Message ID | 7bb006bb88e280c596d0e86ece7d251a21b8ed1f.1653168225.git.paskripkin@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Toke Høiland-Jørgensen |
Headers | show |
Series | [v5,1/2] ath9k: fix use-after-free in ath9k_hif_usb_rx_cb | expand |
Hi Pavel, Thank you for the patch! Yet something to improve: [auto build test ERROR on wireless-next/main] [also build test ERROR on next-20220520] [cannot apply to wireless/main linus/master v5.18-rc7] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/intel-lab-lkp/linux/commits/Pavel-Skripkin/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb/20220522-053020 base: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20220522/202205220831.I9Nd8bqU-lkp@intel.com/config) compiler: alpha-linux-gcc (GCC) 11.3.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/712472af928db8726d53f2c63ea05430e57f4727 git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Pavel-Skripkin/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb/20220522-053020 git checkout 712472af928db8726d53f2c63ea05430e57f4727 # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.3.0 make.cross W=1 O=build_dir ARCH=alpha SHELL=/bin/bash If you fix the issue, kindly add following tag where applicable Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): In file included from drivers/net/wireless/ath/ath9k/hif_usb.c:18: drivers/net/wireless/ath/ath9k/hif_usb.c: In function '__hif_usb_tx': >> drivers/net/wireless/ath/ath9k/hif_usb.c:372:29: error: 'hiv_dev' undeclared (first use in this function); did you mean 'hif_dev'? 372 | TX_STAT_INC(hiv_dev, buf_queued); | ^~~~~~~ drivers/net/wireless/ath/ath9k/htc.h:330:43: note: in definition of macro '__STAT_SAFE' 330 | #define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) | ^~~~~~~ drivers/net/wireless/ath/ath9k/hif_usb.c:372:17: note: in expansion of macro 'TX_STAT_INC' 372 | TX_STAT_INC(hiv_dev, buf_queued); | ^~~~~~~~~~~ drivers/net/wireless/ath/ath9k/hif_usb.c:372:29: note: each undeclared identifier is reported only once for each function it appears in 372 | TX_STAT_INC(hiv_dev, buf_queued); | ^~~~~~~ drivers/net/wireless/ath/ath9k/htc.h:330:43: note: in definition of macro '__STAT_SAFE' 330 | #define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) | ^~~~~~~ drivers/net/wireless/ath/ath9k/hif_usb.c:372:17: note: in expansion of macro 'TX_STAT_INC' 372 | TX_STAT_INC(hiv_dev, buf_queued); | ^~~~~~~~~~~ vim +372 drivers/net/wireless/ath/ath9k/hif_usb.c 308 309 /* TX lock has to be taken */ 310 static int __hif_usb_tx(struct hif_device_usb *hif_dev) 311 { 312 struct tx_buf *tx_buf = NULL; 313 struct sk_buff *nskb = NULL; 314 int ret = 0, i; 315 u16 tx_skb_cnt = 0; 316 u8 *buf; 317 __le16 *hdr; 318 319 if (hif_dev->tx.tx_skb_cnt == 0) 320 return 0; 321 322 /* Check if a free TX buffer is available */ 323 if (list_empty(&hif_dev->tx.tx_buf)) 324 return 0; 325 326 tx_buf = list_first_entry(&hif_dev->tx.tx_buf, struct tx_buf, list); 327 list_move_tail(&tx_buf->list, &hif_dev->tx.tx_pending); 328 hif_dev->tx.tx_buf_cnt--; 329 330 tx_skb_cnt = min_t(u16, hif_dev->tx.tx_skb_cnt, MAX_TX_AGGR_NUM); 331 332 for (i = 0; i < tx_skb_cnt; i++) { 333 nskb = __skb_dequeue(&hif_dev->tx.tx_skb_queue); 334 335 /* Should never be NULL */ 336 BUG_ON(!nskb); 337 338 hif_dev->tx.tx_skb_cnt--; 339 340 buf = tx_buf->buf; 341 buf += tx_buf->offset; 342 hdr = (__le16 *)buf; 343 *hdr++ = cpu_to_le16(nskb->len); 344 *hdr++ = cpu_to_le16(ATH_USB_TX_STREAM_MODE_TAG); 345 buf += 4; 346 memcpy(buf, nskb->data, nskb->len); 347 tx_buf->len = nskb->len + 4; 348 349 if (i < (tx_skb_cnt - 1)) 350 tx_buf->offset += (((tx_buf->len - 1) / 4) + 1) * 4; 351 352 if (i == (tx_skb_cnt - 1)) 353 tx_buf->len += tx_buf->offset; 354 355 __skb_queue_tail(&tx_buf->skb_queue, nskb); 356 TX_STAT_INC(hif_dev, skb_queued); 357 } 358 359 usb_fill_bulk_urb(tx_buf->urb, hif_dev->udev, 360 usb_sndbulkpipe(hif_dev->udev, USB_WLAN_TX_PIPE), 361 tx_buf->buf, tx_buf->len, 362 hif_usb_tx_cb, tx_buf); 363 364 ret = usb_submit_urb(tx_buf->urb, GFP_ATOMIC); 365 if (ret) { 366 tx_buf->len = tx_buf->offset = 0; 367 ath9k_skb_queue_complete(hif_dev, &tx_buf->skb_queue, false); 368 __skb_queue_head_init(&tx_buf->skb_queue); 369 list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); 370 hif_dev->tx.tx_buf_cnt++; 371 } else { > 372 TX_STAT_INC(hiv_dev, buf_queued); 373 } 374 375 return ret; 376 } 377
Hi Pavel, Thank you for the patch! Yet something to improve: [auto build test ERROR on wireless-next/main] [also build test ERROR on next-20220520] [cannot apply to wireless/main linus/master v5.18-rc7] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/intel-lab-lkp/linux/commits/Pavel-Skripkin/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb/20220522-053020 base: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main config: arm64-allmodconfig (https://download.01.org/0day-ci/archive/20220522/202205221713.VsmyJA1I-lkp@intel.com/config) compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project 1443dbaba6f0e57be066995db9164f89fb57b413) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # install arm64 cross compiling tool for clang build # apt-get install binutils-aarch64-linux-gnu # https://github.com/intel-lab-lkp/linux/commit/712472af928db8726d53f2c63ea05430e57f4727 git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review Pavel-Skripkin/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb/20220522-053020 git checkout 712472af928db8726d53f2c63ea05430e57f4727 # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm64 SHELL=/bin/bash drivers/net/wireless/ath/ath9k/ If you fix the issue, kindly add following tag where applicable Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): >> drivers/net/wireless/ath/ath9k/hif_usb.c:372:15: error: use of undeclared identifier 'hiv_dev'; did you mean 'hif_dev'? TX_STAT_INC(hiv_dev, buf_queued); ^~~~~~~ hif_dev drivers/net/wireless/ath/ath9k/htc.h:335:16: note: expanded from macro 'TX_STAT_INC' __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c++) ^ drivers/net/wireless/ath/ath9k/htc.h:330:38: note: expanded from macro '__STAT_SAFE' #define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) ^ drivers/net/wireless/ath/ath9k/hif_usb.c:310:48: note: 'hif_dev' declared here static int __hif_usb_tx(struct hif_device_usb *hif_dev) ^ >> drivers/net/wireless/ath/ath9k/hif_usb.c:372:15: