From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tamizh Chelvam, Kalle Valo, Sasha Levin
Subject: [PATCH 5.7 153/376] ath11k: fix kernel panic by freeing the msdu received with invalid length
Date: Fri, 19 Jun 2020 16:31:11 +0200
Message-Id: <20200619141717.566399422@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200619141710.350494719@linuxfoundation.org>
References: <20200619141710.350494719@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tamizh Chelvam

[ Upstream commit d7d43782d541edb8596d2f4fc7f41b0734948ec5 ]

In certain scenarios the host receives packets with an invalid length,
which causes the kernel panic below. Free up those msdus to avoid this
kernel panic.

2270.028121: <6> task: ffffffc0008306d0 ti: ffffffc0008306d0 task.ti: ffffffc0008306d0
2270.035247: <2> PC is at skb_panic+0x40/0x44
2270.042784: <2> LR is at skb_panic+0x40/0x44
2270.521775: <2> [] skb_panic+0x40/0x44
2270.524039: <2> [] skb_put+0x54/0x5c
2270.529264: <2> [] ath11k_dp_process_rx_err+0x320/0x5b0 [ath11k]
2270.533860: <2> [] ath11k_dp_service_srng+0x80/0x268 [ath11k]
2270.541063: <2> [] ath11k_hal_rx_reo_ent_buf_paddr_get+0x200/0xb64 [ath11k]
2270.547917: <2> [] net_rx_action+0xf8/0x274
2270.556247: <2> [] __do_softirq+0x128/0x228
2270.561625: <2> [] irq_exit+0x84/0xcc
2270.567008: <2> [] __handle_domain_irq+0x8c/0xb0
2270.571695: <2> [] gic_handle_irq+0x6c/0xbc

Signed-off-by: Tamizh Chelvam
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/1588611568-20791-1-git-send-email-tamizhr@codeaurora.org
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 34b1e8e6a7fb..007bb73d6c61 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -2265,6 +2265,7 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *ar, struct ieee80211_hdr *hdr; struct sk_buff *last_buf; u8 l3_pad_bytes; + u8 *hdr_status; u16 msdu_len; int ret; @@ -2293,8 +2294,13 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *ar, skb_pull(msdu, HAL_RX_DESC_SIZE); } else if (!rxcb->is_continuation) { if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) { + hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc); ret = -EINVAL; ath11k_warn(ar->ab, "invalid msdu len %u\n", msdu_len); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status, + sizeof(struct ieee80211_hdr)); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc, + sizeof(struct hal_rx_desc)); goto free_out; } skb_put(msdu, HAL_RX_DESC_SIZE + l3_pad_bytes + msdu_len); @@ -3389,6 +3395,7 @@ ath11k_dp_process_rx_err_buf(struct ath11k *ar, u32 *ring_desc, int buf_id, bool struct sk_buff *msdu; struct ath11k_skb_rxcb *rxcb; struct hal_rx_desc *rx_desc; + u8 *hdr_status; u16 msdu_len; spin_lock_bh(&rx_ring->idr_lock); @@ -3426,6 +3433,17 @@ ath11k_dp_process_rx_err_buf(struct ath11k *ar, u32 *ring_desc, int buf_id, bool rx_desc = (struct hal_rx_desc *)msdu->data; msdu_len = ath11k_dp_rx_h_msdu_start_msdu_len(rx_desc); + if ((msdu_len + HAL_RX_DESC_SIZE) > DP_RX_BUFFER_SIZE) { + hdr_status = ath11k_dp_rx_h_80211_hdr(rx_desc); + ath11k_warn(ar->ab, "invalid msdu leng %u", msdu_len); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", hdr_status, + sizeof(struct ieee80211_hdr)); + ath11k_dbg_dump(ar->ab, ATH11K_DBG_DATA, NULL, "", rx_desc, + sizeof(struct hal_rx_desc)); + dev_kfree_skb_any(msdu); + goto exit; + } + skb_put(msdu, HAL_RX_DESC_SIZE + msdu_len); if (ath11k_dp_rx_frag_h_mpdu(ar, msdu, ring_desc)) { -- 2.25.1
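
Review bot: in the ath11k_dp_rx_process_msdu hunk (@@ -2293), both new ath11k_dbg_dump() calls pass NULL and "" ahead of the buffer, so the 802.11 header dump and the hal_rx_desc dump come out unlabeled and can only be told apart by their length. Passing a short message or prefix such as "rx hdr: " and "rx desc: " would make the output usable when triaging an invalid-length report. hdr_status is also derived from rx_desc, so if it points inside the descriptor the first dump repeats bytes the second one already prints and could be dropped. Both dumps are gated on ATH11K_DBG_DATA, so with that mask off the only trace of the event is the "invalid msdu len %u" warning.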
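
Review bot: in the ath11k_dp_process_rx_err_buf hunk (@@ -3426), the warning string "invalid msdu leng %u" has a typo and no trailing "\n", while the same condition in ath11k_dp_rx_process_msdu logs "invalid msdu len %u\n". Using the identical string with the newline in both places keeps the log lines from running together and lets one grep pattern catch both paths. The length check plus the two dumps is now duplicated verbatim in two functions, so a small helper taking ar and rx_desc would keep the two copies from drifting. The placement of the check before skb_put(msdu, HAL_RX_DESC_SIZE + msdu_len) is right, since that is the call in the posted trace; it is worth confirming that nothing reached through the exit label still references msdu after dev_kfree_skb_any(msdu).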