| Message ID | 1521739394-15218-1-git-send-email-tamizhr@codeaurora.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Hi Tamizh,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on ath6kl/ath-next]
[also build test ERROR on v4.16-rc6 next-20180323]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Tamizh-chelvam/ath10k-fix-kernel-panic-while-reading-tpc_stats/20180325-093724
base: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git ath-next
config: i386-randconfig-h0-03251902 (attached as .config)
compiler: gcc-4.9 (Debian 4.9.4-2) 4.9.4
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
drivers/net/wireless/ath/ath10k/wmi.c: In function 'ath10k_wmi_event_pdev_tpc_config':
>> drivers/net/wireless/ath/ath10k/wmi.c:4465:14: error: 'struct ath10k' has no member named 'debug'
complete(&ar->debug.tpc_complete);
^
vim +4465 drivers/net/wireless/ath/ath10k/wmi.c
4315
4316 void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
4317 {
4318 u32 i, j, pream_idx, num_tx_chain;
4319 u8 rate_code[WMI_TPC_RATE_MAX], rate_idx;
4320 u16 pream_table[WMI_TPC_PREAM_TABLE_MAX];
4321 struct wmi_pdev_tpc_config_event *ev;
4322 struct ath10k_tpc_stats *tpc_stats;
4323
4324 ev = (struct wmi_pdev_tpc_config_event *)skb->data;
4325
4326 tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
4327 if (!tpc_stats)
4328 goto exit;
4329
4330 /* Create the rate code table based on the chains supported */
4331 rate_idx = 0;
4332 pream_idx = 0;
4333
4334 /* Fill CCK rate code */
4335 for (i = 0; i < 4; i++) {
4336 rate_code[rate_idx] =
4337 ATH10K_HW_RATECODE(i, 0, WMI_RATE_PREAMBLE_CCK);
4338 rate_idx++;
4339 }
4340 pream_table[pream_idx] = rate_idx;
4341 pream_idx++;
4342
4343 /* Fill OFDM rate code */
4344 for (i = 0; i < 8; i++) {
4345 rate_code[rate_idx] =
4346 ATH10K_HW_RATECODE(i, 0, WMI_RATE_PREAMBLE_OFDM);
4347 rate_idx++;
4348 }
4349 pream_table[pream_idx] = rate_idx;
4350 pream_idx++;
4351
4352 num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
4353
4354 if (num_tx_chain > WMI_TPC_TX_N_CHAIN) {
4355 ath10k_warn(ar, "number of tx chain is %d greater than TPC configured tx chain %d\n",
4356 num_tx_chain, WMI_TPC_TX_N_CHAIN);
4357 goto exit;
4358 }
4359
4360 /* Fill HT20 rate code */
4361 for (i = 0; i < num_tx_chain; i++) {
4362 for (j = 0; j < 8; j++) {
4363 rate_code[rate_idx] =
4364 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_HT);
4365 rate_idx++;
4366 }
4367 }
4368 pream_table[pream_idx] = rate_idx;
4369 pream_idx++;
4370
4371 /* Fill HT40 rate code */
4372 for (i = 0; i < num_tx_chain; i++) {
4373 for (j = 0; j < 8; j++) {
4374 rate_code[rate_idx] =
4375 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_HT);
4376 rate_idx++;
4377 }
4378 }
4379 pream_table[pream_idx] = rate_idx;
4380 pream_idx++;
4381
4382 /* Fill VHT20 rate code */
4383 for (i = 0; i < __le32_to_cpu(ev->num_tx_chain); i++) {
4384 for (j = 0; j < 10; j++) {
4385 rate_code[rate_idx] =
4386 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_VHT);
4387 rate_idx++;
4388 }
4389 }
4390 pream_table[pream_idx] = rate_idx;
4391 pream_idx++;
4392
4393 /* Fill VHT40 rate code */
4394 for (i = 0; i < num_tx_chain; i++) {
4395 for (j = 0; j < 10; j++) {
4396 rate_code[rate_idx] =
4397 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_VHT);
4398 rate_idx++;
4399 }
4400 }
4401 pream_table[pream_idx] = rate_idx;
4402 pream_idx++;
4403
