From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Harshitha Prem <quic_hprem@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, quic_jjohnson@quicinc.com,
ath12k@lists.infradead.org, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 02/31] wifi: ath12k: Ignore fragments from uninitialized peer in dp
Date: Tue, 7 Nov 2023 07:05:49 -0500 [thread overview]
Message-ID: <20231107120704.3756327-2-sashal@kernel.org> (raw)
In-Reply-To: <20231107120704.3756327-1-sashal@kernel.org>
From: Harshitha Prem <quic_hprem@quicinc.com>
[ Upstream commit bbc86757ca62423c3b6bd8f7176da1ff43450769 ]
When max virtual ap interfaces are configured in all the bands with
ACS and hostapd restart is done every 60s, a crash is observed at
random times.
In the above scenario, a fragmented packet is received for self peer,
for which rx_tid and rx_frags are not initialized in datapath.
While handling this fragment, crash is observed as the rx_frag list
is uninitialized and when we walk in ath12k_dp_rx_h_sort_frags,
skb null leads to exception.
To address this, before processing received fragments we check
dp_setup_done flag is set to ensure that peer has completed its
dp peer setup for fragment queue, else ignore processing the
fragments.
Call trace:
PC points to "ath12k_dp_process_rx_err+0x4e8/0xfcc [ath12k]"
LR points to "ath12k_dp_process_rx_err+0x480/0xfcc [ath12k]".
The Backtrace obtained is as follows:
ath12k_dp_process_rx_err+0x4e8/0xfcc [ath12k]
ath12k_dp_service_srng+0x78/0x260 [ath12k]
ath12k_pci_write32+0x990/0xb0c [ath12k]
__napi_poll+0x30/0xa4
net_rx_action+0x118/0x270
__do_softirq+0x10c/0x244
irq_exit+0x64/0xb4
__handle_domain_irq+0x88/0xac
gic_handle_irq+0x74/0xbc
el1_irq+0xf0/0x1c0
arch_cpu_idle+0x10/0x18
do_idle+0x104/0x248
cpu_startup_entry+0x20/0x64
rest_init+0xd0/0xdc
arch_call_rest_init+0xc/0x14
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230821130343.29495-2-quic_hprem@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp.c | 1 +
drivers/net/wireless/ath/ath12k/dp_rx.c | 9 +++++++++
drivers/net/wireless/ath/ath12k/peer.h | 3 +++
3 files changed, 13 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c
index f933896f2a68d..6893466f61f04 100644
--- a/drivers/net/wireless/ath/ath12k/dp.c
+++ b/drivers/net/wireless/ath/ath12k/dp.c
@@ -38,6 +38,7 @@ void ath12k_dp_peer_cleanup(struct ath12k *ar, int vdev_id, const u8 *addr)
ath12k_dp_rx_peer_tid_cleanup(ar, peer);
crypto_free_shash(peer->tfm_mmic);
+ peer->dp_setup_done = false;
spin_unlock_bh(&ab->base_lock);
}
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index e6e64d437c47a..100390fdc735f 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -2748,6 +2748,7 @@ int ath12k_dp_rx_peer_frag_setup(struct ath12k *ar, const u8 *peer_mac, int vdev
}
peer->tfm_mmic = tfm;
+ peer->dp_setup_done = true;
spin_unlock_bh(&ab->base_lock);
return 0;
@@ -3214,6 +3215,14 @@ static int ath12k_dp_rx_frag_h_mpdu(struct ath12k *ar,
ret = -ENOENT;
goto out_unlock;
}
+
+ if (!peer->dp_setup_done) {
+ ath12k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n",
+ peer->addr, peer_id);
+ ret = -ENOENT;
+ goto out_unlock;
+ }
+
rx_tid = &peer->rx_tid[tid];
if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) ||
diff --git a/drivers/net/wireless/ath/ath12k/peer.h b/drivers/net/wireless/ath/ath12k/peer.h
index b296dc0e2f671..c6edb24cbedd8 100644
--- a/drivers/net/wireless/ath/ath12k/peer.h
+++ b/drivers/net/wireless/ath/ath12k/peer.h
@@ -44,6 +44,9 @@ struct ath12k_peer {
struct ppdu_user_delayba ppdu_stats_delayba;
bool delayba_flag;
bool is_authorized;
+
+ /* protected by ab->data_lock */
+ bool dp_setup_done;
};
void ath12k_peer_unmap_event(struct ath12k_base *ab, u16 peer_id);
--
2.42.0
--
ath12k mailing list
ath12k@lists.infradead.org
https://lists.infradead.org/mailman/listinfo/ath12k
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Harshitha Prem <quic_hprem@quicinc.com>,
Kalle Valo <quic_kvalo@quicinc.com>,
