[linuxwifi] net: wireless: intel: iwlwifi: dvm: fix tid mask

Commit Message

Emmanuel Grumbach June 8, 2017, 6:31 a.m. UTC

Hi,

> Subject: [linuxwifi] [PATCH] net: wireless: intel: iwlwifi: dvm: fix tid mask

> 

> Currently the tid mask covers the first 4 bits of iwlagn_tx_resp::ra_tid,

> which gives 16 possible values for tid.

> This is problematic because IWL_MAX_TID_COUNT is 8, so indexing

> iwl_priv::tid_data can go very wrong.


True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
that we don't index tid_data with this. Hence I think the proper fix is:



Clearly calling iwlagn_check_ratid_empty with tid = IWL_TID_NON_QOS is a bad idea.

> 

> With UBSAN I can it happening while establishing the first connection

> after module load.

> 

> [  272.143440] UBSAN: Undefined behaviour in

> drivers/net/wireless/intel/iwlwifi/dvm/tx.c:777:32

> [  272.143447] index 8 is out of range for type 'iwl_tid_data [8]'

> [  272.143457] CPU: 0 PID: 4605 Comm: irq/32-iwlwifi Not tainted 4.12.0-dirty

> #2

> [  272.143460] Hardware name: Hewlett-Packard HP EliteBook 2560p/162B,

> BIOS 68SSU Ver. F.02 07/26/2011

> [  272.143462] Call Trace:

> [  272.143472]  dump_stack+0x9c/0x10b

> [  272.143477]  ? _atomic_dec_and_lock+0x285/0x285

> [  272.143486]  ubsan_epilogue+0xd/0x4e

> [  272.143493]  __ubsan_handle_out_of_bounds+0xef/0x118

> [  272.143498]  ? __ubsan_handle_shift_out_of_bounds+0x221/0x221

> [  272.143519]  ? iwl_trans_pcie_reclaim+0x153/0xc90 [iwlwifi]

> [  272.143539]  iwlagn_check_ratid_empty+0x337/0x410 [iwldvm]

> [  272.143556]  ? iwl_hcmd_names_cmp+0x2f/0x60 [iwlwifi]

> [  272.143571]  iwlagn_rx_reply_tx+0x8a4/0x1820 [iwldvm]

> 

> Signed-off-by: Seraphime Kirkovski <kirkseraph@gmail.com>

> ---

>    I'm currently running this patch on my machines and I have wifi.

>    The patch presumes а cleanup patch, I sent yesterday:

>       https://www.spinics.net/lists/kernel/msg2526314.html

> 

>  drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 2 +-

>  1 file changed, 1 insertion(+), 1 deletion(-)

> 

> diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h

> b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h

> index 37d2ba5ae852..e5994df9ea4c 100644

> --- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h

> +++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h

> @@ -1448,7 +1448,7 @@ struct agg_tx_status {

>   */

>  /* refer to ra_tid */

>  #define IWLAGN_TX_RES_TID_POS	0

> -#define IWLAGN_TX_RES_TID_MSK	0x0f

> +#define IWLAGN_TX_RES_TID_MSK	0x07

>  #define IWLAGN_TX_RES_RA_POS	4

>  #define IWLAGN_TX_RES_RA_MSK	0xf0

> 

> --

> 2.11.0

> 

> -------------------------------------

> linuxwifi@eclists.intel.com

> https://eclists.intel.com/sympa/info/linuxwifi

> Unsubscribe by sending email to sympa@eclists.intel.com with subject

> "Unsubscribe linuxwifi"

Comments

Seraphime Kirkovski June 8, 2017, 7:49 a.m. UTC | #1

On Thu, Jun 08, 2017 at 06:31:01AM +0000, Grumbach, Emmanuel wrote:
> Hi,

Hi,

> True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
> that we don't index tid_data with this. Hence I think the proper fix is:
> 
> diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> index 06ac3f1..16a8646 100644
> --- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> +++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> @@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb)
>                                 next_reclaimed;
>                         IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
>                                                   next_reclaimed);
> +                       iwlagn_check_ratid_empty(priv, sta_id, tid);
>                 }
> 
>                 iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
> 
> -               iwlagn_check_ratid_empty(priv, sta_id, tid);
>                 freed = 0;
> 
>                 /* process frames */

I can confirm it works. You can add my Tested-By.

Thanks,
Seraph

Emmanuel Grumbach June 8, 2017, 8:31 a.m. UTC | #2

> 
> On Thu, Jun 08, 2017 at 06:31:01AM +0000, Grumbach, Emmanuel wrote:
> > Hi,
> 
> Hi,
> 
> > True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
> > that we don't index tid_data with this. Hence I think the proper fix is:
> >
> > diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > index 06ac3f1..16a8646 100644
> > --- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > +++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > @@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv,
> struct iwl_rx_cmd_buffer *rxb)
> >                                 next_reclaimed;
> >                         IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
> >                                                   next_reclaimed);
> > +                       iwlagn_check_ratid_empty(priv, sta_id, tid);
> >                 }
> >
> >                 iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
> >
> > -               iwlagn_check_ratid_empty(priv, sta_id, tid);
> >                 freed = 0;
> >
> >                 /* process frames */
> 
> I can confirm it works. You can add my Tested-By.

Patch in review in our internal tree. It'll be upstreamed through the regular process.
Thanks for your report and debug work.

Patch

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
index 06ac3f1..16a8646 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
@@ -1190,11 +1190,11 @@  void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb)
                                next_reclaimed;
                        IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
                                                  next_reclaimed);
+                       iwlagn_check_ratid_empty(priv, sta_id, tid);
                }

                iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);

-               iwlagn_check_ratid_empty(priv, sta_id, tid);
                freed = 0;

                /* process frames */