From patchwork Tue Oct 28 09:34:36 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michal Kazior X-Patchwork-Id: 5173941 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id B481AC11AC for ; Tue, 28 Oct 2014 09:46:19 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id DB45D2027D for ; Tue, 28 Oct 2014 09:46:18 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0B56920254 for ; Tue, 28 Oct 2014 09:46:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754984AbaJ1JqM (ORCPT ); Tue, 28 Oct 2014 05:46:12 -0400 Received: from mail-lb0-f180.google.com ([209.85.217.180]:49982 "EHLO mail-lb0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753715AbaJ1JqH (ORCPT ); Tue, 28 Oct 2014 05:46:07 -0400 Received: by mail-lb0-f180.google.com with SMTP id z12so251421lbi.11 for ; Tue, 28 Oct 2014 02:46:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tieto.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=QeyDLvPsLzTzwnF35XqTfnI/dFdsD1iE0wEqy8pBmVk=; b=pK3g5BHv3ukkPiQUQs0OsUCESmA69zS8gKOkBNr9V8ueVkq7YUD6uMvIpBw7NCxCLq Ec9ki/h6O581/wp/KwQMg4nnuND2L35hPBoGYmhIt4Td+m5ROHCXgJ4LOhPJjw/IBV/A xp3KyniJthYLcjk3Ub3pEiYhtcqxywHzvwGCU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=QeyDLvPsLzTzwnF35XqTfnI/dFdsD1iE0wEqy8pBmVk=; b=CDP5CyAW5GfasvGa1W+03yUj+CiNBA4I16wa+ziwTBItvPfm/TfqOp0gn1ji4DyCAQ n4pMvC7/H7GCV0n+r1hLwsDAdoLgiYiuaX8HL/5lgEDaQDH3BUvLsEcSh7qq4w2OuZe0 fq9EEYl2oxhEBmRWte52ipgCiKbufKlzCX1cBVg022lrJFlzkUHKVvcsKWquijK3+Xon 39VJJ7cUhNvy6/swJI7gWpnz4kNEMP9EkBRJv5lnEEDbSvCC6VHYVqmttCwXxgbF8622 PBcTQmCWcqOv27KJ0NQpHJe7x2D8yvJcR8ue6lR1TIsOPqTmwzMXCNOfGXSAobzCpTtx x2Hg== X-Gm-Message-State: ALoCoQk2VTL6O8IZjyQvDzhPL5wC9jPLHMh+MiZtSe1SJkA95T3AitojWsEDQHJM+Q6+FwGcqTPrsZNWh+L4PmJPDQLiUJHAcbT/Fj6QDfCGwtWO6N7+q5WexWDqE13r71mA3G3r8bcj X-Received: by 10.153.7.107 with SMTP id db11mr2531037lad.35.1414489565302; Tue, 28 Oct 2014 02:46:05 -0700 (PDT) Received: from localhost.localdomain ([91.198.246.8]) by mx.google.com with ESMTPSA id f8sm381127lbv.39.2014.10.28.02.46.04 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Oct 2014 02:46:04 -0700 (PDT) From: Michal Kazior To: ath10k@lists.infradead.org Cc: linux-wireless@vger.kernel.org, Michal Kazior Subject: [PATCH v3 1/3] ath10k: fix possible bmi crash Date: Tue, 28 Oct 2014 10:34:36 +0100 Message-Id: <1414488878-31561-2-git-send-email-michal.kazior@tieto.com> X-Mailer: git-send-email 1.8.5.3 In-Reply-To: <1414488878-31561-1-git-send-email-michal.kazior@tieto.com> References: <1414488878-31561-1-git-send-email-michal.kazior@tieto.com> X-DomainID: tieto.com Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP While testing other things I've found that CE items aren't cleared properly. This could lead to null dereferences in BMI. To prevent that make sure CE revoking clears the nbytes value (which is used as a buffer completion indication) and memset the entire CE ring data shared between host and target when (re)initializing. Also make sure to check BMI xfer pointer and print a splat instead of crashing the kernel. Signed-off-by: Michal Kazior --- Notes: v3: * dont reset shadow desc - its used for cleanup in hif_stop() drivers/net/wireless/ath/ath10k/ce.c | 7 +++++++ drivers/net/wireless/ath/ath10k/pci.c | 3 +++ 2 files changed, 10 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c index 878e1ec..a156e6e 100644 --- a/drivers/net/wireless/ath/ath10k/ce.c +++ b/drivers/net/wireless/ath/ath10k/ce.c @@ -558,6 +558,7 @@ int ath10k_ce_revoke_recv_next(struct ath10k_ce_pipe *ce_state, /* sanity */ dest_ring->per_transfer_context[sw_index] = NULL; + desc->nbytes = 0; /* Update sw_index */ sw_index = CE_RING_IDX_INCR(nentries_mask, sw_index); @@ -835,6 +836,9 @@ static int ath10k_ce_init_src_ring(struct ath10k *ar, nentries = roundup_pow_of_two(attr->src_nentries); + memset(src_ring->base_addr_owner_space, 0, + nentries * sizeof(struct ce_desc)); + src_ring->sw_index = ath10k_ce_src_ring_read_index_get(ar, ctrl_addr); src_ring->sw_index &= src_ring->nentries_mask; src_ring->hw_index = src_ring->sw_index; @@ -869,6 +873,9 @@ static int ath10k_ce_init_dest_ring(struct ath10k *ar, nentries = roundup_pow_of_two(attr->dest_nentries); + memset(dest_ring->base_addr_owner_space, 0, + nentries * sizeof(struct ce_desc)); + dest_ring->sw_index = ath10k_ce_dest_ring_read_index_get(ar, ctrl_addr); dest_ring->sw_index &= dest_ring->nentries_mask; dest_ring->write_index = diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c index 63f374ed..f5e426e 100644 --- a/drivers/net/wireless/ath/ath10k/pci.c +++ b/drivers/net/wireless/ath/ath10k/pci.c @@ -1442,6 +1442,9 @@ static void ath10k_pci_bmi_recv_data(struct ath10k_ce_pipe *ce_state) &nbytes, &transfer_id, &flags)) return; + if (WARN_ON_ONCE(!xfer)) + return; + if (!xfer->wait_for_resp) { ath10k_warn(ar, "unexpected: BMI data received; ignoring\n"); return;