Currently the tid mask covers the first 4 bits of iwlagn_tx_resp::ra_tid,
which gives 16 possible values for tid.
This is problematic because IWL_MAX_TID_COUNT is 8, so indexing
iwl_priv::tid_data can go very wrong.
With UBSAN I can it happening while establishing the first connection
after module load.
[ 272.143440] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/dvm/tx.c:777:32
[ 272.143447] index 8 is out of range for type 'iwl_tid_data [8]'
[ 272.143457] CPU: 0 PID: 4605 Comm: irq/32-iwlwifi Not tainted 4.12.0-dirty #2
[ 272.143460] Hardware name: Hewlett-Packard HP EliteBook 2560p/162B, BIOS 68SSU Ver. F.02 07/26/2011
[ 272.143462] Call Trace:
[ 272.143472] dump_stack+0x9c/0x10b
[ 272.143477] ? _atomic_dec_and_lock+0x285/0x285
[ 272.143486] ubsan_epilogue+0xd/0x4e
[ 272.143493] __ubsan_handle_out_of_bounds+0xef/0x118
[ 272.143498] ? __ubsan_handle_shift_out_of_bounds+0x221/0x221
[ 272.143519] ? iwl_trans_pcie_reclaim+0x153/0xc90 [iwlwifi]
[ 272.143539] iwlagn_check_ratid_empty+0x337/0x410 [iwldvm]
[ 272.143556] ? iwl_hcmd_names_cmp+0x2f/0x60 [iwlwifi]
[ 272.143571] iwlagn_rx_reply_tx+0x8a4/0x1820 [iwldvm]
Signed-off-by: Seraphime Kirkovski <[email protected]>
---
I'm currently running this patch on my machines and I have wifi.
The patch presumes а cleanup patch, I sent yesterday:
https://www.spinics.net/lists/kernel/msg2526314.html
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
index 37d2ba5ae852..e5994df9ea4c 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
@@ -1448,7 +1448,7 @@ struct agg_tx_status {
*/
/* refer to ra_tid */
#define IWLAGN_TX_RES_TID_POS 0
-#define IWLAGN_TX_RES_TID_MSK 0x0f
+#define IWLAGN_TX_RES_TID_MSK 0x07
#define IWLAGN_TX_RES_RA_POS 4
#define IWLAGN_TX_RES_RA_MSK 0xf0
--
2.11.0
Hi,
> Subject: [linuxwifi] [PATCH] net: wireless: intel: iwlwifi: dvm: fix tid mask
>
> Currently the tid mask covers the first 4 bits of iwlagn_tx_resp::ra_tid,
> which gives 16 possible values for tid.
> This is problematic because IWL_MAX_TID_COUNT is 8, so indexing
> iwl_priv::tid_data can go very wrong.
True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
that we don't index tid_data with this. Hence I think the proper fix is:
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
index 06ac3f1..16a8646 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
@@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb)
next_reclaimed;
IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
next_reclaimed);
+ iwlagn_check_ratid_empty(priv, sta_id, tid);
}
iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
- iwlagn_check_ratid_empty(priv, sta_id, tid);
freed = 0;
/* process frames */
Clearly calling iwlagn_check_ratid_empty with tid = IWL_TID_NON_QOS is a bad idea.
>
> With UBSAN I can it happening while establishing the first connection
> after module load.
>
> [ 272.143440] UBSAN: Undefined behaviour in
> drivers/net/wireless/intel/iwlwifi/dvm/tx.c:777:32
> [ 272.143447] index 8 is out of range for type 'iwl_tid_data [8]'
> [ 272.143457] CPU: 0 PID: 4605 Comm: irq/32-iwlwifi Not tainted 4.12.0-dirty
> #2
> [ 272.143460] Hardware name: Hewlett-Packard HP EliteBook 2560p/162B,
> BIOS 68SSU Ver. F.02 07/26/2011
> [ 272.143462] Call Trace:
> [ 272.143472] dump_stack+0x9c/0x10b
> [ 272.143477] ? _atomic_dec_and_lock+0x285/0x285
> [ 272.143486] ubsan_epilogue+0xd/0x4e
> [ 272.143493] __ubsan_handle_out_of_bounds+0xef/0x118
> [ 272.143498] ? __ubsan_handle_shift_out_of_bounds+0x221/0x221
> [ 272.143519] ? iwl_trans_pcie_reclaim+0x153/0xc90 [iwlwifi]
> [ 272.143539] iwlagn_check_ratid_empty+0x337/0x410 [iwldvm]
> [ 272.143556] ? iwl_hcmd_names_cmp+0x2f/0x60 [iwlwifi]
> [ 272.143571] iwlagn_rx_reply_tx+0x8a4/0x1820 [iwldvm]
>
> Signed-off-by: Seraphime Kirkovski <[email protected]>
> ---
> I'm currently running this patch on my machines and I have wifi.
> The patch presumes а cleanup patch, I sent yesterday:
> https://www.spinics.net/lists/kernel/msg2526314.html
>
> drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> index 37d2ba5ae852..e5994df9ea4c 100644
> --- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> +++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
> @@ -1448,7 +1448,7 @@ struct agg_tx_status {
> */
> /* refer to ra_tid */
> #define IWLAGN_TX_RES_TID_POS 0
> -#define IWLAGN_TX_RES_TID_MSK 0x0f
> +#define IWLAGN_TX_RES_TID_MSK 0x07
> #define IWLAGN_TX_RES_RA_POS 4
> #define IWLAGN_TX_RES_RA_MSK 0xf0
>
> --
> 2.11.0
>
> -------------------------------------
> [email protected]
> https://eclists.intel.com/sympa/info/linuxwifi
> Unsubscribe by sending email to [email protected] with subject
> "Unsubscribe linuxwifi"
On Thu, Jun 08, 2017 at 06:31:01AM +0000, Grumbach, Emmanuel wrote:
> Hi,
Hi,
> True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
> that we don't index tid_data with this. Hence I think the proper fix is:
>
> diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> index 06ac3f1..16a8646 100644
> --- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> +++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> @@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb)
> next_reclaimed;
> IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
> next_reclaimed);
> + iwlagn_check_ratid_empty(priv, sta_id, tid);
> }
>
> iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
>
> - iwlagn_check_ratid_empty(priv, sta_id, tid);
> freed = 0;
>
> /* process frames */
I can confirm it works. You can add my Tested-By.
Thanks,
Seraph
>
> On Thu, Jun 08, 2017 at 06:31:01AM +0000, Grumbach, Emmanuel wrote:
> > Hi,
>
> Hi,
>
> > True, OTOH we need tid to be 8 sometimes. We *just* need to make sure
> > that we don't index tid_data with this. Hence I think the proper fix is:
> >
> > diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > index 06ac3f1..16a8646 100644
> > --- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > +++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
> > @@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv,
> struct iwl_rx_cmd_buffer *rxb)
> > next_reclaimed;
> > IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
> > next_reclaimed);
> > + iwlagn_check_ratid_empty(priv, sta_id, tid);
> > }
> >
> > iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
> >
> > - iwlagn_check_ratid_empty(priv, sta_id, tid);
> > freed = 0;
> >
> > /* process frames */
>
> I can confirm it works. You can add my Tested-By.
Patch in review in our internal tree. It'll be upstreamed through the regular process.
Thanks for your report and debug work.