From patchwork Wed Nov 6 07:14:23 2019
X-Patchwork-Submitter: Tamizh chelvam
X-Patchwork-Id: 11229557
X-Patchwork-Delegate: kvalo@adurom.com
From: Tamizh chelvam
To: ath11k@lists.infradead.org
Cc: Tamizh chelvam
Subject: [PATCH] ath11k: fix kernel panic by freeing the msdu received with invalid length
Date: Wed, 6 Nov 2019 12:44:23 +0530
Message-Id: <1573024463-9066-1-git-send-email-tamizhr@codeaurora.org>

In certain scenarios the host receives packets with an invalid length, which causes the kernel panic below. Free up those msdus to avoid this kernel panic. Also print packet information for debugging purposes.

2270.028121: <6> task: ffffffc0008306d0 ti: ffffffc0008306d0 task.ti: ffffffc0008306d0
2270.035247: <2> PC is at skb_panic+0x40/0x44
2270.042784: <2> LR is at skb_panic+0x40/0x44
2270.521775: <2> [] skb_panic+0x40/0x44
2270.524039: <2> [] skb_put+0x54/0x5c
2270.529264: <2> [] ath11k_dp_process_rx_err+0x320/0x5b0 [ath11k]
2270.533860: <2> [] ath11k_dp_service_srng+0x80/0x268 [ath11k]
2270.541063: <2> [] ath11k_hal_rx_reo_ent_buf_paddr_get+0x200/0xb64 [ath11k]
2270.547917: <2> [] net_rx_action+0xf8/0x274
2270.556247: <2> [] __do_softirq+0x128/0x228
2270.561625: <2> [] irq_exit+0x84/0xcc
2270.567008: <2> [] __handle_domain_irq+0x8c/0xb0
2270.571695: <2> [] gic_handle_irq+0x6c/0xbc

Signed-off-by: Tamizh chelvam
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 43 +++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index acad746..f2731cd 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -1440,6 +1440,35 @@ static struct sk_buff *ath11k_dp_rx_get_msdu_last_buf(struct sk_buff_head *msdu_ return NULL; } +static void ath11k_dp_rx_msdu_info(struct ath11k *ar, + struct hal_rx_desc *rx_desc, + struct ath11k_skb_rxcb *rxcb) +{ + enum hal_encrypt_type enctype; + bool is_decrypted; + bool mpdu_len_err; + u32 decap_format; + u8 *hdr_status; + u16 msdu_len; + + hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc); + msdu_len = ath11k_dp_rx_h_msdu_start_msdu_len(rx_desc); + rxcb->is_first_msdu = ath11k_dp_rx_h_msdu_end_first_msdu(rx_desc); + rxcb->is_last_msdu = ath11k_dp_rx_h_msdu_end_last_msdu(rx_desc); + + decap_format = ath11k_dp_rxdesc_get_decap_format(rx_desc); + mpdu_len_err = !!ath11k_dp_rxdesc_get_mpdulen_err(rx_desc); + + is_decrypted = ath11k_dp_rx_h_attn_is_decrypted(rx_desc); + enctype = ath11k_dp_rx_h_mpdu_start_enctype(rx_desc); + + ath11k_warn(ar->ab, "frame rx with invalid msdu len %u first msdu %d last msdu %d decap format %u mpdu_len_err %d decrypted %d encryption type %u\n", + msdu_len, rxcb->is_first_msdu, rxcb->is_last_msdu, + decap_format, mpdu_len_err, is_decrypted, enctype); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status, + sizeof(struct ieee80211_hdr)); +} + static int ath11k_dp_rx_retrieve_amsdu(struct ath11k *ar, struct sk_buff_head *msdu_list, struct sk_buff_head *amsdu_list) @@ -1492,6 +1521,12 @@ static int ath11k_dp_rx_retrieve_amsdu(struct ath11k *ar, l3_pad_bytes = ath11k_dp_rx_h_msdu_end_l3pad(lrx_desc); if (!rxcb->is_continuation) { + if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) { + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc, + sizeof(struct hal_rx_desc)); + ath11k_dp_rx_msdu_info(ar, rx_desc, rxcb); + goto free_out; + } skb_put(msdu, HAL_RX_DESC_SIZE + l3_pad_bytes + msdu_len); skb_pull(msdu, HAL_RX_DESC_SIZE + l3_pad_bytes); } else { 
@@ -2764,6 +2799,14 @@ static void ath11k_dp_rx_frag_h_mpdu(struct ath11k *ar, rx_desc = (struct hal_rx_desc *)msdu->data; msdu_len = ath11k_dp_rx_h_msdu_start_msdu_len(rx_desc); + if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) { + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc, + sizeof(struct hal_rx_desc)); + ath11k_dp_rx_msdu_info(ar, rx_desc, rxcb); + dev_kfree_skb_any(msdu); + goto exit; + } + skb_put(msdu, HAL_RX_DESC_SIZE + msdu_len); skb_pull(msdu, HAL_RX_DESC_SIZE);
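
Review bot: In the first hunk, ath11k_dp_rx_msdu_info() is a logging helper, yet it writes rxcb->is_first_msdu and rxcb->is_last_msdu, so calling it on the drop path changes the control block as a side effect. Read the two flags into locals for the warning, or document that the helper updates rxcb. The ath11k_dbg_dump() call there passes NULL and an empty string ahead of the buffer, which leaves the 802.11 header dump hard to tell apart from the descriptor dump both callers emit just before it; a short distinguishing string on each would fix that.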
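
Review bot: In the ath11k_dp_rx_retrieve_amsdu() hunk, the new bound tests msdu_len + HAL_RX_DESC_SIZE, but the skb_put() it guards extends the buffer by HAL_RX_DESC_SIZE + l3_pad_bytes + msdu_len, so a frame within l3_pad_bytes of DP_RX_BUFFER_SIZE passes the check and can still exceed DP_RX_BUFFER_SIZE in skb_put(). Include l3_pad_bytes in the comparison. The check also sits only in the !rxcb->is_continuation branch; the else branch is outside the visible lines, so state in the commit message whether it needs the same guard.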
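
Review bot: In the ath11k_dp_rx_frag_h_mpdu() hunk, the length test and the two dump calls are a copy of the block added to ath11k_dp_rx_retrieve_amsdu(); move them into one helper that returns whether the msdu must be dropped, so the two sites cannot drift apart. Cleanup also differs between the sites: this one calls dev_kfree_skb_any(msdu) and then jumps to exit, while the other jumps to free_out. Neither label is in the visible context, so confirm that exit does not touch msdu after it has been freed.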