From: Venkateswara Naralasetty
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org, Venkateswara Naralasetty
Subject: [PATCH] ath10k: fix kernel null pointer dereference
Date: Wed, 1 Apr 2020 15:48:10 +0530
Message-Id: <1585736290-17661-1-git-send-email-vnaralas@codeaurora.org>
X-Mailer: git-send-email 2.7.4
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

Currently sta airtime is updated without any lock in case of host based
airtime calculation, which may result in accessing the invalid sta pointer
in case of continuous station connect/disconnect.

This patch fixes the kernel null pointer dereference by updating the
station airtime with proper RCU lock in case of host based airtime
calculation.

Proceeding with the analysis of "ARM Kernel Panic".
The APSS crash happened due to OOPS on CPU 0.
Crash Signature : Unable to handle kernel NULL pointer dereference at virtual address 00000300
During the crash,
PC points to "ieee80211_sta_register_airtime+0x1c/0x448 [mac80211]"
LR points to "ath10k_txrx_tx_unref+0x17c/0x364 [ath10k_core]".
The Backtrace obtained is as follows:
[] (ieee80211_sta_register_airtime [mac80211]) from [] (ath10k_txrx_tx_unref+0x17c/0x364 [ath10k_core])
[] (ath10k_txrx_tx_unref [ath10k_core]) from [] (ath10k_htt_txrx_compl_task+0xa50/0xfc0 [ath10k_core])
[] (ath10k_htt_txrx_compl_task [ath10k_core]) from [] (ath10k_pci_napi_poll+0x50/0xf8 [ath10k_pci])
[] (ath10k_pci_napi_poll [ath10k_pci]) from [] (net_rx_action+0xac/0x160)
[] (net_rx_action) from [] (__do_softirq+0x104/0x294)
[] (__do_softirq) from [] (run_ksoftirqd+0x30/0x90)
[] (run_ksoftirqd) from [] (smpboot_thread_fn+0x25c/0x274)
[] (smpboot_thread_fn) from [] (kthread+0xd8/0xec)

Tested HW: QCA9888
Tested FW: 10.4-3.10-00047

Signed-off-by: Venkateswara Naralasetty
---
 drivers/net/wireless/ath/ath10k/txrx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c index 39abf8b..f46b908 100644 --- a/drivers/net/wireless/ath/ath10k/txrx.c +++ b/drivers/net/wireless/ath/ath10k/txrx.c @@ -84,9 +84,11 @@ int ath10k_txrx_tx_unref(struct ath10k_htt *htt, wake_up(&htt->empty_tx_wq); spin_unlock_bh(&htt->tx_lock); + rcu_read_lock(); if (txq && txq->sta && skb_cb->airtime_est) ieee80211_sta_register_airtime(txq->sta, txq->tid, skb_cb->airtime_est, 0); + rcu_read_unlock(); if (ar->bus_param.dev_type != ATH10K_DEV_TYPE_HL) dma_unmap_single(dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); -- 2.7.4
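
Review bot: the read-side section opened by the added rcu_read_lock() in ath10k_txrx_tx_unref() covers only the `txq->sta` test and the ieee80211_sta_register_airtime() call, while `txq` itself is obtained before the lock is taken (its assignment is outside this hunk), so the change closes the race only if the path that tears down the station, and the txq that points to it, waits for an RCU grace period before freeing. The commit message does not say which path invalidates the sta or why an RCU read lock is sufficient against it; please state that in the changelog and confirm that `txq` cannot go stale between where it is loaded and `rcu_read_lock();`. A Fixes: tag naming the commit that introduced host based airtime calculation would also help stable backports.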