From patchwork Mon Oct 10 14:21:18 2016
X-Patchwork-Submitter: Vasanthakumar Thiagarajan
X-Patchwork-Id: 9369571
X-Patchwork-Delegate: kvalo@adurom.com
From: Vasanthakumar Thiagarajan
To:
CC: , Vasanthakumar Thiagarajan
Subject: [PATCH] ath10k: Fix kernel panic due to race in accessing arvif list
Date: Mon, 10 Oct 2016 19:51:18 +0530
Message-ID: <1476109278-7957-1-git-send-email-vthiagar@qti.qualcomm.com>
X-Mailing-List: linux-wireless@vger.kernel.org

arvifs list is traversed within data_lock spin_lock in tasklet
context to fill channel information from the corresponding vif.
This means any access to arvifs list for add/del operations
should also be protected with the same spin_lock to avoid the
race. Fix this by performing list add/del on arvifs within the
data_lock. This could fix kernel panic something like the below.

 LR is at ath10k_htt_rx_pktlog_completion_handler+0x100/0xb6c [ath10k_core]
 PC is at ath10k_htt_rx_pktlog_completion_handler+0x1c0/0xb6c [ath10k_core]
 Internal error: Oops: 17 [#1] PREEMPT SMP ARM
 [] (ath10k_htt_rx_pktlog_completion_handler+0x2f4/0xb6c [ath10k_core])
 [] (ath10k_htt_txrx_compl_task+0x8b4/0x1188 [ath10k_core])
 [] (tasklet_action+0x8c/0xec)
 [] (__do_softirq+0xdc/0x208)
 [] (irq_exit+0x84/0xe0)
 [] (__handle_domain_irq+0x80/0xa0)
 [] (gic_handle_irq+0x38/0x5c)
 [] (__irq_svc+0x40/0x74)

 (gdb) list *(ath10k_htt_rx_pktlog_completion_handler+0x1c0)
 0x136c0 is in ath10k_htt_rx_h_channel
 (drivers/net/wireless/ath/ath10k/htt_rx.c:769)
 764 struct cfg80211_chan_def def;
 765
 766 lockdep_assert_held(&ar->data_lock);
 767
 768 list_for_each_entry(arvif, &ar->arvifs, list) {
 769 if (arvif->vdev_id == vdev_id &&
 770 ath10k_mac_vif_chan(arvif->vif, &def) == 0)
 771 return def.chan;
 772 }
 773

Signed-off-by: Vasanthakumar Thiagarajan
---
 drivers/net/wireless/ath/ath10k/mac.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 2e5d2ca..691b7b5 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -4931,7 +4931,9 @@ static int ath10k_add_interface(struct ieee80211_hw *hw, } ar->free_vdev_map &= ~(1LL << arvif->vdev_id); + spin_lock_bh(&ar->data_lock); list_add(&arvif->list, &ar->arvifs); + spin_unlock_bh(&ar->data_lock); /* It makes no sense to have firmware do keepalives. mac80211 already * takes care of this with idle connection polling. @@ -5082,7 +5084,9 @@ err_peer_delete: err_vdev_delete: ath10k_wmi_vdev_delete(ar, arvif->vdev_id); ar->free_vdev_map |= 1LL << arvif->vdev_id; + spin_lock_bh(&ar->data_lock); list_del(&arvif->list); + spin_unlock_bh(&ar->data_lock); err: if (arvif->beacon_buf) { @@ -5128,7 +5132,9 @@ static void ath10k_remove_interface(struct ieee80211_hw *hw, arvif->vdev_id, ret); ar->free_vdev_map |= 1LL << arvif->vdev_id; + spin_lock_bh(&ar->data_lock); list_del(&arvif->list); + spin_unlock_bh(&ar->data_lock); if (arvif->vdev_type == WMI_VDEV_TYPE_AP || arvif->vdev_type == WMI_VDEV_TYPE_IBSS) {
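
Review bot: in the ath10k_add_interface hunk (@@ -4931), the arvif becomes reachable from the tasklet as soon as spin_unlock_bh() returns, yet interface setup is still in progress at that point: the keepalive handling follows, and the err_peer_delete/err_vdev_delete labels in the next hunk exist to unwind it. Please confirm that everything the reader dereferences, arvif->vdev_id and arvif->vif in the quoted htt_rx.c:768-771 loop, is fully initialised before this list_add(), and say so in a short comment above the lock so that a later reordering does not reintroduce the problem.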
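
Review bot: in the err_vdev_delete hunk (@@ -5082), the entry is unlinked only after ath10k_wmi_vdev_delete() has been called and after the vdev_id bit has been returned to free_vdev_map, so during that window the tasklet's list walk can still match an arvif whose vdev is already being deleted and whose id is marked free. Consider moving the locked list_del() ahead of ath10k_wmi_vdev_delete(), so the arvif is unpublished from the list before its vdev is torn down.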
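
Review bot: the ath10k_remove_interface hunk (@@ -5128) is the third open-coded copy of spin_lock_bh(&ar->data_lock), a list operation, and spin_unlock_bh(&ar->data_lock) in this patch, and nothing at these sites records why the lock is required. A pair of small helpers for adding and removing an arvif, or a comment at the arvifs declaration stating that data_lock protects the list because the rx tasklet walks it, would keep a future add/del site from missing the lock.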