[PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms
@ 2018-08-27 11:35 Siva Rebbagondla
  2018-08-27 11:35 ` [PATCH 2/2] rsi: improve kernel thread handling to fix kernel panic Siva Rebbagondla
  2018-08-31 15:51 ` [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Kalle Valo
  0 siblings, 2 replies; 3+ messages in thread
From: Siva Rebbagondla @ 2018-08-27 11:35 UTC (permalink / raw)
  To: Kalle Valo
  Cc: linux-wireless, Sasidhar Mudigonda, Siva Rebbagondla,
	Sanjay Konduri

From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>

During testing in ARM32 platforms, observed below kernel panic, as driver
accessing data beyond the allocated memory while submitting URB to USB.

Fix: Resolved this by specifying correct length by considering 64 bit
alignment. so that, USB bus driver will access only allocated memory.

Unit-test: Tested and confirm that driver bring up and scanning,
connection and data transfer works fine with this fix.

...skipping...
[   25.389450] Unable to handle kernel paging request at virtual
	       address 5aa11422
[   25.403078] Internal error: Oops: 5 [#1] SMP ARM
[   25.407703] Modules linked in: rsi_usb
[   25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1
[   25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[   25.425764] PC is at skb_release_data+0x90/0x168
[   25.430393] LR is at skb_release_all+0x28/0x2c
[   25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e
[   25.464633] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32 ISA ARM Segment none
[   25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval))
[   25.483709] Stack: (0xedf69ed8 to 0xedf6a000)
[   25.569907] Backtrace:
[   25.572368] [<80743520>] (skb_release_data) from [<80742ba0>]
	       (skb_release_all+0x28/0x2c)
[   25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0
	       r5:eddab000 r4:eddbb840
[   25.588308] [<80742b78>] (skb_release_all) from [<807432cc>]
	       (consume_skb+0x30/0x50)
[   25.596055] r5:eddab000 r4:eddbb840
[   25.599648] [<8074329c>] (consume_skb) from [<7f00117c>]
	       (rsi_usb_rx_thread+0x64/0x12c [rsi_usb])
[   25.608524] r5:eddab000 r4:eddbb840
[   25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from
	       [<80142750>] (kthread+0x11c/0x15c)
[   25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000
	       r6:edd3a780 r5:00000000
[   25.628567] r4:edcde380
[   25.631110] [<80142634>] (kthread) from [<801010e8>]
	       (ret_from_fork+0x14/0x2c)
[   25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8)
[   25.682929] ---[ end trace 8236a5496f5b5d3b ]---

Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
---
 drivers/net/wireless/rsi/rsi_91x_usb.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
index c0a163e..f360690 100644
--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
@@ -266,15 +266,17 @@ static void rsi_rx_done_handler(struct urb *urb)
 	if (urb->status)
 		goto out;
 
-	if (urb->actual_length <= 0) {
-		rsi_dbg(INFO_ZONE, "%s: Zero length packet\n", __func__);
+	if (urb->actual_length <= 0 ||
+	    urb->actual_length > rx_cb->rx_skb->len) {
+		rsi_dbg(INFO_ZONE, "%s: Invalid packet length = %d\n",
+			__func__, urb->actual_length);
 		goto out;
 	}
 	if (skb_queue_len(&dev->rx_q) >= RSI_MAX_RX_PKTS) {
 		rsi_dbg(INFO_ZONE, "Max RX packets reached\n");
 		goto out;
 	}
-	skb_put(rx_cb->rx_skb, urb->actual_length);
+	skb_trim(rx_cb->rx_skb, urb->actual_length);
 	skb_queue_tail(&dev->rx_q, rx_cb->rx_skb);
 
 	rsi_set_event(&dev->rx_thread.event);
@@ -308,6 +310,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num)
 	if (!skb)
 		return -ENOMEM;
 	skb_reserve(skb, MAX_DWORD_ALIGN_BYTES);
+	skb_put(skb, RSI_MAX_RX_USB_PKT_SIZE - MAX_DWORD_ALIGN_BYTES);
 	dword_align_bytes = (unsigned long)skb->data & 0x3f;
 	if (dword_align_bytes > 0)
 		skb_push(skb, dword_align_bytes);
@@ -319,7 +322,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num)
 			  usb_rcvbulkpipe(dev->usbdev,
 			  dev->bulkin_endpoint_addr[ep_num - 1]),
 			  urb->transfer_buffer,
-			  RSI_MAX_RX_USB_PKT_SIZE,
+			  skb->len,
 			  rsi_rx_done_handler,
 			  rx_cb);
 
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [PATCH 2/2] rsi: improve kernel thread handling to fix kernel panic
  2018-08-27 11:35 [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Siva Rebbagondla
@ 2018-08-27 11:35 ` Siva Rebbagondla
  2018-08-31 15:51 ` [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Kalle Valo
  1 sibling, 0 replies; 3+ messages in thread
From: Siva Rebbagondla @ 2018-08-27 11:35 UTC (permalink / raw)
  To: Kalle Valo
  Cc: linux-wireless, Sasidhar Mudigonda, Siva Rebbagondla,
	Sanjay Konduri

From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>

While running regressions, observed below kernel panic when sdio disconnect
called. This is because of, kthread_stop() is taking care of
wait_for_completion() by default. When wait_for_completion triggered
in kthread_stop and as it was done already, giving kernel panic.
Hence, removing redundant wait_for_completion() from rsi_kill_thread().