4404 /* Fill VHT80 rate code */
4405 for (i = 0; i < num_tx_chain; i++) {
4406 for (j = 0; j < 10; j++) {
4407 rate_code[rate_idx] =
4408 ATH10K_HW_RATECODE(j, i, WMI_RATE_PREAMBLE_VHT);
4409 rate_idx++;
4410 }
4411 }
4412 pream_table[pream_idx] = rate_idx;
4413 pream_idx++;
4414
4415 rate_code[rate_idx++] =
4416 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_CCK);
4417 rate_code[rate_idx++] =
4418 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_OFDM);
4419 rate_code[rate_idx++] =
4420 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_CCK);
4421 rate_code[rate_idx++] =
4422 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_OFDM);
4423 rate_code[rate_idx++] =
4424 ATH10K_HW_RATECODE(0, 0, WMI_RATE_PREAMBLE_OFDM);
4425
4426 pream_table[pream_idx] = ATH10K_TPC_PREAM_TABLE_END;
4427
4428 tpc_stats->chan_freq = __le32_to_cpu(ev->chan_freq);
4429 tpc_stats->phy_mode = __le32_to_cpu(ev->phy_mode);
4430 tpc_stats->ctl = __le32_to_cpu(ev->ctl);
4431 tpc_stats->reg_domain = __le32_to_cpu(ev->reg_domain);
4432 tpc_stats->twice_antenna_gain = a_sle32_to_cpu(ev->twice_antenna_gain);
4433 tpc_stats->twice_antenna_reduction =
4434 __le32_to_cpu(ev->twice_antenna_reduction);
4435 tpc_stats->power_limit = __le32_to_cpu(ev->power_limit);
4436 tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power);
4437 tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
4438 tpc_stats->rate_max = __le32_to_cpu(ev->rate_max);
4439
4440 ath10k_tpc_config_disp_tables(ar, ev, tpc_stats,
4441 rate_code, pream_table,
4442 WMI_TPC_TABLE_TYPE_CDD);
4443 ath10k_tpc_config_disp_tables(ar, ev, tpc_stats,
4444 rate_code, pream_table,
4445 WMI_TPC_TABLE_TYPE_STBC);
4446 ath10k_tpc_config_disp_tables(ar, ev, tpc_stats,
4447 rate_code, pream_table,
4448 WMI_TPC_TABLE_TYPE_TXBF);
4449
4450 ath10k_debug_tpc_stats_process(ar, tpc_stats);
4451
4452 ath10k_dbg(ar, ATH10K_DBG_WMI,
4453 "wmi event tpc config channel %d mode %d ctl %d regd %d gain %d %d limit %d max_power %d tx_chanins %d rates %d\n",
4454 __le32_to_cpu(ev->chan_freq),
4455 __le32_to_cpu(ev->phy_mode),
4456 __le32_to_cpu(ev->ctl),
4457 __le32_to_cpu(ev->reg_domain),
4458 a_sle32_to_cpu(ev->twice_antenna_gain),
4459 __le32_to_cpu(ev->twice_antenna_reduction),
4460 __le32_to_cpu(ev->power_limit),
4461 __le32_to_cpu(ev->twice_max_rd_power) / 2,
4462 __le32_to_cpu(ev->num_tx_chain),
4463 __le32_to_cpu(ev->rate_max));
4464 exit:
> 4465 complete(&ar->debug.tpc_complete);
4466 }
4467
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c index 554cd78..8c41c81 100644 --- a/drivers/net/wireless/ath/ath10k/debug.c +++ b/drivers/net/wireless/ath/ath10k/debug.c @@ -1506,18 +1506,24 @@ static void ath10k_tpc_stats_print(struct ath10k_tpc_stats *tpc_stats, *len += scnprintf(buf + *len, buf_len - *len, "********************************\n"); *len += scnprintf(buf + *len, buf_len - *len, - "No. Preamble Rate_code tpc_value1 tpc_value2 tpc_value3\n"); + "No. Preamble Rate_code "); + + for (i = 0; i < WMI_TPC_TX_N_CHAIN; i++) + *len += scnprintf(buf + *len, buf_len - *len, + "tpc_value%d ", i); + + *len += scnprintf(buf + *len, buf_len - *len, "\n"); for (i = 0; i < tpc_stats->rate_max; i++) { *len += scnprintf(buf + *len, buf_len - *len, - "%8d %s 0x%2x %s\n", i, + "%8d %s 0x%2x %s", i, pream_str[tpc_stats->tpc_table[j].pream_idx[i]], tpc_stats->tpc_table[j].rate_code[i], tpc_stats->tpc_table[j].tpc_value[i]); } *len += scnprintf(buf + *len, buf_len - *len, - "***********************************\n"); + "\n***********************************\n"); } static void ath10k_tpc_stats_fill(struct ath10k *ar, diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c index 58dc218..ac9f6a5 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -4325,7 +4325,7 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); if (!tpc_stats) - return; + goto exit; /* Create the rate code table based on the chains supported */ rate_idx = 0; @@ -4351,6 +4351,12 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) num_tx_chain = __le32_to_cpu(ev->num_tx_chain); + if (num_tx_chain > WMI_TPC_TX_N_CHAIN) { + ath10k_warn(ar, "number of tx chain is %d greater than TPC configured tx chain %d\n", + num_tx_chain, WMI_TPC_TX_N_CHAIN); + goto exit; + } + /* Fill HT20 rate code */ for (i = 0; i < num_tx_chain; i++) { for (j = 0; j < 8; j++) { @@ -4455,6 +4461,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb) __le32_to_cpu(ev->twice_max_rd_power) / 2, __le32_to_cpu(ev->num_tx_chain), __le32_to_cpu(ev->rate_max)); +exit: + complete(&ar->debug.tpc_complete); } static void diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h index c7b30ed..5646ea0 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.h +++ b/drivers/net/wireless/ath/ath10k/wmi.h @@ -3992,8 +3992,8 @@ struct wmi_pdev_get_tpc_config_cmd { } __packed; #define WMI_TPC_CONFIG_PARAM 1 -#define WMI_TPC_RATE_MAX 160 #define WMI_TPC_TX_N_CHAIN 4 +#define WMI_TPC_RATE_MAX (WMI_TPC_TX_N_CHAIN * 65) #define WMI_TPC_PREAM_TABLE_MAX 10 #define WMI_TPC_FLAG 3 #define WMI_TPC_BUF_SIZE 10
When attempt to read tpc_stats for the chipsets which support more than 3 tx chain will trigger kernel panic(kernel stack is corrupted) due to writing values on rate_code array out of range. This patch changes the array size depends on the WMI_TPC_TX_N_CHAIN and added check to avoid write values on the array if the num tx chain get in tpc config event is greater than WMI_TPC_TX_N_CHAIN. Tested on QCA9984 with firmware-5.bin_10.4-3.5.3-00057 Kernel panic log : [ 323.510944] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: bf90c654 [ 323.510944] [ 323.524390] CPU: 0 PID: 1908 Comm: cat Not tainted 3.14.77 #31 [ 323.530224] [<c021db48>] (unwind_backtrace) from [<c021ac08>] (show_stack+0x10/0x14) [ 323.537941] [<c021ac08>] (show_stack) from [<c03c53c0>] (dump_stack+0x80/0xa0) [ 323.545146] [<c03c53c0>] (dump_stack) from [<c022e4ac>] (panic+0x84/0x1e4) [ 323.552000] [<c022e4ac>] (panic) from [<c022e61c>] (__stack_chk_fail+0x10/0x14) [ 323.559350] [<c022e61c>] (__stack_chk_fail) from [<bf90c654>] (ath10k_wmi_event_pdev_tpc_config+0x424/0x438 [ath10k_core]) [ 323.570471] [<bf90c654>] (ath10k_wmi_event_pdev_tpc_config [ath10k_core]) from [<bf90d800>] (ath10k_wmi_10_4_op_rx+0x2f0/0x39c [ath10k_core]) [ 323.583047] [<bf90d800>] (ath10k_wmi_10_4_op_rx [ath10k_core]) from [<bf8fcc18>] (ath10k_htc_rx_completion_handler+0x170/0x1a0 [ath10k_core]) [ 323.595702] [<bf8fcc18>] (ath10k_htc_rx_completion_handler [ath10k_core]) from [<bf961f44>] (ath10k_pci_hif_send_complete_check+0x1f0/0x220 [ath10k_pci]) [ 323.609421] [<bf961f44>] (ath10k_pci_hif_send_complete_check [ath10k_pci]) from [<bf96562c>] (ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci]) [ 323.622490] [<bf96562c>] (ath10k_ce_per_engine_service [ath10k_pci]) from [<bf9656f0>] (ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci]) [ 323.635423] [<bf9656f0>] (ath10k_ce_per_engine_service_any [ath10k_pci]) from [<bf96365c>] (ath10k_pci_napi_poll+0x44/0xe8 [ath10k_pci]) [ 323.647665] [<bf96365c>] (ath10k_pci_napi_poll [ath10k_pci]) from [<c0599994>] (net_rx_action+0xac/0x160) [ 323.657208] [<c0599994>] (net_rx_action) from [<c02324a4>] (__do_softirq+0x104/0x294) [ 323.665017] [<c02324a4>] (__do_softirq) from [<c0232920>] (irq_exit+0x9c/0x11c) [ 323.672314] [<c0232920>] (irq_exit) from [<c0217fc0>] (handle_IRQ+0x6c/0x90) [ 323.679341] [<c0217fc0>] (handle_IRQ) from [<c02084e0>] (gic_handle_irq+0x3c/0x60) [ 323.686893] [<c02084e0>] (gic_handle_irq) from [<c02095c0>] (__irq_svc+0x40/0x70) [ 323.694349] Exception stack(0xdd489c58 to 0xdd489ca0) [ 323.699384] 9c40: 00000000 a0000013 [ 323.707547] 9c60: 00000000 dc4bce40 60000013 ddc1d800 dd488000 00000990 00000000 c085c800 [ 323.715707] 9c80: 00000000 dd489d44 0000092d dd489ca0 c026e664 c026e668 60000013 ffffffff [ 323.723877] [<c02095c0>] (__irq_svc) from [<c026e668>] (rcu_note_context_switch+0x170/0x184) [ 323.732298] [<c026e668>] (rcu_note_context_switch) from [<c020e928>] (__schedule+0x50/0x4d4) [ 323.740716] [<c020e928>] (__schedule) from [<c020e490>] (schedule_timeout+0x148/0x178) [ 323.748611] [<c020e490>] (schedule_timeout) from [<c020f804>] (wait_for_common+0x114/0x154) [ 323.756972] [<c020f804>] (wait_for_common) from [<bf8f6ef0>] (ath10k_tpc_stats_open+0xc8/0x340 [ath10k_core]) [ 323.766873] [<bf8f6ef0>] (ath10k_tpc_stats_open [ath10k_core]) from [<c02bb598>] (do_dentry_open+0x1ac/0x274) [ 323.776741] [<c02bb598>] (do_dentry_open) from [<c02c838c>] (do_last+0x8c0/0xb08) [ 323.784201] [<c02c838c>] (do_last) from [<c02c87e4>] (path_openat+0x210/0x598) [ 323.791408] [<c02c87e4>] (path_openat) from [<c02c9d1c>] (do_filp_open+0x2c/0x78) [ 323.798873] [<c02c9d1c>] (do_filp_open) from [<c02bc85c>] (do_sys_open+0x114/0x1b4) [ 323.806509] [<c02bc85c>] (do_sys_open) from [<c0208c80>] (ret_fast_syscall+0x0/0x44) [ 323.814241] CPU1: stopping [ 323.816927] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.77 #31 [ 323.823008] [<c021db48>] (unwind_backtrace) from [<c021ac08>] (show_stack+0x10/0x14) [ 323.830731] [<c021ac08>] (show_stack) from [<c03c53c0>] (dump_stack+0x80/0xa0) [ 323.837934] [<c03c53c0>] (dump_stack) from [<c021cfac>] (handle_IPI+0xb8/0x140) [ 323.845224] [<c021cfac>] (handle_IPI) from [<c02084fc>] (gic_handle_irq+0x58/0x60) [ 323.852774] [<c02084fc>] (gic_handle_irq) from [<c02095c0>] (__irq_svc+0x40/0x70) [ 323.860233] Exception stack(0xdd499fa0 to 0xdd499fe8) [ 323.865273] 9fa0: ffffffed 00000000 1d3c9000 00000000 dd498000 dd498030 10c0387d c08b62c8 [ 323.873432] 9fc0: 4220406a 512f04d0 00000000 00000000 00000001 dd499fe8 c021838c c0218390 [ 323.881588] 9fe0: 60000013 ffffffff [ 323.885070] [<c02095c0>] (__irq_svc) from [<c0218390>] (arch_cpu_idle+0x30/0x50) [ 323.892454] [<c0218390>] (arch_cpu_idle) from [<c026500c>] (cpu_startup_entry+0xa4/0x108) [ 323.900690] [<c026500c>] (cpu_startup_entry) from [<422085a4>] (0x422085a4) Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org> --- drivers/net/wireless/ath/ath10k/debug.c | 12 +++++++++--- drivers/net/wireless/ath/ath10k/wmi.c | 10 +++++++++- drivers/net/wireless/ath/ath10k/wmi.h | 2 +- 3 files changed, 19 insertions(+), 5 deletions(-)