
in the peer-map, so clean that up.
Signed-off-by: Ben Greear <greearb@candelatech.com>
---
drivers/net/wireless/ath/ath10k/mac.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 8783119..5e5cc9c 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -794,6 +794,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
{
struct ath10k_peer *peer, *tmp;
int peer_id;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -812,6 +813,17 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id)
ar->peer_map[peer_id] = NULL;
}
+ /* Double check that peer is properly un-referenced from
+ * the peer_map
+ */
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) {
+ if (ar->peer_map[i] == peer) {
+ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %p idx %d)\n",
+ peer->addr, peer, i);
+ ar->peer_map[i] = NULL;
+ }
+ }
+
list_del(&peer->list);
kfree(peer);
ar->num_peers--;
@@ -840,6 +852,7 @@ void ath10k_dump_peer_info(struct ath10k *ar)
static void ath10k_peer_cleanup_all(struct ath10k *ar)
{
struct ath10k_peer *peer, *tmp;
+ int i;
lockdep_assert_held(&ar->conf_mutex);
@@ -850,6 +863,10 @@ static void ath10k_peer_cleanup_all(struct ath10k *ar)
list_del(&peer->list);
kfree(peer);
}
+
+ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++)
+ ar->peer_map[i] = NULL;
+
spin_unlock_bh(&ar->data_lock);
ar->num_peers = 0;
--
2.4.3
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
next prev parent reply other threads:[~2016-04-01 21:12 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-01 21:12 [PATCH v2 1/5] ath10k: Ensure txrx-compl-task is stopped when cleaning htt-tx greearb
2016-04-01 21:12 ` greearb
2016-04-01 21:12 ` greearb [this message]
2016-04-01 21:12 ` [PATCH v2 2/5] ath10k: Ensure peer_map references are cleaned up greearb
2016-04-01 21:12 ` [PATCH v2 3/5] ath10k: Add WARN_ON if we over-write peer-map pointer greearb
2016-04-01 21:12 ` greearb
2016-05-10 7:12 ` Mohammed Shafi Shajakhan
2016-05-10 7:12 ` Mohammed Shafi Shajakhan
2016-05-10 14:41 ` Ben Greear
2016-05-10 14:41 ` Ben Greear
2016-05-10 16:38 ` Mohammed Shafi Shajakhan
2016-05-10 16:38 ` Mohammed Shafi Shajakhan
2016-07-08 6:48 ` [v2,3/5] " Kalle Valo
2016-07-08 6:48 ` Kalle Valo
2016-04-01 21:12 ` [PATCH v2 4/5] ath10k: Clean up peer when sta goes away greearb
2016-04-01 21:12 ` greearb
2016-04-01 21:12 ` [PATCH v2 5/5] ath10k: Fix deadlock when peer cannot be created greearb
2016-04-01 21:12 ` greearb
2016-05-09 17:19 ` Ben Greear
2016-05-09 17:19 ` Ben Greear
2016-05-09 17:54 ` Manoharan, Rajkumar
2016-05-09 17:54 ` Manoharan, Rajkumar
2016-05-09 17:58 ` Ben Greear
2016-05-09 17:58 ` Ben Greear
2016-05-13 14:07 ` Valo, Kalle
2016-05-13 14:07 ` Valo, Kalle
2016-06-06 17:24 ` [v2,5/5] " Kalle Valo
2016-06-06 17:24 ` Kalle Valo
2016-05-10 6:48 ` [PATCH v2 1/5] ath10k: Ensure txrx-compl-task is stopped when cleaning htt-tx Mohammed Shafi Shajakhan
2016-05-10 6:48 ` Mohammed Shafi Shajakhan
2016-05-10 14:39 ` Ben Greear
2016-05-10 14:39 ` Ben Greear
2016-05-10 16:36 ` Mohammed Shafi Shajakhan
2016-05-10 16:36 ` Mohammed Shafi Shajakhan
2016-07-08 6:43 ` [v2, " Kalle Valo
2016-07-08 6:43 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1459545132-11295-2-git-send-email-greearb@candelatech.com \
--to=greearb@candelatech.com \
--cc=ath10k@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.