Sasha Levin <sashal@kernel.org>,
kvalo@kernel.org, quic_jjohnson@quicinc.com,
ath12k@lists.infradead.org, linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 02/31] wifi: ath12k: Ignore fragments from uninitialized peer in dp
Date: Tue, 7 Nov 2023 07:05:49 -0500 [thread overview]
Message-ID: <20231107120704.3756327-2-sashal@kernel.org> (raw)
In-Reply-To: <20231107120704.3756327-1-sashal@kernel.org>
From: Harshitha Prem <quic_hprem@quicinc.com>
[ Upstream commit bbc86757ca62423c3b6bd8f7176da1ff43450769 ]
When max virtual ap interfaces are configured in all the bands with
ACS and hostapd restart is done every 60s, a crash is observed at
random times.
In the above scenario, a fragmented packet is received for self peer,
for which rx_tid and rx_frags are not initialized in datapath.
While handling this fragment, crash is observed as the rx_frag list
is uninitialized and when we walk in ath12k_dp_rx_h_sort_frags,
skb null leads to exception.
To address this, before processing received fragments we check
dp_setup_done flag is set to ensure that peer has completed its
dp peer setup for fragment queue, else ignore processing the
fragments.
Call trace:
PC points to "ath12k_dp_process_rx_err+0x4e8/0xfcc [ath12k]"
LR points to "ath12k_dp_process_rx_err+0x480/0xfcc [ath12k]".
The Backtrace obtained is as follows:
ath12k_dp_process_rx_err+0x4e8/0xfcc [ath12k]
ath12k_dp_service_srng+0x78/0x260 [ath12k]
ath12k_pci_write32+0x990/0xb0c [ath12k]
__napi_poll+0x30/0xa4
net_rx_action+0x118/0x270
__do_softirq+0x10c/0x244
irq_exit+0x64/0xb4
__handle_domain_irq+0x88/0xac
gic_handle_irq+0x74/0xbc
el1_irq+0xf0/0x1c0
arch_cpu_idle+0x10/0x18
do_idle+0x104/0x248
cpu_startup_entry+0x20/0x64
rest_init+0xd0/0xdc
arch_call_rest_init+0xc/0x14
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230821130343.29495-2-quic_hprem@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp.c | 1 +
drivers/net/wireless/ath/ath12k/dp_rx.c | 9 +++++++++
drivers/net/wireless/ath/ath12k/peer.h | 3 +++
3 files changed, 13 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c
index f933896f2a68d..6893466f61f04 100644
--- a/drivers/net/wireless/ath/ath12k/dp.c
+++ b/drivers/net/wireless/ath/ath12k/dp.c
@@ -38,6 +38,7 @@ void ath12k_dp_peer_cleanup(struct ath12k *ar, int vdev_id, const u8 *addr)
ath12k_dp_rx_peer_tid_cleanup(ar, peer);
crypto_free_shash(peer->tfm_mmic);
+ peer->dp_setup_done = false;
spin_unlock_bh(&ab->base_lock);
}
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index e6e64d437c47a..100390fdc735f 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -2748,6 +2748,7 @@ int ath12k_dp_rx_peer_frag_setup(struct ath12k *ar, const u8 *peer_mac, int vdev
}
peer->tfm_mmic = tfm;
+ peer->dp_setup_done = true;
spin_unlock_bh(&ab->base_lock);
return 0;
@@ -3214,6 +3215,14 @@ static int ath12k_dp_rx_frag_h_mpdu(struct ath12k *ar,
ret = -ENOENT;
goto out_unlock;
}
+
+ if (!peer->dp_setup_done) {
+ ath12k_warn(ab, "The peer %pM [%d] has uninitialized datapath\n",
+ peer->addr, peer_id);
+ ret = -ENOENT;
+ goto out_unlock;
+ }
+
rx_tid = &peer->rx_tid[tid];
if ((!skb_queue_empty(&rx_tid->rx_frags) && seqno != rx_tid->cur_sn) ||
diff --git a/drivers/net/wireless/ath/ath12k/peer.h b/drivers/net/wireless/ath/ath12k/peer.h
index b296dc0e2f671..c6edb24cbedd8 100644
--- a/drivers/net/wireless/ath/ath12k/peer.h
+++ b/drivers/net/wireless/ath/ath12k/peer.h
@@ -44,6 +44,9 @@ struct ath12k_peer {
struct ppdu_user_delayba ppdu_stats_delayba;
bool delayba_flag;
bool is_authorized;
+
+ /* protected by ab->data_lock */
+ bool dp_setup_done;
};
void ath12k_peer_unmap_event(struct ath12k_base *ab, u16 peer_id);
--
2.42.0
next prev parent reply other threads:[~2023-11-07 12:07 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 12:05 [PATCH AUTOSEL 6.6 01/31] wifi: plfxlc: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:05 ` Sasha Levin [this message]
