Message ID | 1521739394-15218-1-git-send-email-tamizhr@codeaurora.org (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Kalle Valo |
Headers | show |
Hi Tamizh, Thank you for the patch! Yet something to improve: [auto build test ERROR on ath6kl/ath-next] [also build test ERROR on v4.16-rc6 next-20180323] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Tamizh-chelvam/ath10k-fix-kernel-panic-while-reading-tpc_stats/20180325-093724 base: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git ath-next config: i386-randconfig-h0-03251902 (attached as .config) compiler: gcc-4.9 (Debian 4.9.4-2) 4.9.4 reproduce: # save the attached .config to linux build tree make ARCH=i386 All errors (new ones prefixed by >>): drivers/net/wireless/ath/ath10k/wmi.c: In function 'ath10k_wmi_event_pdev_tpc_config': >> drivers/net/wireless/ath/ath10k/wmi.c:4465:14: error: 'struct ath10k' has no member named 'debug' complete(&ar->debug.tpc_complete); ^ vim +4465 drivers/net/wireless/ath/ath10k/wmi.c 4315 4316 void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) 4317 { 4318 u32 i, j, pream_idx, num_tx_chain; 4319 u8 rate_code[WMI_TPC_RATE_MAX], rate_idx; 4320 u16 pream_table[WMI_TPC_PREAM_TABLE_MAX]; 4321 struct wmi_pdev_tpc_config_event *ev; 4322 struct ath10k_tpc_stats *tpc_stats; 4323 4324 ev = (struct wmi_pdev_tpc_config_event *)skb->data; 4325 4326 tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); 4327 if (!tpc_stats) 4328 goto exit; 4329 4330 /* Create the rate code table based on the chains supported */ 4331 rate_idx = 0; 4332 pream_idx = 0; 4333 4334 /* Fill CCK rate code */ 4335 for (i = 0; i < 4; i++) { 4336 rate_code[rate_idx] = 4337 ATH10K_HW_RATECODE(i, 0, WMI_RATE_PREAMBLE_CCK); 4338 rate_idx++; 4339 } 4340 pream_table[pream_idx] = rate_idx; 4341 pream_idx++; 4342 4343 /* Fill OFDM rate code */ 4344 for (i = 0; i < 8; i++) { 4345 rate_code[rate_idx] = 4346 ATH10K_HW_RATECODE(i, 0, WMI_RATE_PREAMBLE_OFDM); 4347 rate_idx++; 4348 } 4349 pream_table[pream_idx] = rate_idx; 4350 pream_idx++; 4351 4352 num_tx_chain = __le32_to_cpu(ev->num_tx_chain); 4353 4354 if (num_tx_chain > WMI_TPC_TX_N_CHAIN) { 4355 ath10k_warn(ar, "number of tx chain is %d greater than TPC configured tx chain %d\n", 4356 num_tx_chain, WMI_TPC_TX_N_CHAIN); 4357 goto exit; 4358 } 4359 4360 /* Fill HT20 rate code */ 4361 for (i = 0; i < num_tx_chain; i++) { 4362 for (j = 0; j < 8; j++) { 4363 rate_code[rate_idx] = 4364 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_HT); 4365 rate_idx++; 4366 } 4367 } 4368 pream_table[pream_idx] = rate_idx; 4369 pream_idx++; 4370 4371 /* Fill HT40 rate code */ 4372 for (i = 0; i < num_tx_chain; i++) { 4373 for (j = 0; j < 8; j++) { 4374 rate_code[rate_idx] = 4375 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_HT); 4376 rate_idx++; 4377 } 4378 } 4379 pream_table[pream_idx] = rate_idx; 4380 pream_idx++; 4381 4382 /* Fill VHT20 rate code */ 4383 for (i = 0; i < __le32_to_cpu(ev->num_tx_chain); i++) { 4384 for (j = 0; j < 10; j++) { 4385 rate_code[rate_idx] = 4386 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_VHT); 4387 rate_idx++; 4388 } 4389 } 4390 pream_table[pream_idx] = rate_idx; 4391 pream_idx++; 4392 4393 /* Fill VHT40 rate code */ 4394 for (i = 0; i < num_tx_chain; i++) { 4395 for (j = 0; j < 10; j++) { 4396 rate_code[rate_idx] = 4397 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_VHT); 4398 rate_idx++; 4399 } 