Message ID | 1535369715-14254-1-git-send-email-siva8118@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | baa8caf4ab7af2d9e84b566b99fe919a4e9e7562 |
Delegated to: | Kalle Valo |
Headers | show |
Series | [1/2] rsi: fix memory alignment issue in ARM32 platforms | expand |
Siva Rebbagondla <siva8118@gmail.com> wrote: > From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> > > During testing in ARM32 platforms, observed below kernel panic, as driver > accessing data beyond the allocated memory while submitting URB to USB. > > Fix: Resolved this by specifying correct length by considering 64 bit > alignment. so that, USB bus driver will access only allocated memory. > > Unit-test: Tested and confirm that driver bring up and scanning, > connection and data transfer works fine with this fix. > > ...skipping... > [ 25.389450] Unable to handle kernel paging request at virtual > address 5aa11422 > [ 25.403078] Internal error: Oops: 5 [#1] SMP ARM > [ 25.407703] Modules linked in: rsi_usb > [ 25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1 > [ 25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) > [ 25.425764] PC is at skb_release_data+0x90/0x168 > [ 25.430393] LR is at skb_release_all+0x28/0x2c > [ 25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e > [ 25.464633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none > [ 25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval)) > [ 25.483709] Stack: (0xedf69ed8 to 0xedf6a000) > [ 25.569907] Backtrace: > [ 25.572368] [<80743520>] (skb_release_data) from [<80742ba0>] > (skb_release_all+0x28/0x2c) > [ 25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0 > r5:eddab000 r4:eddbb840 > [ 25.588308] [<80742b78>] (skb_release_all) from [<807432cc>] > (consume_skb+0x30/0x50) > [ 25.596055] r5:eddab000 r4:eddbb840 > [ 25.599648] [<8074329c>] (consume_skb) from [<7f00117c>] > (rsi_usb_rx_thread+0x64/0x12c [rsi_usb]) > [ 25.608524] r5:eddab000 r4:eddbb840 > [ 25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from > [<80142750>] (kthread+0x11c/0x15c) > [ 25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000 > r6:edd3a780 r5:00000000 > [ 25.628567] r4:edcde380 > [ 25.631110] [<80142634>] (kthread) from [<801010e8>] > (ret_from_fork+0x14/0x2c) > [ 25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8) > [ 25.682929] ---[ end trace 8236a5496f5b5d3b ]--- > > Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> 2 patches applied to wireless-drivers-next.git, thanks. baa8caf4ab7a rsi: fix memory alignment issue in ARM32 platforms 4c62764d0fc2 rsi: improve kernel thread handling to fix kernel panic
diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c index c0a163e..f360690 100644 --- a/drivers/net/wireless/rsi/rsi_91x_usb.c +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c @@ -266,15 +266,17 @@ static void rsi_rx_done_handler(struct urb *urb) if (urb->status) goto out; - if (urb->actual_length <= 0) { - rsi_dbg(INFO_ZONE, "%s: Zero length packet\n", __func__); + if (urb->actual_length <= 0 || + urb->actual_length > rx_cb->rx_skb->len) { + rsi_dbg(INFO_ZONE, "%s: Invalid packet length = %d\n", + __func__, urb->actual_length); goto out; } if (skb_queue_len(&dev->rx_q) >= RSI_MAX_RX_PKTS) { rsi_dbg(INFO_ZONE, "Max RX packets reached\n"); goto out; } - skb_put(rx_cb->rx_skb, urb->actual_length); + skb_trim(rx_cb->rx_skb, urb->actual_length); skb_queue_tail(&dev->rx_q, rx_cb->rx_skb); rsi_set_event(&dev->rx_thread.event); @@ -308,6 +310,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) if (!skb) return -ENOMEM; skb_reserve(skb, MAX_DWORD_ALIGN_BYTES); + skb_put(skb, RSI_MAX_RX_USB_PKT_SIZE - MAX_DWORD_ALIGN_BYTES); dword_align_bytes = (unsigned long)skb->data & 0x3f; if (dword_align_bytes > 0) skb_push(skb, dword_align_bytes); @@ -319,7 +322,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) usb_rcvbulkpipe(dev->usbdev, dev->bulkin_endpoint_addr[ep_num - 1]), urb->transfer_buffer, - RSI_MAX_RX_USB_PKT_SIZE, + skb->len, rsi_rx_done_handler, rx_cb);