From patchwork Tue Apr 10 07:39:53 2018
X-Patchwork-Submitter: Zhi Chen
X-Patchwork-Id: 10332451
From: zhichen@codeaurora.org
To: ath10k@lists.infradead.org
Subject: [PATCH] ath10k: fixed scan crash
Date: Tue, 10 Apr 2018 15:39:53 +0800
Message-Id: <1523345994-28800-1-git-send-email-zhichen@codeaurora.org>
Cc: Zhi Chen, kvalo@qca.qualcomm.com, linux-wireless@vger.kernel.org

From: Zhi Chen

Length of WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So WMI message corrupted
skb_info, which is at the end of skb->data. This fix takes TLV header
into account even if the element is zero-length.

Crash log:
[49.629986] Unhandled kernel unaligned access[#1]:
[49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
[49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
[49.646608] $ 0 : 00000000 00000001 80984a80 00000000
[49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70
[49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320
[49.662898] $12 : 33322037 000110f2 00000000 31203930
[49.668327] $16 : 82792b40 80984a80 00000001 804207fc
[49.673757] $20 : 00000000 0000012c 00000040 80470000
[49.679186] $24 : 00000000 8024af7c
[49.684617] $28 : 8329c000 8329db88 00000001 802c58d0
[49.690046] Hi : 00000000
[49.693022] Lo : 453c0000
[49.696013] epc : 800efae4 put_page+0x0/0x58
[49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4
[49.706184] Status: 1000fc03 KERNEL EXL IE
[49.710531] Cause : 00800010 (ExcCode 04)
[49.714669] BadVA : 45259e89
[49.717644] PrId : 00019374 (MIPS 24Kc)

Signed-off-by: Zhi Chen
---
 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c index ae77a00..25efbb5 100644 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c 
@@ -1515,10 +1515,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct ath10k *ar, bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr); ie_len = roundup(arg->ie_len, 4); len = (sizeof(*tlv) + sizeof(*cmd)) + - (arg->n_channels ? sizeof(*tlv) + chan_len : 0) + - (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) + - (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) + - (arg->ie_len ? sizeof(*tlv) + ie_len : 0); + sizeof(*tlv) + chan_len + + sizeof(*tlv) + ssid_len + + sizeof(*tlv) + bssid_len + + sizeof(*tlv) + ie_len; skb = ath10k_wmi_alloc_skb(ar, len); if (!skb)
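
Review bot: The four sizeof(*tlv) terms in the new len expression are unconditional, but nothing beside them says why, and the removed lines show how easy it is to assume an empty array needs no header. Add a short comment above the len assignment stating that the channel, SSID, BSSID and IE arrays each carry a TLV header even when they are empty, so the size passed to ath10k_wmi_alloc_skb() cannot drift again from what is later written into the skb. The code that writes those TLVs is outside this hunk, so it is worth confirming in review that it emits all four headers on every path; if it does, "4 * sizeof(*tlv) + chan_len + ssid_len + bssid_len + ie_len" would read more clearly than repeating the term four times. The commit message would also benefit from a Fixes: tag naming the commit that introduced the conditional sizing, since it describes the under-allocation as letting the WMI message overwrite data at the end of skb->data.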