4400 } 4401 pream_table[pream_idx] = rate_idx; 4402 pream_idx++; 4403 4404 /* Fill VHT80 rate code */ 4405 for (i = 0; i < num_tx_chain; i++) { 4406 for (j = 0; j < 10; j++) { 4407 rate_code[rate_idx] = 4408 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_VHT); 4409 rate_idx++; 4410 } 4411 } 4412 pream_table[pream_idx] = rate_idx; 4413 pream_idx++; 4414 4415 rate_code[rate_idx++] = 4416 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_CCK); 4417 rate_code[rate_idx++] = 4418 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_OFDM); 4419 rate_code[rate_idx++] = 4420 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_CCK); 4421 rate_code[rate_idx++] = 4422 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_OFDM); 4423 rate_code[rate_idx++] = 4424 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_OFDM); 4425 4426 pream_table[pream_idx] = ATH10K_TPC_PREAM_TABLE_END; 4427 4428 tpc_stats->chan_freq = __le32_to_cpu(ev->chan_freq); 4429 tpc_stats->phy_mode = __le32_to_cpu(ev->phy_mode); 4430 tpc_stats->ctl = __le32_to_cpu(ev->ctl); 4431 tpc_stats->reg_domain = __le32_to_cpu(ev->reg_domain); 4432 tpc_stats->twice_antenna_gain = a_sle32_to_cpu(ev->twice_antenna_gain); 4433 tpc_stats->twice_antenna_reduction = 4434 __le32_to_cpu(ev->twice_antenna_reduction); 4435 tpc_stats->power_limit = __le32_to_cpu(ev->power_limit); 4436 tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power); 4437 tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain); 4438 tpc_stats->rate_max = __le32_to_cpu(ev->rate_max); 4439 4440 ath10k_tpc_config_disp_tables(ar, ev, tpc_stats, 4441 rate_code, pream_table, 4442 WMI_TPC_TABLE_TYPE_CDD); 4443 ath10k_tpc_config_disp_tables(ar, ev, tpc_stats, 4444 rate_code, pream_table, 4445 WMI_TPC_TABLE_TYPE_STBC); 4446 ath10k_tpc_config_disp_tables(ar, ev, tpc_stats, 4447 rate_code, pream_table, 4448 WMI_TPC_TABLE_TYPE_TXBF); 4449 4450 ath10k_debug_tpc_stats_process(ar, tpc_stats); 4451 4452 ath10k_dbg(ar, ATH10K_DBG_WMI, 4453 "wmi event tpc config channel %d mode %d ctl %d regd %d gain %d %d limit %d max_power %d tx_chanins %d rates %d\n", 4454 __le32_to_cpu(ev->chan_freq), 4455 __le32_to_cpu(ev->phy_mode), 4456 __le32_to_cpu(ev->ctl), 4457 __le32_to_cpu(ev->reg_domain), 4458 a_sle32_to_cpu(ev->twice_antenna_gain), 4459 __le32_to_cpu(ev->twice_antenna_reduction), 4460 __le32_to_cpu(ev->power_limit), 4461 __le32_to_cpu(ev->twice_max_rd_power) / 2, 4462 __le32_to_cpu(ev->num_tx_chain), 4463 __le32_to_cpu(ev->rate_max)); 4464 exit: > 4465 complete(&ar->debug.tpc_complete); 4466 } 4467 --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c index 554cd78..8c41c81 100644 --- a/drivers/net/wireless/ath/ath10k/debug.c +++ b/drivers/net/wireless/ath/ath10k/debug.c @@ -1506,18 +1506,24 @@ static void ath10k_tpc_stats_print(struct ath10k_tpc_stats *tpc_stats, *len += scnprintf(buf + *len, buf_len - *len, "********************************\n"); *len += scnprintf(buf + *len, buf_len - *len, - "No. Preamble Rate_code tpc_value1 tpc_value2 tpc_value3\n"); + "No. Preamble Rate_code "); + + for (i = 0; i < WMI_TPC_TX_N_CHAIN; i++) + *len += scnprintf(buf + *len, buf_len - *len, + "tpc_value%d ", i); + + *len += scnprintf(buf + *len, buf_len - *len, "\n"); for (i = 0; i < tpc_stats->rate_max; i++) { *len += scnprintf(buf + *len, buf_len - *len, - "%8d %s 0x%2x %s\n", i, + "%8d %s 0x%2x %s", i, pream_str[tpc_stats->tpc_table[j].pream_idx[i]], tpc_stats->tpc_table[j].rate_code[i], tpc_stats->tpc_table[j].tpc_value[i]); } *len += scnprintf(buf + *len, buf_len - *len, - "***********************************\n"); + "\n***********************************\n"); } static void ath10k_tpc_stats_fill(struct ath10k *ar, diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c index 58dc218..ac9f6a5 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -4325,7 +4325,7 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); if (!tpc_stats) - return; + goto exit; /* Create the rate code table based on the chains supported */ rate_idx = 0; @@ -4351,6 +4351,12 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) num_tx_chain = __le32_to_cpu(ev->num_tx_chain); + if (num_tx_chain > WMI_TPC_TX_N_CHAIN) { + ath10k_warn(ar, "number of tx chain is %d greater than TPC configured tx chain %d\n", + num_tx_chain, WMI_TPC_TX_N_CHAIN); + goto exit; + } + /* Fill HT20 rate code */ for (i = 0; i < num_tx_chain; i++) { for (j = 0; j < 8; j++) { @@ -4455,6 +4461,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) __le32_to_cpu(ev->twice_max_rd_power) / 2, __le32_to_cpu(ev->num_tx_chain), __le32_to_cpu(ev->rate_max)); +exit: + complete(&ar->debug.tpc_complete); } static void diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h index c7b30ed..5646ea0 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.h +++ b/drivers/net/wireless/ath/ath10k/wmi.h @@ -3992,8 +3992,8 @@ struct wmi_pdev_get_tpc_config_cmd { } __packed; #define WMI_TPC_CONFIG_PARAM 1 -#define WMI_TPC_RATE_MAX 160 #define WMI_TPC_TX_N_CHAIN 4 +#define WMI_TPC_RATE_MAX (WMI_TPC_TX_N_CHAIN * 65) #define WMI_TPC_PREAM_TABLE_MAX 10 #define WMI_TPC_FLAG 3 #define WMI_TPC_BUF_SIZE 10
When attempt to read tpc_stats for the chipsets which support more than 3 tx chain will trigger kernel panic(kernel stack is corrupted) due to writing values on rate_code array out of range. This patch changes the array size depends on the WMI_TPC_TX_N_CHAIN and added check to avoid write values on the array if the num tx chain get in tpc config event is greater than WMI_TPC_TX_N_CHAIN. Tested on QCA9984 with firmware-5.bin_10.4-3.5.3-00057 Kernel panic log : [ 323.510944] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: bf90c654 [ 323.510944] [ 323.524390] CPU: 0 PID: 1908 Comm: cat Not tainted 3.14.77 #31 [ 323.530224] [<c021db48>] (unwind_backtrace) from [<c021ac08>] (show_stack+0x10/0x14) [ 323.537941] [<c021ac08>] (show_stack) from [<c03c53c0>] (dump_stack+0x80/0xa0) [ 323.545146] [<c03c53c0>] (dump_stack) from [<c022e4ac>] (panic+0x84/0x1e4) [ 323.552000] [<c022e4ac>] (panic) from [<c022e61c>] (__stack_chk_fail+0x10/0x14) [ 323.559350] [<c022e61c>] (__stack_chk_fail) from [<bf90c654>] (ath10k_wmi_event_pdev_tpc_config+0x424/0x438 [ath10k_core]) [ 323.570471] [<bf90c654>] (ath10k_wmi_event_pdev_tpc_config [ath10k_core]) from [<bf90d800>] (ath10k_wmi_10_4_op_rx+0x2f0/0x39c [ath10k_core]) [ 323.583047] [<bf90d800>] (ath10k_wmi_10_4_op_rx [ath10k_core]) from [<bf8fcc18>] (ath10k_htc_rx_completion_handler+0x170/0x1a0 [ath10k_core]) [ 323.595702] [<bf8fcc18>] (ath10k_htc_rx_completion_handler [ath10k_core]) from [<bf961f44>] (ath10k_pci_hif_send_complete_check+0x1f0/0x220 [ath10k_pci]) [ 323.609421] [<bf961f44>] (ath10k_pci_hif_send_complete_check [ath10k_pci]) from [<bf96562c>] (ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci]) [ 