... skipping ...
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff810a63df>] exit_creds+0x1f/0x50
PGD 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
Stack:
ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000
ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000
ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15
Call Trace:
[<ffffffff8108160a>] __put_task_struct+0x5a/0x140
[<ffffffff810a484b>] kthread_stop+0x10b/0x110
[<ffffffffc09bed15>] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
[<ffffffff81578bcb>] ? __pm_runtime_resume+0x5b/0x80
[<ffffffff816f0918>] sdio_bus_remove+0x38/0x100
[<ffffffff8156cc64>] __device_release_driver+0xa4/0x150
[<ffffffff8156d7a5>] driver_detach+0xb5/0xc0
[<ffffffff8156c6c5>] bus_remove_driver+0x55/0xd0
[<ffffffff8156dfbc>] driver_unregister+0x2c/0x50
[<ffffffff816f0b8a>] sdio_unregister_driver+0x1a/0x20
[<ffffffffc09bf0f5>] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
[<ffffffff8110cad8>] SyS_delete_module+0x1b8/0x210
[<ffffffff81851dc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb

Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
---
 drivers/net/wireless/rsi/rsi_common.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_common.h b/drivers/net/wireless/rsi/rsi_common.h
index d9ff3b8..60f1f28 100644
--- a/drivers/net/wireless/rsi/rsi_common.h
+++ b/drivers/net/wireless/rsi/rsi_common.h
@@ -75,7 +75,6 @@ static inline int rsi_kill_thread(struct rsi_thread *handle)
 	atomic_inc(&handle->thread_done);
 	rsi_set_event(&handle->event);
 
-	wait_for_completion(&handle->completion);
 	return kthread_stop(handle->task);
 }
 
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms
  2018-08-27 11:35 [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Siva Rebbagondla
  2018-08-27 11:35 ` [PATCH 2/2] rsi: improve kernel thread handling to fix kernel panic Siva Rebbagondla
@ 2018-08-31 15:51 ` Kalle Valo
  1 sibling, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2018-08-31 15:51 UTC (permalink / raw)
  To: Siva Rebbagondla
  Cc: linux-wireless, Sasidhar Mudigonda, Siva Rebbagondla,
	Sanjay Konduri

Siva Rebbagondla <siva8118@gmail.com> wrote:

> From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
> 
> During testing in ARM32 platforms, observed below kernel panic, as driver
> accessing data beyond the allocated memory while submitting URB to USB.
> 
> Fix: Resolved this by specifying correct length by considering 64 bit
> alignment. so that, USB bus driver will access only allocated memory.
> 
> Unit-test: Tested and confirm that driver bring up and scanning,
> connection and data transfer works fine with this fix.
> 
> ...skipping...
> [   25.389450] Unable to handle kernel paging request at virtual
> 	       address 5aa11422
> [   25.403078] Internal error: Oops: 5 [#1] SMP ARM
> [   25.407703] Modules linked in: rsi_usb
> [   25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1
> [   25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
> [   25.425764] PC is at skb_release_data+0x90/0x168
> [   25.430393] LR is at skb_release_all+0x28/0x2c
> [   25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e
> [   25.464633] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32 ISA ARM Segment none
> [   25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval))
> [   25.483709] Stack: (0xedf69ed8 to 0xedf6a000)
> [   25.569907] Backtrace:
> [   25.572368] [<80743520>] (skb_release_data) from [<80742ba0>]
> 	       (skb_release_all+0x28/0x2c)
> [   25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0
> 	       r5:eddab000 r4:eddbb840
> [   25.588308] [<80742b78>] (skb_release_all) from [<807432cc>]
> 	       (consume_skb+0x30/0x50)
> [   25.596055] r5:eddab000 r4:eddbb840
> [   25.599648] [<8074329c>] (consume_skb) from [<7f00117c>]
> 	       (rsi_usb_rx_thread+0x64/0x12c [rsi_usb])
> [   25.608524] r5:eddab000 r4:eddbb840
> [   25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from
> 	       [<80142750>] (kthread+0x11c/0x15c)
> [   25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000
> 	       r6:edd3a780 r5:00000000
> [   25.628567] r4:edcde380
> [   25.631110] [<80142634>] (kthread) from [<801010e8>]
> 	       (ret_from_fork+0x14/0x2c)
> [   25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8)
> [   25.682929] ---[ end trace 8236a5496f5b5d3b ]---
> 
> Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>

2 patches applied to wireless-drivers-next.git, thanks.

baa8caf4ab7a rsi: fix memory alignment issue in ARM32 platforms
4c62764d0fc2 rsi: improve kernel thread handling to fix kernel panic

-- 
https://patchwork.kernel.org/patch/10577019/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-08-31 20:00 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-08-27 11:35 [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Siva Rebbagondla
2018-08-27 11:35 ` [PATCH 2/2] rsi: improve kernel thread handling to fix kernel panic Siva Rebbagondla
2018-08-31 15:51 ` [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Kalle Valo

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.