error: use of undeclared identifier 'hiv_dev'; did you mean 'hif_dev'? TX_STAT_INC(hiv_dev, buf_queued); ^~~~~~~ hif_dev drivers/net/wireless/ath/ath9k/htc.h:335:27: note: expanded from macro 'TX_STAT_INC' __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c++) ^ drivers/net/wireless/ath/ath9k/htc.h:330:72: note: expanded from macro '__STAT_SAFE' #define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) ^ drivers/net/wireless/ath/ath9k/hif_usb.c:310:48: note: 'hif_dev' declared here static int __hif_usb_tx(struct hif_device_usb *hif_dev) ^ 2 errors generated. vim +372 drivers/net/wireless/ath/ath9k/hif_usb.c 308 309 /* TX lock has to be taken */ 310 static int __hif_usb_tx(struct hif_device_usb *hif_dev) 311 { 312 struct tx_buf *tx_buf = NULL; 313 struct sk_buff *nskb = NULL; 314 int ret = 0, i; 315 u16 tx_skb_cnt = 0; 316 u8 *buf; 317 __le16 *hdr; 318 319 if (hif_dev->tx.tx_skb_cnt == 0) 320 return 0; 321 322 /* Check if a free TX buffer is available */ 323 if (list_empty(&hif_dev->tx.tx_buf)) 324 return 0; 325 326 tx_buf = list_first_entry(&hif_dev->tx.tx_buf, struct tx_buf, list); 327 list_move_tail(&tx_buf->list, &hif_dev->tx.tx_pending); 328 hif_dev->tx.tx_buf_cnt--; 329 330 tx_skb_cnt = min_t(u16, hif_dev->tx.tx_skb_cnt, MAX_TX_AGGR_NUM); 331 332 for (i = 0; i < tx_skb_cnt; i++) { 333 nskb = __skb_dequeue(&hif_dev->tx.tx_skb_queue); 334 335 /* Should never be NULL */ 336 BUG_ON(!nskb); 337 338 hif_dev->tx.tx_skb_cnt--; 339 340 buf = tx_buf->buf; 341 buf += tx_buf->offset; 342 hdr = (__le16 *)buf; 343 *hdr++ = cpu_to_le16(nskb->len); 344 *hdr++ = cpu_to_le16(ATH_USB_TX_STREAM_MODE_TAG); 345 buf += 4; 346 memcpy(buf, nskb->data, nskb->len); 347 tx_buf->len = nskb->len + 4; 348 349 if (i < (tx_skb_cnt - 1)) 350 tx_buf->offset += (((tx_buf->len - 1) / 4) + 1) * 4; 351 352 if (i == (tx_skb_cnt - 1)) 353 tx_buf->len += tx_buf->offset; 354 355 __skb_queue_tail(&tx_buf->skb_queue, nskb); 356 TX_STAT_INC(hif_dev, skb_queued); 357 } 358 359 usb_fill_bulk_urb(tx_buf->urb, hif_dev->udev, 360 usb_sndbulkpipe(hif_dev->udev, USB_WLAN_TX_PIPE), 361 tx_buf->buf, tx_buf->len, 362 hif_usb_tx_cb, tx_buf); 363 364 ret = usb_submit_urb(tx_buf->urb, GFP_ATOMIC); 365 if (ret) { 366 tx_buf->len = tx_buf->offset = 0; 367 ath9k_skb_queue_complete(hif_dev, &tx_buf->skb_queue, false); 368 __skb_queue_head_init(&tx_buf->skb_queue); 369 list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); 370 hif_dev->tx.tx_buf_cnt++; 371 } else { > 372 TX_STAT_INC(hiv_dev, buf_queued); 373 } 374 375 return ret; 376 } 377
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 518deb5098a2..7f220a245985 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -244,11 +244,11 @@ static inline void ath9k_skb_queue_complete(struct hif_device_usb *hif_dev, ath9k_htc_txcompletion_cb(hif_dev->htc_handle, skb, txok); if (txok) { - TX_STAT_INC(skb_success); - TX_STAT_ADD(skb_success_bytes, ln); + TX_STAT_INC(hif_dev, skb_success); + TX_STAT_ADD(hif_dev, skb_success_bytes, ln); } else - TX_STAT_INC(skb_failed); + TX_STAT_INC(hif_dev, skb_failed); } } @@ -302,7 +302,7 @@ static void hif_usb_tx_cb(struct urb *urb) hif_dev->tx.tx_buf_cnt++; if (!