From patchwork Thu May 17 13:09:28 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bob Copeland
X-Patchwork-Id: 10406791
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Bob Copeland
To: Johannes Berg
Cc: linux-wireless@vger.kernel.org, kernel-team@fb.com, Bob Copeland, Bob Copeland
Subject: [PATCH] mac80211: mesh: fix premature update of rc stats
Date: Thu, 17 May 2018 09:09:28 -0400
Message-Id: <20180517130928.5397-1-me@bobcopeland.com>
X-Mailer: git-send-email 2.9.0
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The mesh_neighbour_update() function, queued via beacon rx, can race
with userspace creating the same station. If the station already exists
by the time mesh_neighbour_update() is called, the function wrongly
assumes rate control has been initialized and calls
rate_control_rate_update(), which in turn calls into the driver.

Updating the rate control before it has been initialized can cause a
crash in some drivers, for example this firmware crash in ath10k due to
sta->rx_nss being 0:

[ 3078.088247] mesh0: Inserted STA 5c:e2:8c:f1:ab:ba
[ 3078.258407] ath10k_pci 0000:0d:00.0: firmware crashed!
(uuid d6ed5961-93cc-4d61-803f-5eda55bb8643)
[ 3078.258421] ath10k_pci 0000:0d:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
[ 3078.258426] ath10k_pci 0000:0d:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 0 testmode 0
[ 3078.258608] ath10k_pci 0000:0d:00.0: firmware ver 10.2.4.70.59-2 api 5 features no-p2p,raw-mode,mfp crc32 4159f498
[ 3078.258613] ath10k_pci 0000:0d:00.0: board_file api 1 bmi_id N/A crc32 bebc7c08
[ 3078.258617] ath10k_pci 0000:0d:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal otp max-sta 128 raw 0 hwcrypto 1
[ 3078.260627] ath10k_pci 0000:0d:00.0: firmware register dump:
[ 3078.284130] ath10k_pci
0000:0d:00.0: failed to to request monitor vdev 1 stop: -108 Fix this by checking whether the sta has already initialized rate control using the flag for that purpose. We can also drop the unnecessary insert parameter here. Signed-off-by: Bob Copeland --- net/mac80211/mesh_plink.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c index 0f6c9ca..5b5b0f9 100644 --- a/net/mac80211/mesh_plink.c +++ b/net/mac80211/mesh_plink.c @@ -401,7 +401,7 @@ u32 mesh_plink_deactivate(struct sta_info *sta) static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata, struct sta_info *sta, - struct ieee802_11_elems *elems, bool insert) + struct ieee802_11_elems *elems) { struct ieee80211_local *local = sdata->local; struct ieee80211_supported_band *sband; @@ -447,7 +447,7 @@ static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata, sta->sta.bandwidth = IEEE80211_STA_RX_BW_20; } - if (insert) + if (!test_sta_flag(sta, WLAN_STA_RATE_CONTROL)) rate_control_rate_init(sta); else rate_control_rate_update(local, sband, sta, changed); @@ -551,7 +551,7 @@ mesh_sta_info_get(struct ieee80211_sub_if_data *sdata, rcu_read_lock(); sta = sta_info_get(sdata, addr); if (sta) { - mesh_sta_info_init(sdata, sta, elems, false); + mesh_sta_info_init(sdata, sta, elems); } else { rcu_read_unlock(); /* can't run atomic */ @@ -561,7 +561,7 @@ mesh_sta_info_get(struct ieee80211_sub_if_data *sdata, return NULL; } - mesh_sta_info_init(sdata, sta, elems, true); + mesh_sta_info_init(sdata, sta, elems); if (sta_info_insert_rcu(sta)) return NULL;
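Review bot: the `test_sta_flag(sta, WLAN_STA_RATE_CONTROL)` check in the `@@ -447` hunk of mesh_sta_info_init() is a check-then-act, and nothing visible in the hunk serializes it against the userspace station-creation path that the commit message says this function races with. If that path sits between inserting the station and initializing rate control, both sides can see the flag clear and `rate_control_rate_init(sta)` runs twice. Please say in the commit message, or in a comment above the `if`, which lock covers the test and the init together, or use an atomic test-and-set on the flag if none does. A short comment explaining that the flag replaces the old `insert` argument because an already-inserted station may still lack rate control state would also help later readers.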
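Review bot: in the `@@ -551` hunk of mesh_sta_info_get(), the `if (sta)` branch runs after `rcu_read_lock()`, and with this change it can now reach `rate_control_rate_init()` where it previously could only reach `rate_control_rate_update()`. The `else` branch drops the lock with the comment `/* can't run atomic */` before it continues, so as far as these hunks show the init call used to happen only on that path. Please confirm that rate_control_rate_init() and the driver rate-init callback behind it are safe to call inside the RCU read-side section, and note that in the commit message.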