From patchwork Tue Dec 11 03:08:24 2018
X-Patchwork-Submitter: Zhi Chen
X-Patchwork-Id: 10722987
From: zhichen@codeaurora.org
To: ath10k@lists.infradead.org
Cc: Zhi Chen, linux-wireless@vger.kernel.org
Subject: [PATCH v1 1/2] ath10k: fix peer stats null pointer dereference
Date: Tue, 11 Dec 2018 11:08:24 +0800
Message-Id: <1544497705-21593-1-git-send-email-zhichen@codeaurora.org>

From: Zhi Chen

There was a race condition in SMP that an ath10k_peer was created but its
member sta was null. Following are procedures of ath10k_peer creation and
member sta access in peer statistics path.

    1. Peer creation:
        ath10k_peer_create()
            =>ath10k_wmi_peer_create()
            =>ath10k_wait_for_peer_created()
            ...

        # another kernel path, RX from firmware
        ath10k_htt_t2h_msg_handler()
            =>ath10k_peer_map_event()
                =>wake_up()
                # ar->peer_map[id] = peer //add peer to map

        #wake up original path from waiting
            ...
            # peer->sta = sta //sta assignment

    2. RX path of statistics
        ath10k_htt_t2h_msg_handler()
            =>ath10k_update_per_peer_tx_stats()
                =>ath10k_htt_fetch_peer_stats()
                # peer->sta //sta accessing

Any access of peer->sta after peer was added to peer_map but before sta was
assigned could cause a null pointer issue. And because these two steps are
asynchronous, no proper lock can protect them. So both peer and sta need to
be checked before access.

Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005

Signed-off-by: Zhi Chen
---
 drivers/net/wireless/ath/ath10k/debugfs_sta.c | 2 +-
 drivers/net/wireless/ath/ath10k/htt_rx.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c index 0f3fd65..4778a45 100644 --- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c +++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c @@ -71,7 +71,7 @@ void ath10k_sta_update_rx_tid_stats_ampdu(struct ath10k *ar, u16 peer_id, u8 tid spin_lock_bh(&ar->data_lock); peer = ath10k_peer_find_by_id(ar, peer_id); - if (!peer) + if (!peer || !peer->sta) goto out; arsta = (struct ath10k_sta *)peer->sta->drv_priv; diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index 984b045..a1552f0 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -2847,7 +2847,7 @@ static void ath10k_htt_fetch_peer_stats(struct ath10k *ar, rcu_read_lock(); spin_lock_bh(&ar->data_lock); peer = ath10k_peer_find_by_id(ar, peer_id); - if (!peer) { + if (!peer || !peer->sta) { ath10k_warn(ar, "Invalid peer id %d peer stats buffer\n", peer_id); goto out; 
@@ -2900,7 +2900,7 @@ static void ath10k_fetch_10_2_tx_stats(struct ath10k *ar, u8 *data) rcu_read_lock(); spin_lock_bh(&ar->data_lock); peer = ath10k_peer_find_by_id(ar, peer_id); - if (!peer) { + if (!peer || !peer->sta) { ath10k_warn(ar, "Invalid peer id %d in peer stats buffer\n", peer_id); goto out;
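
Review bot: In ath10k_sta_update_rx_tid_stats_ampdu() (debugfs_sta.c), the new !peer->sta test runs under ar->data_lock, but the diff does not show the writer side: the commit message places the peer->sta = sta assignment after the wake-up in ath10k_peer_create(), and if that store is not made under the same lock, the test and the following peer->sta->drv_priv dereference are two separate unsynchronized loads. Please confirm the assignment is made with ar->data_lock held, or read the pointer once into a local (READ_ONCE) and use that local for both the test and the dereference.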
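
Review bot: In both htt_rx.c hunks (ath10k_htt_fetch_peer_stats() and ath10k_fetch_10_2_tx_stats()), the widened condition sends the peer-exists-but-sta-is-NULL case through the existing ath10k_warn("Invalid peer id %d ...") branch, so a valid peer id is reported as invalid, and since the commit message describes this window as part of normal peer creation, the warning can fire during ordinary association. Consider handling !peer->sta separately with a quiet goto out (or a debug-level message saying the sta is not yet assigned) and keeping the warning for !peer only. The two warning strings also differ ("peer stats buffer" vs "in peer stats buffer"); worth aligning while these lines are being touched.
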
From patchwork Tue Dec 11 03:08:25 2018
X-Patchwork-Submitter: Zhi Chen
X-Patchwork-Id: 10722989
From: zhichen@codeaurora.org
To: ath10k@lists.infradead.org
Cc: Zhi Chen, linux-wireless@vger.kernel.org
Subject: [PATCH v1 2/2] ath10k: fix tx_stats memory leak
Date: Tue, 11 Dec 2018 11:08:25 +0800
Message-Id: <1544497705-21593-2-git-send-email-zhichen@codeaurora.org>
In-Reply-To: <1544497705-21593-1-git-send-email-zhichen@codeaurora.org>

From: Zhi Chen

Memory of tx_stats was allocated when a STA was added. But it's not freed
if the STA failed to be added to driver. This issue could be seen in MDK3
attack case when STA number reached the limit.

Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005

Signed-off-by: Zhi Chen
---
 drivers/net/wireless/ath/ath10k/mac.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index 1db2a30..001cf31 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -6293,15 +6293,6 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, ar->num_stations + 1, ar->max_num_stations, ar->num_peers + 1, ar->max_num_peers); - if (ath10k_debug_is_extd_tx_stats_enabled(ar)) { - arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats), - GFP_KERNEL); - if (!arsta->tx_stats) { - ret = -ENOMEM; - goto exit; - } - } - num_tdls_stations = ath10k_mac_tdls_vif_stations_count(hw, vif); num_tdls_vifs = ath10k_mac_tdls_vifs_count(hw); @@ -6323,12 +6314,22 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, goto exit; } + if (ath10k_debug_is_extd_tx_stats_enabled(ar)) { + arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats), + GFP_KERNEL); + if (!arsta->tx_stats) { + ret = -ENOMEM; + goto exit; + } + } + ret = ath10k_peer_create(ar, vif, sta, arvif->vdev_id, sta->addr, peer_type); if (ret) { ath10k_warn(ar, "failed to add peer %pM for vdev %d when adding a new sta: %i\n", sta->addr, arvif->vdev_id, ret); ath10k_mac_dec_num_stations(arvif, sta); + kfree(arsta->tx_stats); goto exit; } @@ -6341,6 +6342,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, spin_unlock_bh(&ar->data_lock); ath10k_peer_delete(ar, arvif->vdev_id, sta->addr); ath10k_mac_dec_num_stations(arvif, sta); + kfree(arsta->tx_stats); ret = -ENOENT; goto exit; } @@ -6361,6 +6363,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, ath10k_peer_delete(ar, arvif->vdev_id, sta->addr); ath10k_mac_dec_num_stations(arvif, sta); + kfree(arsta->tx_stats); goto exit; } @@ -6372,6 +6375,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, sta->addr, arvif->vdev_id, ret); ath10k_peer_delete(ar, arvif->vdev_id, sta->addr); ath10k_mac_dec_num_stations(arvif, sta); + kfree(arsta->tx_stats); if (num_tdls_stations != 0) goto exit;
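
Review bot: In the @@ -6323 hunk of ath10k_sta_state(), the relocated kzalloc() failure path sets ret = -ENOMEM and jumps to exit without calling ath10k_mac_dec_num_stations(), while the ath10k_peer_create() failure path directly below it does call it. If the station count has already been incremented by the time the allocation now runs (the increment is not visible in this hunk), an allocation failure leaves the count one too high, which feeds the same station-limit condition the commit message is concerned with. Add ath10k_mac_dec_num_stations(arvif, sta) before the goto exit in the !arsta->tx_stats branch.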
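
Review bot: The four added kfree(arsta->tx_stats) calls (the ath10k_peer_create() failure path and the three later error paths in ath10k_sta_state()) leave arsta->tx_stats pointing at freed memory, and they also run when ath10k_debug_is_extd_tx_stats_enabled() was false, which is only safe if the field is guaranteed to be NULL on entry. Set arsta->tx_stats = NULL after each free so that a later free or stats update on this sta cannot touch the stale pointer, and consider folding the repeated ath10k_peer_delete() / ath10k_mac_dec_num_stations() / kfree() sequence into shared unwind labels so that a future error path cannot miss one of the steps.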