From patchwork Mon Aug 27 11:35:14 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siva Rebbagondla X-Patchwork-Id: 10577019 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4512617DB for ; Mon, 27 Aug 2018 11:31:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 34953298A5 for ; Mon, 27 Aug 2018 11:31:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2756D298CF; Mon, 27 Aug 2018 11:31:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9C51D298A5 for ; Mon, 27 Aug 2018 11:31:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726947AbeH0PRm (ORCPT ); Mon, 27 Aug 2018 11:17:42 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:39700 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726825AbeH0PRl (ORCPT ); Mon, 27 Aug 2018 11:17:41 -0400 Received: by mail-pf1-f196.google.com with SMTP id j8-v6so7616345pff.6 for ; Mon, 27 Aug 2018 04:31:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=pWMhg35VRq0IMzGGu8tXGIgFNvf+CI5MEmxZXP0q+g8=; b=AnC9ZqouO1B7gAsklYF0YhUY5e9X5eanPYRPtSDw0EKUFkM2oa3tfNLBU2FK3qHI0/ hiH1ekVt6AU8wFc0J5nzFUzkNaPMtuwjK4pBC4iSX05iqoMXC0OK23pqCfGEVwvXbb8d ZB7Va4ARddwH679TM6W2jBwRQelAQtyx9K0gN1htekpq+7l7OvxSjtv1UKZ0xefrq7en voawDXV7UhPqLJSjaW8YTPpcXhV0G/lnaHe614AI6iPXmosZ44PvR9LX+ATiOT3RBLMH ShVztIlZL4j27AepqGzfoOSMgH5YY0xuPeLA++tvL4W9NTb/aq4bROqyC9jU10ugmYeq cisw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=pWMhg35VRq0IMzGGu8tXGIgFNvf+CI5MEmxZXP0q+g8=; b=cEaH3/QAVO9Y3eMqJg0tB2cGiFrqHLFxzxn61UIzuSuxz0zQHBKtLy9nHlbKRBOHjd hglNRpxxbK9v2cd/tsNHlrXC0gkpNOVVtSc8cogZgWgpBNulSIQcoa2y65lY6wGVCndE D9/+8OxSUehQY850Rgys377ao/vy/ke/iphMsW4w/UzZ5HxjvtSLSJeivpRQL08u1nEL QHXksAKE1fxFRg4DElVR6xcJDLk1hegl3Y3sCYrByFBkGsebBN5euNj3UiSciasuuvQj ryQe2DBcp95zJ7KTpb9OkZp2Cjf21HZKgtXpcM0KffnMWgtrDE2P2fYeK2b0HlDwUR1g xTJw== X-Gm-Message-State: APzg51D4NaBwexWGQC2hrgIzB7Xve9kRrClM7aZtm7qRJrfLaSYh2IKe i7XlE71r3hn2R3zlybi2kAs= X-Google-Smtp-Source: ANB0VdZjfgCWepsDFmxRrlGSNIrmHk2mqnf5qW3FvBootD1YAZ7AfjqbKItwcODZ1dhiWiSuMHRDlg== X-Received: by 2002:a63:4f64:: with SMTP id p36-v6mr3221721pgl.210.1535369484526; Mon, 27 Aug 2018 04:31:24 -0700 (PDT) Received: from cpu459.localdomain ([27.59.166.244]) by smtp.gmail.com with ESMTPSA id e202-v6sm23696375pfh.16.2018.08.27.04.31.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Aug 2018 04:31:23 -0700 (PDT) From: Siva Rebbagondla To: Kalle Valo Cc: linux-wireless@vger.kernel.org, Sasidhar Mudigonda , Siva Rebbagondla , Sanjay Konduri Subject: [PATCH 1/2] rsi: fix memory alignment issue in ARM32 platforms Date: Mon, 27 Aug 2018 17:05:14 +0530 Message-Id: <1535369715-14254-1-git-send-email-siva8118@gmail.com> X-Mailer: git-send-email 2.5.5 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Siva Rebbagondla During testing in ARM32 platforms, observed below kernel panic, as driver accessing data beyond the allocated memory while submitting URB to USB. Fix: Resolved this by specifying correct length by considering 64 bit alignment. so that, USB bus driver will access only allocated memory. Unit-test: Tested and confirm that driver bring up and scanning, connection and data transfer works fine with this fix. ...skipping... [ 25.389450] Unable to handle kernel paging request at virtual address 5aa11422 [ 25.403078] Internal error: Oops: 5 [#1] SMP ARM [ 25.407703] Modules linked in: rsi_usb [ 25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1 [ 25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 25.425764] PC is at skb_release_data+0x90/0x168 [ 25.430393] LR is at skb_release_all+0x28/0x2c [ 25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e [ 25.464633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval)) [ 25.483709] Stack: (0xedf69ed8 to 0xedf6a000) [ 25.569907] Backtrace: [ 25.572368] [<80743520>] (skb_release_data) from [<80742ba0>] (skb_release_all+0x28/0x2c) [ 25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0 r5:eddab000 r4:eddbb840 [ 25.588308] [<80742b78>] (skb_release_all) from [<807432cc>] (consume_skb+0x30/0x50) [ 25.596055] r5:eddab000 r4:eddbb840 [ 25.599648] [<8074329c>] (consume_skb) from [<7f00117c>] (rsi_usb_rx_thread+0x64/0x12c [rsi_usb]) [ 25.608524] r5:eddab000 r4:eddbb840 [ 25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from [<80142750>] (kthread+0x11c/0x15c) [ 25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000 r6:edd3a780 r5:00000000 [ 25.628567] r4:edcde380 [ 25.631110] [<80142634>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c) [ 25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8) [ 25.682929] ---[ end trace 8236a5496f5b5d3b ]--- Signed-off-by: Siva Rebbagondla --- drivers/net/wireless/rsi/rsi_91x_usb.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c index c0a163e..f360690 100644 --- a/drivers/net/wireless/rsi/rsi_91x_usb.c +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c @@ -266,15 +266,17 @@ static void rsi_rx_done_handler(struct urb *urb) if (urb->status) goto out; - if (urb->actual_length <= 0) { - rsi_dbg(INFO_ZONE, "%s: Zero length packet\n", __func__); + if (urb->actual_length <= 0 || + urb->actual_length > rx_cb->rx_skb->len) { + rsi_dbg(INFO_ZONE, "%s: Invalid packet length = %d\n", + __func__, urb->actual_length); goto out; } if (skb_queue_len(&dev->rx_q) >= RSI_MAX_RX_PKTS) { rsi_dbg(INFO_ZONE, "Max RX packets reached\n"); goto out; } - skb_put(rx_cb->rx_skb, urb->actual_length); + skb_trim(rx_cb->rx_skb, urb->actual_length); skb_queue_tail(&dev->rx_q, rx_cb->rx_skb); rsi_set_event(&dev->rx_thread.event); @@ -308,6 +310,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) if (!skb) return -ENOMEM; skb_reserve(skb, MAX_DWORD_ALIGN_BYTES); + skb_put(skb, RSI_MAX_RX_USB_PKT_SIZE - MAX_DWORD_ALIGN_BYTES); dword_align_bytes = (unsigned long)skb->data & 0x3f; if (dword_align_bytes > 0) skb_push(skb, dword_align_bytes); @@ -319,7 +322,7 @@ static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num) usb_rcvbulkpipe(dev->usbdev, dev->bulkin_endpoint_addr[ep_num - 1]), urb->transfer_buffer, - RSI_MAX_RX_USB_PKT_SIZE, + skb->len, rsi_rx_done_handler, rx_cb);