From patchwork Thu Mar 22 17:23:14 2018
X-Patchwork-Submitter: Tamizh chelvam
X-Patchwork-Id: 10302023
X-Patchwork-Delegate: kvalo@adurom.com
From: Tamizh chelvam
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org, Tamizh chelvam
Subject: [PATCH] ath10k: fix kernel panic while reading tpc_stats
Date: Thu, 22 Mar 2018 22:53:14 +0530
Message-Id: <1521739394-15218-1-git-send-email-tamizhr@codeaurora.org>

An attempt to read tpc_stats on chipsets which support more than 3 tx
chains will trigger a kernel panic (kernel stack is corrupted) due to
writing values to the rate_code array out of range. This patch changes
the array size to depend on WMI_TPC_TX_N_CHAIN and adds a check to
avoid writing values to the array if the num tx chain received in the
tpc config event is greater than WMI_TPC_TX_N_CHAIN.

Tested on QCA9984 with firmware-5.bin_10.4-3.5.3-00057

Kernel panic log :

[ 323.510944] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: bf90c654
[ 323.510944]
[ 323.524390] CPU: 0 PID: 1908 Comm: cat Not tainted 3.14.77 #31
[ 323.530224] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[ 323.537941] [] (show_stack) from [] (dump_stack+0x80/0xa0)
[ 323.545146] [] (dump_stack) from [] (panic+0x84/0x1e4)
[ 323.552000] [] (panic) from [] (__stack_chk_fail+0x10/0x14)
[ 323.559350] [] (__stack_chk_fail) from [] (ath10k_wmi_event_pdev_tpc_config+0x424/0x438 [ath10k_core])
[ 323.570471] [] (ath10k_wmi_event_pdev_tpc_config [ath10k_core]) from [] (ath10k_wmi_10_4_op_rx+0x2f0/0x39c [ath10k_core])
[ 323.583047] [] (ath10k_wmi_10_4_op_rx [ath10k_core]) from [] (ath10k_htc_rx_completion_handler+0x170/0x1a0 [ath10k_core])
[ 323.595702] [] (ath10k_htc_rx_completion_handler [ath10k_core]) from [] (ath10k_pci_hif_send_complete_check+0x1f0/0x220 [ath10k_pci])
[ 323.609421] [] (ath10k_pci_hif_send_complete_check [ath10k_pci]) from [] (ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci])
[ 323.622490] [] (ath10k_ce_per_engine_service [ath10k_pci]) from [] (ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci])
[ 323.635423] [] (ath10k_ce_per_engine_service_any [ath10k_pci]) from [] (ath10k_pci_napi_poll+0x44/0xe8 [ath10k_pci])
[ 323.647665] [] (ath10k_pci_napi_poll [ath10k_pci]) from [] (net_rx_action+0xac/0x160)
[ 323.657208] [] (net_rx_action) from [] (__do_softirq+0x104/0x294)
[ 323.665017] [] (__do_softirq) from [] (irq_exit+0x9c/0x11c)
[ 323.672314] [] (irq_exit) from [] (handle_IRQ+0x6c/0x90)
[ 323.679341] [] (handle_IRQ) from [] (gic_handle_irq+0x3c/0x60)
[ 323.686893] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x70)
[ 323.694349] Exception stack(0xdd489c58 to 0xdd489ca0)
[ 323.699384] 9c40: 00000000 a0000013
[ 323.707547] 9c60: 00000000 dc4bce40 60000013 ddc1d800 dd488000 00000990 00000000 c085c800
[ 323.715707] 9c80: 00000000 dd489d44 0000092d dd489ca0 c026e664 c026e668 60000013 ffffffff
[ 323.723877] [] (__irq_svc) from [] (rcu_note_context_switch+0x170/0x184)
[ 323.732298] [] (rcu_note_context_switch) from [] (__schedule+0x50/0x4d4)
[ 323.740716] [] (__schedule) from [] (schedule_timeout+0x148/0x178)
[ 323.748611] [] (schedule_timeout) from [] (wait_for_common+0x114/0x154)
[ 323.756972] [] (wait_for_common) from [] (ath10k_tpc_stats_open+0xc8/0x340 [ath10k_core])
[ 323.766873] [] (ath10k_tpc_stats_open [ath10k_core]) from [] (do_dentry_open+0x1ac/0x274)
[ 323.776741] [] (do_dentry_open) from [] (do_last+0x8c0/0xb08)
[ 323.784201] [] (do_last) from [] (path_openat+0x210/0x598)
[ 323.791408] [] (path_openat) from [] (do_filp_open+0x2c/0x78)
[ 323.798873] [] (do_filp_open) from [] (do_sys_open+0x114/0x1b4)
[ 323.806509] [] (do_sys_open) from [] (ret_fast_syscall+0x0/0x44)
[ 323.814241] CPU1: stopping
[ 323.816927] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.77 #31
[ 323.823008] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[ 323.830731] [] (show_stack) from [] (dump_stack+0x80/0xa0)
[ 323.837934] [] (dump_stack) from [] (handle_IPI+0xb8/0x140)
[ 323.845224] [] (handle_IPI) from [] (gic_handle_irq+0x58/0x60)
[ 323.852774] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x70)
[ 323.860233] Exception stack(0xdd499fa0 to 0xdd499fe8)
[ 323.865273] 9fa0: ffffffed 00000000 1d3c9000 00000000 dd498000 dd498030 10c0387d c08b62c8
[ 323.873432] 9fc0: 4220406a 512f04d0 00000000 00000000 00000001 dd499fe8 c021838c c0218390
[ 323.881588] 9fe0: 60000013 ffffffff
[ 323.885070] [] (__irq_svc) from [] (arch_cpu_idle+0x30/0x50)
[ 323.892454] [] (arch_cpu_idle) from [] (cpu_startup_entry+0xa4/0x108)
[ 323.900690] [] (cpu_startup_entry) from [<422085a4>] (0x422085a4)

Signed-off-by: Tamizh chelvam
---
 drivers/net/wireless/ath/ath10k/debug.c | 12 +++++++++---
 drivers/net/wireless/ath/ath10k/wmi.c | 10 +++++++++-
 drivers/net/wireless/ath/ath10k/wmi.h | 2 +-
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c index 554cd78..8c41c81 100644 --- a/drivers/net/wireless/ath/ath10k/debug.c +++ b/drivers/net/wireless/ath/ath10k/debug.c 
@@ -1506,18 +1506,24 @@ static void ath10k_tpc_stats_print(struct ath10k_tpc_stats *tpc_stats, *len += scnprintf(buf + *len, buf_len - *len, "********************************\n"); *len += scnprintf(buf + *len, buf_len - *len, - "No. Preamble Rate_code tpc_value1 tpc_value2 tpc_value3\n"); + "No. Preamble Rate_code "); + + for (i = 0; i < WMI_TPC_TX_N_CHAIN; i++) + *len += scnprintf(buf + *len, buf_len - *len, + "tpc_value%d ", i); + + *len += scnprintf(buf + *len, buf_len - *len, "\n"); for (i = 0; i < tpc_stats->rate_max; i++) { *len += scnprintf(buf + *len, buf_len - *len, - "%8d %s 0x%2x %s\n", i, + "%8d %s 0x%2x %s", i, pream_str[tpc_stats->tpc_table[j].pream_idx[i]], tpc_stats->tpc_table[j].rate_code[i], tpc_stats->tpc_table[j].tpc_value[i]); } *len += scnprintf(buf + *len, buf_len - *len, - "***********************************\n"); + "\n***********************************\n"); } static void ath10k_tpc_stats_fill(struct ath10k *ar, diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c index 58dc218..ac9f6a5 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -4325,7 +4325,7 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); if (!tpc_stats) - return; + goto exit; /* Create the rate code table based on the chains supported */ rate_idx = 0; @@ -4351,6 +4351,12 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) num_tx_chain = __le32_to_cpu(ev->num_tx_chain); + if (num_tx_chain > WMI_TPC_TX_N_CHAIN) { + ath10k_warn(ar, "number of tx chain is %d greater than TPC configured tx chain %d\n", + num_tx_chain, WMI_TPC_TX_N_CHAIN); + goto exit; + } + /* Fill HT20 rate code */ for (i = 0; i < num_tx_chain; i++) { for (j = 0; j < 8; j++) { 
@@ -4455,6 +4461,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) __le32_to_cpu(ev->twice_max_rd_power) / 2, __le32_to_cpu(ev->num_tx_chain), __le32_to_cpu(ev->rate_max)); +exit: + complete(&ar->debug.tpc_complete); } static void diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h index c7b30ed..5646ea0 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.h +++ b/drivers/net/wireless/ath/ath10k/wmi.h @@ -3992,8 +3992,8 @@ struct wmi_pdev_get_tpc_config_cmd { } __packed; #define WMI_TPC_CONFIG_PARAM 1 -#define WMI_TPC_RATE_MAX 160 #define WMI_TPC_TX_N_CHAIN 4 +#define WMI_TPC_RATE_MAX (WMI_TPC_TX_N_CHAIN * 65) #define WMI_TPC_PREAM_TABLE_MAX 10 #define WMI_TPC_FLAG 3 #define WMI_TPC_BUF_SIZE 10
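
Review bot: In the ath10k_tpc_stats_print hunk of debug.c (@@ -1506), the per-rate row format loses its trailing newline ("%8d %s 0x%2x %s\n" becomes "%8d %s 0x%2x %s") while the only newline added is the one prefixed to the closing asterisk line after the loop, so every one of the rate_max rows is emitted on a single line. Keep the "\n" in the row format and drop the leading "\n" from the separator string. The generated column labels also now run tpc_value0 to tpc_value3 where the old header read tpc_value1 to tpc_value3; print i + 1 if the one-based labels are meant to stay.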
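
Review bot: In the wmi.c hunk at @@ -4351, the new num_tx_chain > WMI_TPC_TX_N_CHAIN branch jumps to exit after tpc_stats has already been allocated with kzalloc (visible in the context of the preceding hunk), and the exit label added at the end of the function only calls complete(), so nothing visible frees tpc_stats on this path. Either kfree(tpc_stats) before the goto, or read ev->num_tx_chain and perform the bounds check ahead of the allocation so the rejected event never allocates.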
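
Review bot: The exit: label added in the wmi.c hunk at @@ -4455 makes both failure paths (the kzalloc failure, which changes from return to goto exit, and the rejected num_tx_chain) call complete(&ar->debug.tpc_complete), and the commit message does not mention this behaviour change. The panic log shows ath10k_tpc_stats_open sleeping in wait_for_common, so that reader is now woken without fresh stats; the message should state that this is intended, and the open path should be checked for handling a completion that carries no new tpc_stats.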
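
Review bot: In the wmi.h hunk, WMI_TPC_RATE_MAX becomes (WMI_TPC_TX_N_CHAIN * 65) with no explanation of where 65 comes from; a comment or a named per-chain constant would let a reader verify that the rate_code array the commit message refers to is large enough whenever WMI_TPC_TX_N_CHAIN changes. Since debug.c iterates up to tpc_stats->rate_max, it is also worth confirming that this value, which comes from the event, is bounded by WMI_TPC_RATE_MAX in the same way num_tx_chain is now bounded.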