(hif_dev->tx.flags & HIF_USB_TX_STOP)) __hif_usb_tx(hif_dev); /* Check for pending SKBs */ - TX_STAT_INC(buf_completed); + TX_STAT_INC(hif_dev, buf_completed); spin_unlock(&hif_dev->tx.tx_lock); } @@ -353,7 +353,7 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) tx_buf->len += tx_buf->offset; __skb_queue_tail(&tx_buf->skb_queue, nskb); - TX_STAT_INC(skb_queued); + TX_STAT_INC(hif_dev, skb_queued); } usb_fill_bulk_urb(tx_buf->urb, hif_dev->udev, @@ -369,7 +369,7 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); hif_dev->tx.tx_buf_cnt++; } else { - TX_STAT_INC(buf_queued); + TX_STAT_INC(hiv_dev, buf_queued); } return ret; @@ -514,7 +514,7 @@ static void hif_usb_sta_drain(void *hif_handle, u8 idx) ath9k_htc_txcompletion_cb(hif_dev->htc_handle, skb, false); hif_dev->tx.tx_skb_cnt--; - TX_STAT_INC(skb_failed); + TX_STAT_INC(hif_dev, skb_failed); } } @@ -585,14 +585,14 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, pkt_tag = get_unaligned_le16(ptr + index + 2); if (pkt_tag != ATH_USB_RX_STREAM_MODE_TAG) { - RX_STAT_INC(skb_dropped); + RX_STAT_INC(hif_dev, skb_dropped); return; } if (pkt_len > 2 * MAX_RX_BUF_SIZE) { dev_err(&hif_dev->udev->dev, "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); - RX_STAT_INC(skb_dropped); + RX_STAT_INC(hif_dev, skb_dropped); return; } @@ -618,7 +618,7 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, goto err; } skb_reserve(nskb, 32); - RX_STAT_INC(skb_allocated); + RX_STAT_INC(hif_dev, skb_allocated); memcpy(nskb->data, &(skb->data[chk_idx+4]), hif_dev->rx_transfer_len); @@ -639,7 +639,7 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, goto err; } skb_reserve(nskb, 32); - RX_STAT_INC(skb_allocated); + RX_STAT_INC(hif_dev, skb_allocated); memcpy(nskb->data, &(skb->data[chk_idx+4]), pkt_len); skb_put(nskb, pkt_len); @@ -649,10 +649,10 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, err: for (i = 0; i < pool_index; i++) { - RX_STAT_ADD(skb_completed_bytes, skb_pool[i]->len); + RX_STAT_ADD(hif_dev, skb_completed_bytes, skb_pool[i]->len); ath9k_htc_rx_msg(hif_dev->htc_handle, skb_pool[i], skb_pool[i]->len, USB_WLAN_RX_PIPE); - RX_STAT_INC(skb_completed); + RX_STAT_INC(hif_dev, skb_completed); } } diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h index e3d546ef71dd..30f0765fb9fd 100644 --- a/drivers/net/wireless/ath/ath9k/htc.h +++ b/drivers/net/wireless/ath/ath9k/htc.h @@ -327,14 +327,18 @@ static inline struct ath9k_htc_tx_ctl *HTC_SKB_CB(struct sk_buff *skb) } #ifdef CONFIG_ATH9K_HTC_DEBUGFS -#define __STAT_SAFE(expr) (hif_dev->htc_handle->drv_priv ? (expr) : 0) -#define TX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) -#define TX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) -#define RX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) -#define RX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) -#define CAB_STAT_INC priv->debug.tx_stats.cab_queued++ - -#define TX_QSTAT_INC(q) (priv->debug.tx_stats.queue_stats[q]++) +#define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) +#define CAB_STAT_INC(priv) ((priv)->debug.tx_stats.cab_queued++) +#define TX_QSTAT_INC(priv, q) ((priv)->debug.tx_stats.queue_stats[q]++) + +#define TX_STAT_INC(hif_dev, c) \ + __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c++) +#define TX_STAT_ADD(hif_dev, c, a) \ + __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c += a) +#define RX_STAT_INC(hif_dev, c) \ + __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.skbrx_stats.c++) +#define RX_STAT_ADD(hif_dev, c, a) \ + __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.skbrx_stats.c += a) void ath9k_htc_err_stat_rx(struct ath9k_htc_priv *priv, struct ath_rx_status *rs); @@ -374,13 +378,13 @@ void ath9k_htc_get_et_stats(struct ieee80211_hw *hw, struct ethtool_stats *stats, u64 *data); #else -#define TX_STAT_INC(c) do { } while (0) -#define TX_STAT_ADD(c, a) do { } while (0) -#define RX_STAT_INC(c) do { } while (0) -#define RX_STAT_ADD(c, a) do { } while (0) -#define CAB_STAT_INC do { } while (0) +#define TX_STAT_INC(hif_dev, c) +#define TX_STAT_ADD(hif_dev, c, a) +#define RX_STAT_INC(hif_dev, c) +#define RX_STAT_ADD(hif_dev, c, a) -#define TX_QSTAT_INC(c) do { } while (0) +#define CAB_STAT_INC(priv) +#define TX_QSTAT_INC(priv, c) static inline void ath9k_htc_err_stat_rx(struct ath9k_htc_priv *priv, struct ath_rx_status *rs) diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c index a23eaca0326d..672789e3c55d 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c @@ -106,20 +106,20 @@ static inline enum htc_endpoint_id get_htc_epid(struct ath9k_htc_priv *priv, switch (qnum) { case 0: - TX_QSTAT_INC(IEEE80211_AC_VO); + TX_QSTAT_INC(priv, IEEE80211_AC_VO); epid = priv->data_vo_ep; break; case 1: - TX_QSTAT_INC(IEEE80211_AC_VI); + TX_QSTAT_INC(priv, IEEE80211_AC_VI); epid = priv->data_vi_ep; break; case 2: - TX_QSTAT_INC(IEEE80211_AC_BE); + TX_QSTAT_INC(priv, IEEE80211_AC_BE); epid = priv->data_be_ep; break; case 3: default: - TX_QSTAT_INC(IEEE80211_AC_BK); + TX_QSTAT_INC(priv, IEEE80211_AC_BK); epid = priv->data_bk_ep; break; } @@ -328,7 +328,7 @@ static void ath9k_htc_tx_data(struct ath9k_htc_priv *priv, memcpy(tx_fhdr, (u8 *) &tx_hdr, sizeof(tx_hdr)); if (is_cab) { - CAB_STAT_INC; + CAB_STAT_INC(priv); tx_ctl->epid = priv->cab_ep; return; }
I've changed *STAT_* macros a bit in previous patch and I seems like they become really unreadable. Align these macros definitions to make code cleaner and fix folllowing checkpatch warning ERROR: Macros with complex values should be enclosed in parentheses Also, statistics macros now accept an hif_dev as argument, since macros that depend on having a local variable with a magic name don't abide by the coding style. No functional change Suggested-by: Jeff Johnson <quic_jjohnson@quicinc.com> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- Changes since v4: - Rebased on top of ath-next branch Changes since v3: - Added additional clean up related to relying on magical name from outside of the macro Changes since v2: - My send-email script forgot, that mailing lists exist. Added back all related lists - Fixed checkpatch warning Changes since v1: - Added this patch --- drivers/net/wireless/ath/ath9k/hif_usb.c | 26 +++++++-------- drivers/net/wireless/ath/ath9k/htc.h | 32 +++++++++++-------- drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 +++--- 3 files changed, 36 insertions(+), 32 deletions(-)