Subject: Re: [PATCH v3] ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855
From: Kalle Valo
In-Reply-To: <20211222070431.29595-1-quic_wgong@quicinc.com>
References: <20211222070431.29595-1-quic_wgong@quicinc.com>
To: Wen Gong
Cc: , ,
User-Agent: pwcli/0.1.0-git (https://github.com/kvalo/pwcli/) Python/3.7.3
Message-ID: <164197516971.14338.9522584257208946536.kvalo@kernel.org>
Date: Wed, 12 Jan 2022 08:12:51 +0000 (UTC)
X-Mailing-List: linux-wireless@vger.kernel.org

Wen Gong wrote:

> Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station
> for QCA6390 and WCN6855") is to fix a firmware crash by changing the WMI
> command sequence, but it actually skips all of the peer delete operation,
> so commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon
> peer delete failure") does not take effect, and then a use-after-free
> warning from KASAN happened, because the peer->sta is not set to NULL and
> is then used later.
>
> Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.
>
> log of use-after-free:
>
> [  534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [  534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860
>
> [  534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523
> [  534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
> [  534.888716] Call Trace:
> [  534.888720]
> [  534.888726] dump_stack_lvl+0x57/0x7d
> [  534.888736] print_address_description.constprop.0+0x1f/0x170
> [  534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [  534.888771] kasan_report.cold+0x83/0xdf
> [  534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [  534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [  534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]
> [  534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]
> [  534.888897] ? check_prev_add+0x20f0/0x20f0
> [  534.888922] ? __lock_acquire+0xb72/0x1870
> [  534.888937] ? find_held_lock+0x33/0x110
> [  534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]
> [  534.888981] ? rcu_read_unlock+0x40/0x40
> [  534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]
> [  534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]
> [  534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
> [  534.889075] call_timer_fn+0x167/0x4a0
> [  534.889084] ? add_timer_on+0x3b0/0x3b0
> [  534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
> [  534.889117] __run_timers.part.0+0x539/0x8b0
> [  534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
> [  534.889157] ? call_timer_fn+0x4a0/0x4a0
> [  534.889164] ? mark_lock_irq+0x1c30/0x1c30
> [  534.889173] ? clockevents_program_event+0xdd/0x280
> [  534.889189] ? mark_held_locks+0xa5/0xe0
> [  534.889203] run_timer_softirq+0x97/0x180
> [  534.889213] __do_softirq+0x276/0x86a
> [  534.889230] __irq_exit_rcu+0x11c/0x180
> [  534.889238] irq_exit_rcu+0x5/0x20
> [  534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0
> [  534.889251]
> [  534.889254]
> [  534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20
> [  534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
> [  534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee
> [  534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206
> [  534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10
> [  534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001
> [  534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f
> [  534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68
> [  534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000
> [  534.889316] ? mark_lock+0xd0/0x14a0
> [  534.889332] klist_next+0x1d4/0x450
> [  534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0
> [  534.889350] device_for_each_child+0xa8/0x140
> [  534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0
> [  534.889370] ? __lock_release+0x4bd/0x9f0
> [  534.889378] ? dpm_suspend+0x26b/0x3f0
> [  534.889390] dpm_wait_for_subordinate+0x82/0x2d0
> [  534.889400] ? dpm_for_each_dev+0xa0/0xa0
> [  534.889410] ? dpm_suspend+0x233/0x3f0
> [  534.889427] __device_suspend+0xd4/0x10c0
> [  534.889440] ? wait_for_completion_io+0x270/0x270
> [  534.889456] ? async_suspend_late+0xe0/0xe0
> [  534.889463] ? async_schedule_node_domain+0x468/0x640
> [  534.889482] dpm_suspend+0x25a/0x3f0
> [  534.889491] ? dpm_suspend_end+0x1a0/0x1a0
> [  534.889497] ? ktime_get+0x214/0x2f0
> [  534.889502] ? lockdep_hardirqs_on+0x79/0x100
> [  534.889509] ? recalibrate_cpu_khz+0x10/0x10
> [  534.889516] ? ktime_get+0x119/0x2f0
> [  534.889528] dpm_suspend_start+0xab/0xc0
> [  534.889538] suspend_devices_and_enter+0x1ca/0x350
> [  534.889546] ? suspend_enter+0x850/0x850
> [  534.889566] enter_state+0x27c/0x3d7
> [  534.889575] pm_suspend.cold+0x42/0x189
> [  534.889583] state_store+0xab/0x160
> [  534.889595] ? sysfs_file_ops+0x160/0x160
> [  534.889601] kernfs_fop_write_iter+0x2b5/0x450
> [  534.889615] new_sync_write+0x36a/0x600
> [  534.889625] ? new_sync_read+0x600/0x600
> [  534.889639] ? rcu_read_unlock+0x40/0x40
> [  534.889668] vfs_write+0x619/0x910
> [  534.889681] ksys_write+0xf4/0x1d0
> [  534.889689] ? __ia32_sys_read+0xa0/0xa0
> [  534.889699] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
> [  534.889707] ? syscall_enter_from_user_mode+0x1d/0x50
> [  534.889719] do_syscall_64+0x3b/0x90
> [  534.889725] entry_SYSCALL_64_after_hwframe+0x44/0xae
> [  534.889731] RIP: 0033:0x7f0b9bc931e7
> [  534.889736] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
> [  534.889741] RSP: 002b:00007ffd9d34cc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [  534.889749] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f0b9bc931e7
> [  534.889753] RDX: 0000000000000004 RSI: 0000561cd023c5f0 RDI: 0000000000000004
> [  534.889757] RBP: 0000561cd023c5f0 R08: 0000000000000000 R09: 0000000000000004
> [  534.889761] R10: 0000561ccef842a6 R11: 0000000000000246 R12: 0000000000000004
> [  534.889765] R13: 0000561cd0239590 R14: 00007f0b9bd6f4a0 R15: 00007f0b9bd6e8a0
> [  534.889789]
>
> [  534.889796] Allocated by task 2711:
> [  534.889800]  kasan_save_stack+0x1b/0x40
> [  534.889805]  __kasan_kmalloc+0x7c/0x90
> [  534.889810]  sta_info_alloc+0x98/0x1ef0 [mac80211]
> [  534.889874]  ieee80211_prep_connection+0x30b/0x11e0 [mac80211]
> [  534.889950]  ieee80211_mgd_auth+0x529/0xe00 [mac80211]
> [  534.890024]  cfg80211_mlme_auth+0x332/0x6f0 [cfg80211]
> [  534.890090]  nl80211_authenticate+0x839/0xcf0 [cfg80211]
> [  534.890147]  genl_family_rcv_msg_doit+0x1f4/0x2f0
> [  534.890154]  genl_rcv_msg+0x280/0x500
> [  534.890160]  netlink_rcv_skb+0x11c/0x340
> [  534.890165]  genl_rcv+0x1f/0x30
> [  534.890170]  netlink_unicast+0x42b/0x700
> [  534.890176]  netlink_sendmsg+0x71b/0xc60
> [  534.890181]  sock_sendmsg+0xdf/0x110
> [  534.890187]  ____sys_sendmsg+0x5c0/0x850
> [  534.890192]  ___sys_sendmsg+0xe4/0x160
> [  534.890197]  __sys_sendmsg+0xb2/0x140
> [  534.890202]  do_syscall_64+0x3b/0x90
> [  534.890207]  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> [  534.890215] Freed by task 2825:
> [  534.890218]  kasan_save_stack+0x1b/0x40
> [  534.890223]  kasan_set_track+0x1c/0x30
> [  534.890227]  kasan_set_free_info+0x20/0x30
> [  534.890232]  __kasan_slab_free+0xce/0x100
> [  534.890237]  slab_free_freelist_hook+0xf0/0x1a0
> [  534.890242]  kfree+0xe5/0x370
> [  534.890248]  __sta_info_flush+0x333/0x4b0 [mac80211]
> [  534.890308]  ieee80211_set_disassoc+0x324/0xd20 [mac80211]
> [  534.890382]  ieee80211_mgd_deauth+0x537/0xee0 [mac80211]
> [  534.890472]  cfg80211_mlme_deauth+0x349/0x810 [cfg80211]
> [  534.890526]  cfg80211_mlme_down+0x1ce/0x270 [cfg80211]
> [  534.890578]  cfg80211_disconnect+0x4f5/0x7b0 [cfg80211]
> [  534.890631]  cfg80211_leave+0x24/0x40 [cfg80211]
> [  534.890677]  wiphy_suspend+0x23d/0x2f0 [cfg80211]
> [  534.890723]  dpm_run_callback+0xf4/0x1b0
> [  534.890728]  __device_suspend+0x648/0x10c0
> [  534.890733]  async_suspend+0x16/0xe0
> [  534.890737]  async_run_entry_fn+0x90/0x4f0
> [  534.890741]  process_one_work+0x866/0x1490
> [  534.890747]  worker_thread+0x596/0x1010
> [  534.890751]  kthread+0x35d/0x420
> [  534.890756]  ret_from_fork+0x22/0x30
>
> [  534.890763] The buggy address belongs to the object at ffff8881396ba000
>                which belongs to the cache kmalloc-8k of size 8192
> [  534.890767] The buggy address is located 4536 bytes inside of
>                8192-byte region [ffff8881396ba000, ffff8881396bc000)
> [  534.890772] The buggy address belongs to the page:
> [  534.890775] page:ffffea0004e5ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1396b8
> [  534.890780] head:ffffea0004e5ae00 order:3 compound_mapcount:0 compound_pincount:0
> [  534.890784] flags: 0x200000000010200(slab|head|node=0|zone=2)
> [  534.890791] raw: 0200000000010200 ffffea000562be08 ffffea0004b04c08 ffff88810004e340
> [  534.890795] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000
> [  534.890798] page dumped because: kasan: bad access detected
>
> [  534.890804] Memory state around the buggy address:
> [  534.890807]  ffff8881396bb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  534.890811]  ffff8881396bb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  534.890814] >ffff8881396bb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  534.890817]                                         ^
> [  534.890821]  ffff8881396bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  534.890824]  ffff8881396bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [  534.890827] ==================================================================
> [  534.890830] Disabling lock debugging due to kernel taint
>
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
>
> Fixes: b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855")
> Signed-off-by: Wen Gong
> Signed-off-by: Kalle Valo

Patch applied to ath-next branch of ath.git, thanks.

212ad7cb7d75 ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20211222070431.29595-1-quic_wgong@quicinc.com/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
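The following is an added illustration of the failure pattern the commit message describes, not ath11k code and not the patch author's code. Every name in it is a hypothetical stand-in: struct sta, sta_alloc() and sta_free() model the sta_info object that mac80211 allocates and later kfree()s in the trace; struct peer models the driver-side peer that borrows a pointer to it; wmi_peer_delete() stands in for WMI_PEER_DELETE_CMDID; rx_update_peer_stats() stands in for the consumer that KASAN caught reading freed memory. A four-slot pool with one shadow byte per slot plays the role of the slab plus KASAN's shadow, and 0xfb is the byte KASAN prints for freed memory in the report above. The two peer_delete variants contrast "skip the whole peer delete on QCA6390/WCN6855" with "skip only the firmware command, always clear the pointer".

```c
/* Added example, not ath11k code: all names are hypothetical stand-ins.
 * struct sta / sta_alloc / sta_free  -> mac80211's sta_info lifetime
 * struct peer                        -> driver peer holding a borrowed pointer
 * wmi_peer_delete                    -> WMI_PEER_DELETE_CMDID
 * rx_update_peer_stats               -> the rx-stats consumer in the KASAN trace
 * shadow[] with 0xfb                 -> slab + KASAN shadow (0xfb = freed) */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NSTA 4
#define SHADOW_FREED 0xfb

struct sta { int id; unsigned int rx_pkts; };

static struct sta pool[NSTA];
static unsigned char shadow[NSTA] = { SHADOW_FREED, SHADOW_FREED,
				      SHADOW_FREED, SHADOW_FREED };

/* Hand out the first free slot and mark it live (shadow byte 0). */
static struct sta *sta_alloc(int id)
{
	for (size_t i = 0; i < NSTA; i++) {
		if (shadow[i] == SHADOW_FREED) {
			shadow[i] = 0;
			memset(&pool[i], 0, sizeof(pool[i]));
			pool[i].id = id;
			return &pool[i];
		}
	}
	return NULL;
}

/* The owner frees the sta: poison the slot the way KASAN would. */
static void sta_free(struct sta *s) { shadow[s - pool] = SHADOW_FREED; }

static bool sta_is_freed(const struct sta *s) { return shadow[s - pool] == SHADOW_FREED; }

/* Driver-side peer; sta is a borrowed pointer into the owner's object. */
struct peer { struct sta *sta; };

enum hw { HW_OTHER, HW_QCA6390_WCN6855 };

/* Firmware side is irrelevant here; the command is modelled as a no-op. */
static int wmi_peer_delete(struct peer *p) { (void)p; return 0; }

/* Shape the commit message describes as broken: on QCA6390/WCN6855 the
 * entire peer delete is skipped, so peer->sta is never cleared. */
static void peer_delete_buggy(struct peer *p, enum hw hw)
{
	if (hw == HW_QCA6390_WCN6855)
		return;
	wmi_peer_delete(p);
	p->sta = NULL;
}

/* Shape the commit message asks for: skip only the WMI command. */
static void peer_delete_fixed(struct peer *p, enum hw hw)
{
	if (hw != HW_QCA6390_WCN6855)
		wmi_peer_delete(p);
	p->sta = NULL;
}

enum rx_result { RX_UPDATED = 0, RX_NO_STA = -1, RX_USE_AFTER_FREE = -2 };

/* Later consumer of peer->sta; the freed check is what KASAN would report. */
static enum rx_result rx_update_peer_stats(struct peer *p)
{
	if (!p->sta)
		return RX_NO_STA;
	if (sta_is_freed(p->sta))
		return RX_USE_AFTER_FREE;
	p->sta->rx_pkts++;
	return RX_UPDATED;
}

/* Replay the report: connect (alloc), disconnect (driver peer delete, then
 * the owner frees the sta), then an rx stats update arrives. */
static enum rx_result disconnect_then_rx(enum hw hw, bool fixed)
{
	struct sta *s = sta_alloc(1);
	struct peer p = { .sta = s };

	if (fixed)
		peer_delete_fixed(&p, hw);
	else
		peer_delete_buggy(&p, hw);
	sta_free(s);                      /* p.sta may still point at the slot */
	return rx_update_peer_stats(&p);
}

int main(void)
{
	printf("QCA6390 buggy: %d, QCA6390 fixed: %d, other hw buggy: %d\n",
	       disconnect_then_rx(HW_QCA6390_WCN6855, false),
	       disconnect_then_rx(HW_QCA6390_WCN6855, true),
	       disconnect_then_rx(HW_OTHER, false));
	return 0;
}
```

Only the buggy ordering on the QCA6390/WCN6855 path reaches the poisoned slot; on other hardware the buggy variant still clears the pointer because the whole delete runs, which is why the regression was specific to those two chips. The check on the shadow byte is a stand-in for the KASAN report and is not something a driver can rely on at runtime; the real protection is that the owner-side pointer is cleared on every path that skips the firmware command.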