From patchwork Fri Nov 9 08:54:06 2018
X-Patchwork-Submitter: Karthikeyan periyasamy
X-Patchwork-Id: 10675535
From: Karthikeyan Periyasamy
To: ath10k@lists.infradead.org
Subject: [PATCH] ath10k: Fix kernel panic due to use after free
Date: Fri, 9 Nov 2018 14:24:06 +0530
Message-Id: <1541753646-11533-1-git-send-email-periyasa@codeaurora.org>
Cc: Karthikeyan Periyasamy, linux-wireless@vger.kernel.org

This issue arises in a race condition between ath10k_sta_state() and
ath10k_htt_fetch_peer_stats(), explained in the scenario below.

Steps:
1. In ath10k_sta_state(), arsta->tx_stats gets deallocated before peer
   deletion when the station moves from IEEE80211_STA_NONE to
   IEEE80211_STA_NOTEXIST state.
2. Meanwhile ath10k receives an HTT_T2H_MSG_TYPE_PEER_STATS message. In
   ath10k_htt_fetch_peer_stats(), arsta->tx_stats gets accessed after the
   peer validation check. Since arsta->tx_stats gets freed before the peer
   deletion [1], ath10k_htt_fetch_peer_stats() ends up in a "use after
   free" situation.

Fixed this issue by moving the arsta->tx_stats free handling after the
peer deletion, so that ath10k_htt_fetch_peer_stats() will not end up in a
"use after free" situation.

Kernel Panic:
Unable to handle kernel NULL pointer dereference at virtual address 00000286
pgd = d8754000
[00000286] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
...
CPU: 0 PID: 6245 Comm: hostapd Not tainted
task: dc44cac0 ti: d4a38000 task.ti: d4a38000
PC is at kmem_cache_alloc+0x7c/0x114
LR is at ath10k_sta_state+0x190/0xd58 [ath10k_core]
pc : []    lr : []    psr: 20000013
sp : d4a39b88  ip : 00000000  fp : 00000001
r10: 00000000  r9 : 1d3bc000  r8 : 00000dc0
r7 : 000080d0  r6 : d4a38000  r5 : dd401b00  r4 : 00000286
r3 : 00000000  r2 : d4a39ba0  r1 : 000080d0  r0 : dd401b00
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5787d  Table: 5a75406a  DAC: 00000015
Process hostapd (pid: 6245, stack limit = 0xd4a38238)
Stack: (0xd4a39b88 to 0xd4a3a000)
...
[] (kmem_cache_alloc) from [] (ath10k_sta_state+0x190/0xd58 [ath10k_core])
[] (ath10k_sta_state [ath10k_core]) from [] (sta_info_insert_rcu+0x418/0x61c [mac80211])
[] (sta_info_insert_rcu [mac80211]) from [] (ieee80211_add_station+0xf0/0x134 [mac80211])
[] (ieee80211_add_station [mac80211]) from [] (nl80211_new_station+0x330/0x36c [cfg80211])
[] (nl80211_new_station [cfg80211]) from [] (extack_doit+0x2c/0x74 [compat])
[] (extack_doit [compat]) from [] (genl_rcv_msg+0x274/0x30c)
[] (genl_rcv_msg) from [] (netlink_rcv_skb+0x58/0xac)
[] (netlink_rcv_skb) from [] (genl_rcv+0x20/0x34)
[] (genl_rcv) from [] (netlink_unicast+0x11c/0x204)
[] (netlink_unicast) from [] (netlink_sendmsg+0x30c/0x370)
[] (netlink_sendmsg) from [] (sock_sendmsg+0x70/0x84)
[] (sock_sendmsg) from [] (___sys_sendmsg.part.3+0x188/0x228)
[] (___sys_sendmsg.part.3) from [] (__sys_sendmsg+0x4c/0x70)
[] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x44)
Code: ebfffec1 e1a04000 ea00001b e5953014 (e7940003)
ath10k_pci 0000:01:00.0: SWBA overrun on vdev 0, skipped old beacon

Hardware tested: QCA9984
Firmware tested: 10.4-3.6.0.1-00004

Fixes: a904417fc ("ath10k: add extended per sta tx statistics support")
Signed-off-by: Karthikeyan Periyasamy
---
 drivers/net/wireless/ath/ath10k/mac.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c index c5130fa..fbf4ff0 100644 --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -6387,11 +6387,6 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, "mac vdev %d peer delete %pM sta %pK (sta gone)\n", arvif->vdev_id, sta->addr, sta); - if (ath10k_debug_is_extd_tx_stats_enabled(ar)) { - kfree(arsta->tx_stats); - arsta->tx_stats = NULL; - } - if (sta->tdls) { ret = ath10k_mac_tdls_peer_update(ar, arvif->vdev_id, sta, @@ -6431,6 +6426,11 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, } spin_unlock_bh(&ar->data_lock); + if (ath10k_debug_is_extd_tx_stats_enabled(ar)) { + kfree(arsta->tx_stats); + arsta->tx_stats = NULL; + } + for (i = 0; i < ARRAY_SIZE(sta->txq); i++) ath10k_mac_txq_unref(ar, sta->txq[i]);
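Review bot: the removal in the first hunk (the `- if (ath10k_debug_is_extd_tx_stats_enabled(ar))` block just before `if (sta->tdls)`) is only correct together with the re-addition in the second hunk, and between those two points the function now runs `ath10k_mac_tdls_peer_update(...)` and the peer deletion with arsta->tx_stats still allocated. The visible `ret = ...` assignments suggest error handling on that path; if the NONE->NOTEXIST branch has any early `return` or `goto` between the old location and the new one, arsta->tx_stats is now leaked on that exit, so please confirm from the full function that every exit from this branch reaches the moved free.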
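Review bot: the moved free in the second hunk sits right after `spin_unlock_bh(&ar->data_lock);`, so it executes outside data_lock; what makes it safe, per the commit message, is purely ordering: the peer has been deleted and its peer_map entry cleared under the lock just above, so ath10k_htt_fetch_peer_stats() can no longer pass peer validation and reach arsta->tx_stats. A one-line comment at the new location stating "must run after peer deletion / peer_map cleanup" would stop a future refactor from hoisting it back up. Separately, kfree(NULL) is a no-op, so the `ath10k_debug_is_extd_tx_stats_enabled(ar)` guard around the free only matters if that setting can be cleared between allocation and teardown, in which case it leaks; an unconditional `kfree(arsta->tx_stats); arsta->tx_stats = NULL;` is the simpler form that cannot leak regardless of the flag.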
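The ordering argument in the commit message, as an added example that is not code from the patch or from the ath10k driver: station teardown is modelled as a sequence of steps, and a reader standing in for ath10k_htt_fetch_peer_stats() is run after every prefix of that sequence, validating the peer first and touching the per-station stats only when the peer is found. The invariant checked is the one the fix relies on: whenever peer validation succeeds, the stats pointer must still be valid. Every identifier here (sta_model, model_*, STEP_*) is hypothetical, and the model encodes the commit message's reasoning, not the driver's real locking.

```c
/* Added example, not code from the ath10k patch or driver: a deterministic
 * model of the ordering argument in the commit message. Station teardown is
 * a sequence of steps; a reader standing in for ath10k_htt_fetch_peer_stats()
 * runs after every prefix of that sequence, validates the peer first and only
 * then touches the per-station stats. Invariant: whenever peer validation
 * succeeds, the stats pointer must still be valid. All identifiers
 * (sta_model, model_*, STEP_*) are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct tx_stats {
    unsigned long pkts_sent;
};

/* Just the two pieces of state the race involves. */
struct sta_model {
    bool peer_present;          /* peer still present in the peer map */
    struct tx_stats *tx_stats;  /* stands in for arsta->tx_stats */
};

enum teardown_step { STEP_FREE_STATS, STEP_DELETE_PEER, STEP_UNREF_TXQ };

/* One teardown step, mirroring the statements the patch reorders. */
static void model_apply(struct sta_model *s, enum teardown_step st)
{
    switch (st) {
    case STEP_FREE_STATS:
        free(s->tx_stats);        /* kfree(arsta->tx_stats); */
        s->tx_stats = NULL;       /* arsta->tx_stats = NULL; */
        break;
    case STEP_DELETE_PEER:
        s->peer_present = false;  /* peer delete + peer_map cleanup */
        break;
    case STEP_UNREF_TXQ:
        break;                    /* txq unref: does not touch tx_stats */
    }
}

/* Reader standing in for ath10k_htt_fetch_peer_stats().
 * Returns 0 if peer validation fails (message dropped), 1 if the stats
 * were updated, -1 if the peer was found but the stats pointer is already
 * gone, i.e. the access the commit message describes as use after free. */
static int model_fetch_peer_stats(struct sta_model *s)
{
    if (!s->peer_present)
        return 0;
    if (s->tx_stats == NULL)
        return -1;
    s->tx_stats->pkts_sent++;     /* the "access after peer validation" */
    return 1;
}

/* Run the reader after every prefix of `order` (including the empty one).
 * True iff the reader never reaches a freed/NULL stats pointer. */
static bool model_order_is_safe(const enum teardown_step *order, size_t n)
{
    struct sta_model s = { .peer_present = true,
                           .tx_stats = calloc(1, sizeof(struct tx_stats)) };
    bool safe = true;
    size_t i;

    if (s.tx_stats == NULL)
        return false;
    for (i = 0; i <= n; i++) {
        if (model_fetch_peer_stats(&s) < 0)
            safe = false;         /* reader raced into freed stats */
        if (i < n)
            model_apply(&s, order[i]);
    }
    free(s.tx_stats);             /* no-op if teardown already freed it */
    return safe;
}

/* The two orderings the patch compares: free before vs. after peer delete. */
static const enum teardown_step before_fix[] = {
    STEP_FREE_STATS, STEP_DELETE_PEER, STEP_UNREF_TXQ
};
static const enum teardown_step after_fix[] = {
    STEP_DELETE_PEER, STEP_FREE_STATS, STEP_UNREF_TXQ
};

static bool model_before_fix_is_safe(void)
{
    return model_order_is_safe(before_fix, 3);
}

static bool model_after_fix_is_safe(void)
{
    return model_order_is_safe(after_fix, 3);
}

int main(void)
{
    /* Exit 0 when the model agrees with the commit message. */
    return (!model_before_fix_is_safe() && model_after_fix_is_safe()) ? 0 : 1;
}
```

The pre-fix order fails at the prefix that has freed the stats but not yet deleted the peer: the reader's peer check passes and it reaches a NULL pointer. In the post-fix order no such prefix exists, because once the free has happened the peer is already gone and the reader bails out at validation, which is exactly the window the patch closes.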