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 02/31] wifi: ath12k: Ignore fragments from uninitialized peer in dp Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 03/31] wifi: mac80211_hwsim: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 04/31] wifi: mac80211: don't return unset power in ieee80211_get_tx_power() Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 05/31] atl1c: Work around the DMA RX overflow issue Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 06/31] bpf: Detect IP == ksym.end as part of BPF program Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 07/31] wifi: ath9k: fix clang-specific fortify warnings Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 08/31] wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats() Sasha Levin
2023-11-07 12:05 ` Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 09/31] wifi: ath10k: fix clang-specific fortify warning Sasha Levin
2023-11-07 12:05 ` Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 10/31] wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps() Sasha Levin
2023-11-07 12:05 ` Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 11/31] ACPI: APEI: Fix AER info corruption when error status data has multiple sections Sasha Levin
2023-11-07 12:05 ` Sasha Levin
2023-11-07 12:05 ` [PATCH AUTOSEL 6.6 12/31] net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 13/31] wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023) Sasha Levin
2023-11-07 12:06 ` Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 14/31] wifi: mt76: fix clang-specific fortify warnings Sasha Levin
2023-11-07 12:06 ` Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 15/31] wifi: mt76: get rid of false alamrs of tx emission issues Sasha Levin
2023-11-07 12:06 ` Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 16/31] net: annotate data-races around sk->sk_tx_queue_mapping Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 17/31] net: annotate data-races around sk->sk_dst_pending_confirm Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 18/31] wifi: ath12k: mhi: fix potential memory leak in ath12k_mhi_register() Sasha Levin
2023-11-07 12:06 ` Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 19/31] wifi: ath10k: Don't touch the CE interrupt registers after power up Sasha Levin
2023-11-07 12:06 ` Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 20/31] net: sfp: add quirk for FS's 2.5G copper SFP Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 21/31] vsock: read from socket's error queue Sasha Levin
2023-11-07 12:06 ` Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 22/31] bpf: Ensure proper register state printing for cond jumps Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 23/31] wifi: iwlwifi: mvm: fix size check for fw_link_id Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 24/31] Bluetooth: btusb: Add date->evt_skb is NULL check Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 25/31] Bluetooth: Fix double free in hci_conn_cleanup Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 26/31] ACPI: EC: Add quirk for HP 250 G7 Notebook PC Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 27/31] tsnep: Fix tsnep_request_irq() format-overflow warning Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 28/31] gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010 Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 29/31] platform/chrome: kunit: initialize lock for fake ec_dev Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 30/31] of: address: Fix address translation when address-size is greater than 2 Sasha Levin
2023-11-07 12:06 ` [PATCH AUTOSEL 6.6 31/31] platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107120704.3756327-2-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath12k@lists.infradead.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=quic_hprem@quicinc.com \
--cc=quic_jjohnson@quicinc.com \
--cc=quic_kvalo@quicinc.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.