From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sriram R, Kalle Valo, Sasha Levin
Subject: [PATCH 5.10 331/563] ath11k: Avoid NULL ptr access during mgmt tx cleanup
Date: Mon, 24 Jan 2022 19:41:36 +0100
Message-Id: <20220124184035.873094415@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124184024.407936072@linuxfoundation.org>
References: <20220124184024.407936072@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sriram R

[ Upstream commit a93789ae541c7d5c1c2a4942013adb6bcc5e2848 ]

Currently 'ar' reference is not added in skb_cb during WMI mgmt tx.
Though this is generally not used during tx completion callbacks,
on interface removal the remaining idr cleanup callback uses the ar
ptr from skb_cb from mgmt txmgmt_idr. Hence fill them during tx call
for proper usage. Also free the skb which is missing currently in
these callbacks.

Crash_info:

[19282.489476] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[19282.489515] pgd = 91eb8000
[19282.496702] [00000000] *pgd=00000000
[19282.502524] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[19282.783728] PC is at ath11k_mac_vif_txmgmt_idr_remove+0x28/0xd8 [ath11k]
[19282.789170] LR is at idr_for_each+0xa0/0xc8

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2

Signed-off-by: Sriram R
Signed-off-by: Kalle Valo
Link: https://lore.kernel.org/r/1637832614-13831-1-git-send-email-quic_srirrama@quicinc.com
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath11k/mac.c | 35 +++++++++++++++------------
 1 file changed, 20 insertions(+), 15 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 18e841e1a016d..cc9122f420243 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: BSD-3-Clause-Clear /* * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -3883,23 +3884,32 @@ static int __ath11k_set_antenna(struct ath11k *ar, u32 tx_ant, u32 rx_ant) return 0; } -int ath11k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) +static void ath11k_mac_tx_mgmt_free(struct ath11k *ar, int buf_id) { - struct sk_buff *msdu = skb; + struct sk_buff *msdu; struct ieee80211_tx_info *info; - struct ath11k *ar = ctx; - struct ath11k_base *ab = ar->ab; spin_lock_bh(&ar->txmgmt_idr_lock); - idr_remove(&ar->txmgmt_idr, buf_id); + msdu = idr_remove(&ar->txmgmt_idr, buf_id); spin_unlock_bh(&ar->txmgmt_idr_lock); - dma_unmap_single(ab->dev, ATH11K_SKB_CB(msdu)->paddr, msdu->len, + + if (!msdu) + return; + + dma_unmap_single(ar->ab->dev, ATH11K_SKB_CB(msdu)->paddr, msdu->len, DMA_TO_DEVICE); info = IEEE80211_SKB_CB(msdu); memset(&info->status, 0, sizeof(info->status)); ieee80211_free_txskb(ar->hw, msdu); +} + +int ath11k_mac_tx_mgmt_pending_free(int buf_id, void *skb, void *ctx) +{ + struct ath11k *ar = ctx; + + ath11k_mac_tx_mgmt_free(ar, buf_id); return 0; } @@ -3908,17 +3918,10 @@ static int ath11k_mac_vif_txmgmt_idr_remove(int buf_id, void *skb, void *ctx) { struct ieee80211_vif *vif = ctx; struct ath11k_skb_cb *skb_cb = ATH11K_SKB_CB((struct sk_buff *)skb); - struct sk_buff *msdu = skb; struct ath11k *ar = skb_cb->ar; - struct ath11k_base *ab = ar->ab; - if (skb_cb->vif == vif) { - spin_lock_bh(&ar->txmgmt_idr_lock); - idr_remove(&ar->txmgmt_idr, buf_id); - spin_unlock_bh(&ar->txmgmt_idr_lock); - dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, - DMA_TO_DEVICE); - } + if (skb_cb->vif == vif) + ath11k_mac_tx_mgmt_free(ar, buf_id); return 0; } 
@@ -3933,6 +3936,8 @@ static int ath11k_mac_mgmt_tx_wmi(struct ath11k *ar, struct ath11k_vif *arvif, int buf_id; int ret; + ATH11K_SKB_CB(skb)->ar = ar; + spin_lock_bh(&ar->txmgmt_idr_lock); buf_id = idr_alloc(&ar->txmgmt_idr, skb, 0, ATH11K_TX_MGMT_NUM_PENDING_MAX, GFP_ATOMIC); -- 2.34.1
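Review bot: In the new ath11k_mac_tx_mgmt_free() hunk, using the pointer returned by idr_remove() and returning early on NULL is what makes the helper safe to call from both ath11k_mac_tx_mgmt_pending_free() and the vif-removal callback: whichever caller loses the race against the lock finds no entry and skips the dma_unmap_single()/ieee80211_free_txskb() pair, so the skb cannot be unmapped or freed twice. That reasoning is not visible in the code, and the idr_for_each callback now ignores its `skb` argument entirely, so a one-line comment above `if (!msdu)` (for example, "idr entry is authoritative; NULL means another path already freed it") would stop a later reader from reintroducing a use of the callback's `skb` parameter.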
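Review bot: The ath11k_mac_vif_txmgmt_idr_remove() hunk still reads `skb_cb->ar` unconditionally and passes it straight into ath11k_mac_tx_mgmt_free(), so the fix is only as good as the guarantee that every skb placed in txmgmt_idr had its `ar` filled in; that guarantee currently rests on the single assignment in ath11k_mac_mgmt_tx_wmi(). A cheap guard such as `if (WARN_ON(!ar)) return 0;` before the vif comparison would turn a future regression into a warning instead of the Oops shown in Crash_info. Note also that this callback now frees the skb through the shared helper where the removed lines only unmapped it, which is the leak the commit message refers to with "Also free the skb".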
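Review bot: In the ath11k_mac_mgmt_tx_wmi() hunk the ordering of `ATH11K_SKB_CB(skb)->ar = ar;` ahead of the spin_lock_bh()/idr_alloc() is what matters: the skb becomes visible to idr_for_each() callers only once idr_alloc() stores it, so the field is guaranteed populated before the vif-removal callback can ever observe the entry. Since the commit message says the field is not needed on the tx completion path, a short comment naming ath11k_mac_vif_txmgmt_idr_remove() as the consumer, and that the assignment must stay before idr_alloc(), would keep a later refactor from moving it below the unlock.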