2014-06-10 10:52:31

by Stanislaw Gruszka

Subject: [PATCH] rt2x00: disable TKIP on USB

On USB we can not get atomically TKIP key. We have to disable support
for TKIP acceleration on USB hardware to avoid bug as showed bellow.

[ 860.827243] BUG: scheduling while atomic: hostapd/3397/0x00000002
<snip>
[ 860.827280] Call Trace:
[ 860.827282] [<ffffffff81682ea6>] dump_stack+0x4d/0x66
[ 860.827284] [<ffffffff8167eb9b>] __schedule_bug+0x47/0x55
[ 860.827285] [<ffffffff81685bb3>] __schedule+0x733/0x7b0
[ 860.827287] [<ffffffff81685c59>] schedule+0x29/0x70
[ 860.827289] [<ffffffff81684f8a>] schedule_timeout+0x15a/0x2b0
[ 860.827291] [<ffffffff8105ac50>] ? ftrace_raw_event_tick_stop+0xc0/0xc0
[ 860.827294] [<ffffffff810c13c2>] ? __module_text_address+0x12/0x70
[ 860.827296] [<ffffffff81686823>] wait_for_completion_timeout+0xb3/0x140
[ 860.827298] [<ffffffff81080fc0>] ? wake_up_state+0x20/0x20
[ 860.827301] [<ffffffff814d5b3d>] usb_start_wait_urb+0x7d/0x150
[ 860.827303] [<ffffffff814d5cd5>] usb_control_msg+0xc5/0x110
[ 860.827305] [<ffffffffa02fb0c6>] rt2x00usb_vendor_request+0xc6/0x160 [rt2x00usb]
[ 860.827307] [<ffffffffa02fb215>] rt2x00usb_vendor_req_buff_lock+0x75/0x150 [rt2x00usb]
[ 860.827309] [<ffffffffa02fb393>] rt2x00usb_vendor_request_buff+0xa3/0xe0 [rt2x00usb]
[ 860.827311] [<ffffffffa023d1a3>] rt2x00usb_register_multiread+0x33/0x40 [rt2800usb]
[ 860.827314] [<ffffffffa05805f9>] rt2800_get_tkip_seq+0x39/0x50 [rt2800lib]
[ 860.827321] [<ffffffffa0480f88>] ieee80211_get_key+0x218/0x2a0 [mac80211]
[ 860.827322] [<ffffffff815cc68c>] ? __nlmsg_put+0x6c/0x80
[ 860.827329] [<ffffffffa051b02e>] nl80211_get_key+0x22e/0x360 [cfg80211]

Cc: [email protected]
Reported-by: Peter Wu <[email protected]>
Reported-and-tested-by: Pontus Fuchs <[email protected]>
Signed-off-by: Stanislaw Gruszka <[email protected]>
---
drivers/net/wireless/rt2x00/rt2x00mac.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
index 212ac48..004dff9 100644
--- a/drivers/net/wireless/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
@@ -487,6 +487,8 @@ int rt2x00mac_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
crypto.cipher = rt2x00crypto_key_to_cipher(key);
if (crypto.cipher == CIPHER_NONE)
return -EOPNOTSUPP;
+ if (crypto.cipher == CIPHER_TKIP && rt2x00_is_usb(rt2x00dev))
+ return -EOPNOTSUPP;

crypto.cmd = cmd;

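Review bot: the added test for CIPHER_TKIP && rt2x00_is_usb(rt2x00dev) in rt2x00mac_set_key carries no comment, so nothing in the code says why TKIP is refused on USB only. A short comment above the if would keep the check from later being removed as an arbitrary restriction. It should say that reading the TKIP sequence counter on USB goes through rt2x00usb_register_multiread and usb_control_msg, which sleep, while ieee80211_get_key reaches rt2800_get_tkip_seq in atomic context (the trace in the commit message). It is also worth stating there that returning -EOPNOTSUPP declines only hardware acceleration for the key, which is what the commit message means by disabling TKIP acceleration.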
--
1.8.3.1



2014-06-10 12:58:25

by Peter Wu

Subject: Re: [PATCH] rt2x00: disable TKIP on USB

Oops, forgot to test this one.

On Tuesday 10 June 2014 12:51:06 Stanislaw Gruszka wrote:
> On USB we can not get atomically TKIP key. We have to disable support
> for TKIP acceleration on USB hardware to avoid bug as showed bellow.

*below

> [ 860.827243] BUG: scheduling while atomic: hostapd/3397/0x00000002
> <snip>
> [ 860.827280] Call Trace:
> [ 860.827282] [<ffffffff81682ea6>] dump_stack+0x4d/0x66
> [ 860.827284] [<ffffffff8167eb9b>] __schedule_bug+0x47/0x55
> [ 860.827285] [<ffffffff81685bb3>] __schedule+0x733/0x7b0
> [ 860.827287] [<ffffffff81685c59>] schedule+0x29/0x70
> [ 860.827289] [<ffffffff81684f8a>] schedule_timeout+0x15a/0x2b0
> [ 860.827291] [<ffffffff8105ac50>] ? ftrace_raw_event_tick_stop+0xc0/0xc0
> [ 860.827294] [<ffffffff810c13c2>] ? __module_text_address+0x12/0x70
> [ 860.827296] [<ffffffff81686823>] wait_for_completion_timeout+0xb3/0x140
> [ 860.827298] [<ffffffff81080fc0>] ? wake_up_state+0x20/0x20
> [ 860.827301] [<ffffffff814d5b3d>] usb_start_wait_urb+0x7d/0x150
> [ 860.827303] [<ffffffff814d5cd5>] usb_control_msg+0xc5/0x110
> [ 860.827305] [<ffffffffa02fb0c6>] rt2x00usb_vendor_request+0xc6/0x160 [rt2x00usb]
> [ 860.827307] [<ffffffffa02fb215>] rt2x00usb_vendor_req_buff_lock+0x75/0x150 [rt2x00usb]
> [ 860.827309] [<ffffffffa02fb393>] rt2x00usb_vendor_request_buff+0xa3/0xe0 [rt2x00usb]
> [ 860.827311] [<ffffffffa023d1a3>] rt2x00usb_register_multiread+0x33/0x40 [rt2800usb]
> [ 860.827314] [<ffffffffa05805f9>] rt2800_get_tkip_seq+0x39/0x50 [rt2800lib]
> [ 860.827321] [<ffffffffa0480f88>] ieee80211_get_key+0x218/0x2a0 [mac80211]
> [ 860.827322] [<ffffffff815cc68c>] ? __nlmsg_put+0x6c/0x80
> [ 860.827329] [<ffffffffa051b02e>] nl80211_get_key+0x22e/0x360 [cfg80211]

FWIW, this is my backtrace:

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:586
in_atomic(): 0, irqs_disabled(): 0, pid: 398, name: wpa_supplicant
4 locks held by wpa_supplicant/398:
#0: (cb_lock){++++++}, at: [<ffffffff815345f9>] genl_rcv+0x19/0x40
#1: (genl_mutex){+.+.+.}, at: [<ffffffff81535dea>] genl_rcv_msg+0xba/0xc0
#2: (rtnl_mutex){+.+.+.}, at: [<ffffffff81513c17>] rtnl_lock+0x17/0x20
#3: (rcu_read_lock){......}, at: [<ffffffffa04602c5>] ieee80211_get_key+0x5/0x310 [mac80211]
Preemption disabled at:[<ffffffff810a9a65>] console_unlock+0x275/0x420

CPU: 3 PID: 398 Comm: wpa_supplicant Tainted: G O 3.15.0-rc8-custom-00058-gd2cfd31 #1
Hardware name: CLEVO CO. B7130 /B7130 , BIOS 6.00 08/27/2010
0000000000000008 ffff8800abcbb850 ffffffff815f14da 0000000000000000
ffff8800abcbb868 ffffffff8107ca83 0000000000000000 ffff8800abcbb8e0
ffffffff815f57c2 ffff8800abcbb960 0000000000000296 0000000000000019
Call Trace:
[<ffffffff815f14da>] dump_stack+0x4e/0x7a
[<ffffffff8107ca83>] __might_sleep+0x123/0x1a0
[<ffffffff815f57c2>] mutex_lock_nested+0x32/0x400
[<ffffffffa060042c>] rt2x00usb_vendor_request_buff+0x3c/0xe0 [rt2x00usb]
[<ffffffffa06521a1>] rt2x00usb_register_multiread+0x31/0x40 [rt2800usb]
[<ffffffffa063ce49>] rt2800_get_tkip_seq+0x39/0x50 [rt2800lib]
[<ffffffffa046052e>] ieee80211_get_key+0x26e/0x310 [mac80211]
[<ffffffffa04602c5>] ? ieee80211_get_key+0x5/0x310 [mac80211]
[<ffffffffa02a584b>] nl80211_get_key+0x22b/0x390 [cfg80211]
[<ffffffffa0298d10>] ? __cfg80211_alloc_vendor_skb+0x140/0x140 [cfg80211]
[<ffffffffa02955f6>] ? __cfg80211_wdev_from_attrs+0x36/0x1a0 [cfg80211]
[<ffffffff81535b5b>] genl_family_rcv_msg+0x18b/0x360
[<ffffffff81535db4>] genl_rcv_msg+0x84/0xc0
[<ffffffff81535d30>] ? genl_family_rcv_msg+0x360/0x360
[<ffffffff81534079>] netlink_rcv_skb+0xa9/0xd0
[<ffffffff81534608>] genl_rcv+0x28/0x40
[<ffffffff815339e6>] netlink_unicast+0x166/0x210
[<ffffffff81533da6>] netlink_sendmsg+0x316/0x430
[<ffffffff814ea7cd>] sock_sendmsg+0x8d/0xc0
[<ffffffff811542fe>] ? might_fault+0x5e/0xc0
[<ffffffff81154359>] ? might_fault+0xb9/0xc0
[<ffffffff811542fe>] ? might_fault+0x5e/0xc0
[<ffffffff814f933e>] ? verify_iovec+0x5e/0xe0
[<ffffffff814eac30>] ___sys_sendmsg+0x3d0/0x3e0
[<ffffffff815fd265>] ? preempt_count_add+0x55/0xb0
[<ffffffff811b5897>] ? mntput_no_expire+0x17/0x260
[<ffffffff811b58ed>] ? mntput_no_expire+0x6d/0x260
[<ffffffff811b5897>] ? mntput_no_expire+0x17/0x260
[<ffffffff811b5b04>] ? mntput+0x24/0x40
[<ffffffff81194698>] ? __fput+0x188/0x200
[<ffffffff814ebe02>] __sys_sendmsg+0x42/0x80
[<ffffffff814ebe52>] SyS_sendmsg+0x12/0x20
[<ffffffff816015d2>] system_call_fastpath+0x16/0x1b

> Cc: [email protected]

At least 3.13 up to 3.15 is affected.

> Reported-by: Peter Wu <[email protected]>

Confirmed that the patched version does not trigger the bug while the
unpatched one is still buggy.

Reported-and-tested-by: Peter Wu <[email protected]>

> Reported-and-tested-by: Pontus Fuchs <[email protected]>
> Signed-off-by: Stanislaw Gruszka <[email protected]>
> ---
> drivers/net/wireless/rt2x00/rt2x00mac.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/net/wireless/rt2x00/rt2x00mac.c b/drivers/net/wireless/rt2x00/rt2x00mac.c
> index 212ac48..004dff9 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00mac.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00mac.c
> @@ -487,6 +487,8 @@ int rt2x00mac_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
> crypto.cipher = rt2x00crypto_key_to_cipher(key);
> if (crypto.cipher == CIPHER_NONE)
> return -EOPNOTSUPP;
> + if (crypto.cipher == CIPHER_TKIP && rt2x00_is_usb(rt2x00dev))
> + return -EOPNOTSUPP;
>
> crypto.cmd = cmd;
>
>
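Review bot: the condition added to rt2x00mac_set_key tests only rt2x00_is_usb(rt2x00dev), so it refuses TKIP offload for every USB device that reaches this function, while both backtraces in this thread sleep inside rt2800_get_tkip_seq in rt2800lib. If the breadth is intended, the commit message should say that all rt2x00 USB hardware is covered and why. If it is not, the check should be narrowed to the drivers whose TKIP sequence read needs a USB register access.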