From patchwork Mon Oct 10 14:21:18 2016
X-Patchwork-Submitter: Vasanthakumar Thiagarajan
X-Patchwork-Id: 9369573
X-Patchwork-Delegate: kvalo@adurom.com
From: Vasanthakumar Thiagarajan
Subject: [PATCH] ath10k: Fix kernel panic due to race in accessing arvif list
Date: Mon, 10 Oct 2016 19:51:18 +0530
Message-ID: <1476109278-7957-1-git-send-email-vthiagar@qti.qualcomm.com>
Cc: Vasanthakumar Thiagarajan, linux-wireless@vger.kernel.org

arvifs list is traversed within data_lock spin_lock in tasklet context to fill channel information from the corresponding vif. This means any access to arvifs list for add/del operations should also be protected with the same spin_lock to avoid the race. Fix this by performing list add/del on arvifs within the data_lock. This could fix a kernel panic like the one below.

LR is at ath10k_htt_rx_pktlog_completion_handler+0x100/0xb6c [ath10k_core] PC is at ath10k_htt_rx_pktlog_completion_handler+0x1c0/0xb6c [ath10k_core] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [] (ath10k_htt_rx_pktlog_completion_handler+0x2f4/0xb6c [ath10k_core]) [] (ath10k_htt_txrx_compl_task+0x8b4/0x1188 [ath10k_core]) [] (tasklet_action+0x8c/0xec) [] (__do_softirq+0xdc/0x208) [] (irq_exit+0x84/0xe0) [] (__handle_domain_irq+0x80/0xa0) [] (gic_handle_irq+0x38/0x5c) [] (__irq_svc+0x40/0x74) (gdb) list *(ath10k_htt_rx_pktlog_completion_handler+0x1c0) 0x136c0 is in ath10k_htt_rx_h_channel (drivers/net/wireless/ath/ath10k/htt_rx.c:769) 764 struct cfg80211_chan_def def; 765 766 lockdep_assert_held(&ar->data_lock); 767 768 list_for_each_entry(arvif, &ar->arvifs, list) { 769 if (arvif->vdev_id == vdev_id && 770 ath10k_mac_vif_chan(arvif->vif, &def) == 0) 771 return def.chan; 772 } 773 Signed-off-by: Vasanthakumar Thiagarajan --- drivers/net/wireless/ath/ath10k/mac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 2e5d2ca..691b7b5 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -4931,7 +4931,9 @@ static int ath10k_add_interface(struct ieee80211_hw *hw, } ar->free_vdev_map &= ~(1LL << arvif->vdev_id); + spin_lock_bh(&ar->data_lock); list_add(&arvif->list, &ar->arvifs); + spin_unlock_bh(&ar->data_lock); /* It makes no sense to have firmware do keepalives. mac80211 already * takes care of this with idle connection polling. @@ -5082,7 +5084,9 @@ err_peer_delete: err_vdev_delete: ath10k_wmi_vdev_delete(ar, arvif->vdev_id); ar->free_vdev_map |= 1LL << arvif->vdev_id; + spin_lock_bh(&ar->data_lock); list_del(&arvif->list); + spin_unlock_bh(&ar->data_lock); err: if (arvif->beacon_buf) { 
@@ -5128,7 +5132,9 @@ static void ath10k_remove_interface(struct ieee80211_hw *hw, arvif->vdev_id, ret); ar->free_vdev_map |= 1LL << arvif->vdev_id; + spin_lock_bh(&ar->data_lock); list_del(&arvif->list); + spin_unlock_bh(&ar->data_lock); if (arvif->vdev_type == WMI_VDEV_TYPE_AP || arvif->vdev_type == WMI_VDEV_TYPE_IBSS) {
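
Review bot: ath10k_add_interface() makes arvif visible to the tasklet reader at the list_add(), but the function keeps configuring the interface after that line (the keepalive comment and the err_peer_delete/err_vdev_delete labels follow it). The reader quoted in the changelog dereferences arvif->vdev_id and arvif->vif under data_lock. vdev_id is evidently set, since it is used on the line above, but the hunk does not show that arvif->vif and whatever ath10k_mac_vif_chan() reads are initialised before the entry is published. Please state that in the changelog, or move the locked list_add() to after the setup the reader depends on.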
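
Review bot: On the err_vdev_delete path the locked list_del() comes last, after ath10k_wmi_vdev_delete() and after the vdev_id bit has been returned to free_vdev_map, so in that window the tasklet can still match this arvif by vdev_id for a vdev that has already been deleted. The add path claims the bit first and links the entry second, so the unwind should do the reverse: take data_lock and unlink first, then delete the vdev and release the bit. The same ordering (free_vdev_map update before list_del) appears in the ath10k_remove_interface() hunk and deserves the same look.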
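
Review bot: The ath10k_remove_interface() hunk repeats the same lock, list_del(), unlock triplet as the err_vdev_delete hunk, and nothing in the patch records the rule the changelog states, namely that every add/del on ar->arvifs must hold data_lock because the list is walked from tasklet context. Consider a small helper pair for linking and unlinking an arvif, plus a comment at that helper or at the arvifs declaration naming data_lock as the lock that protects the list, so a future add/del site does not reintroduce the race. The changelog would also benefit from saying whether these three sites are the only writers of the list.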