323.622490] [<bf96562c>] (ath10k_ce_per_engine_service [ath10k_pci]) from [<bf9656f0>] (ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci]) [ 323.635423] [<bf9656f0>] (ath10k_ce_per_engine_service_any [ath10k_pci]) from [<bf96365c>] (ath10k_pci_napi_poll+0x44/0xe8 [ath10k_pci]) [ 323.647665] [<bf96365c>] (ath10k_pci_napi_poll [ath10k_pci]) from [<c0599994>] (net_rx_action+0xac/0x160) [ 323.657208] [<c0599994>] (net_rx_action) from [<c02324a4>] (__do_softirq+0x104/0x294) [ 323.665017] [<c02324a4>] (__do_softirq) from [<c0232920>] (irq_exit+0x9c/0x11c) [ 323.672314] [<c0232920>] (irq_exit) from [<c0217fc0>] (handle_IRQ+0x6c/0x90) [ 323.679341] [<c0217fc0>] (handle_IRQ) from [<c02084e0>] (gic_handle_irq+0x3c/0x60) [ 323.686893] [<c02084e0>] (gic_handle_irq) from [<c02095c0>] (__irq_svc+0x40/0x70) [ 323.694349] Exception stack(0xdd489c58 to 0xdd489ca0) [ 323.699384] 9c40: 00000000 a0000013 [ 323.707547] 9c60: 00000000 dc4bce40 60000013 ddc1d800 dd488000 00000990 00000000 c085c800 [ 323.715707] 9c80: 00000000 dd489d44 0000092d dd489ca0 c026e664 c026e668 60000013 ffffffff [ 323.723877] [<c02095c0>] (__irq_svc) from [<c026e668>] (rcu_note_context_switch+0x170/0x184) [ 323.732298] [<c026e668>] (rcu_note_context_switch) from [<c020e928>] (__schedule+0x50/0x4d4) [ 323.740716] [<c020e928>] (__schedule) from [<c020e490>] (schedule_timeout+0x148/0x178) [ 323.748611] [<c020e490>] (schedule_timeout) from [<c020f804>] (wait_for_common+0x114/0x154) [ 323.756972] [<c020f804>] (wait_for_common) from [<bf8f6ef0>] (ath10k_tpc_stats_open+0xc8/0x340 [ath10k_core]) [ 323.766873] [<bf8f6ef0>] (ath10k_tpc_stats_open [ath10k_core]) from [<c02bb598>] (do_dentry_open+0x1ac/0x274) [ 323.776741] [<c02bb598>] (do_dentry_open) from [<c02c838c>] (do_last+0x8c0/0xb08) [ 323.784201] [<c02c838c>] (do_last) from [<c02c87e4>] (path_openat+0x210/0x598) [ 323.791408] [<c02c87e4>] (path_openat) from [<c02c9d1c>] (do_filp_open+0x2c/0x78) [ 323.798873] [<c02c9d1c>] (do_filp_open) from [<c02bc85c>] (do_sys_open+0x114/0x1b4) [ 323.806509] [<c02bc85c>] (do_sys_open) from [<c0208c80>] (ret_fast_syscall+0x0/0x44) [ 323.814241] CPU1: stopping [ 323.816927] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.77 #31 [ 323.823008] [<c021db48>] (unwind_backtrace) from [<c021ac08>] (show_stack+0x10/0x14) [ 323.830731] [<c021ac08>] (show_stack) from [<c03c53c0>] (dump_stack+0x80/0xa0) [ 323.837934] [<c03c53c0>] (dump_stack) from [<c021cfac>] (handle_IPI+0xb8/0x140) [ 323.845224] [<c021cfac>] (handle_IPI) from [<c02084fc>] (gic_handle_irq+0x58/0x60) [ 323.852774] [<c02084fc>] (gic_handle_irq) from [<c02095c0>] (__irq_svc+0x40/0x70) [ 323.860233] Exception stack(0xdd499fa0 to 0xdd499fe8) [ 323.865273] 9fa0: ffffffed 00000000 1d3c9000 00000000 dd498000 dd498030 10c0387d c08b62c8 [ 323.873432] 9fc0: 4220406a 512f04d0 00000000 00000000 00000001 dd499fe8 c021838c c0218390 [ 323.881588] 9fe0: 60000013 ffffffff [ 323.885070] [<c02095c0>] (__irq_svc) from [<c0218390>] (arch_cpu_idle+0x30/0x50) [ 323.892454] [<c0218390>] (arch_cpu_idle) from [<c026500c>] (cpu_startup_entry+0xa4/0x108) [ 323.900690] [<c026500c>] (cpu_startup_entry) from [<422085a4>] (0x422085a4) Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org> --- drivers/net/wireless/ath/ath10k/debug.c | 12 +++++++++--- drivers/net/wireless/ath/ath10k/wmi.c | 10 +++++++++- drivers/net/wireless/ath/ath10k/wmi.h | 2 +- 3 files changed, 19 insertions(+), 5 deletions(-)