Message-ID: <4d6953a0-e165-b203-7a41-afe62205b573@nbd.name>
Date: Tue, 20 Sep 2022 10:46:52 +0200
Subject: Re: [PATCH] mac80211: fix memory corruption in minstrel_ht_update_rates()
To: Lech Perczak, Johannes Berg
Cc: linux-wireless@vger.kernel.org, Paweł Lenkow, Jérôme Pouiller, Peter Seiderer, Kalle Valo, Krzysztof Drobiński
References: <20220919150135.90785-1-lech.perczak@camlingroup.com>
From: Felix Fietkau
In-Reply-To: <20220919150135.90785-1-lech.perczak@camlingroup.com>
X-Mailing-List: linux-wireless@vger.kernel.org

On 19.09.22 17:01, Lech Perczak wrote:
> From: Paweł Lenkow
>
> During our testing of WFM200 module over SDIO on i.MX6Q-based platform,
> we discovered a memory corruption on the system, tracing back to the wfx
> driver. Using kfence, it was possible to trace it back to the root
> cause, which is hw->max_rates set to 8 in wfx_init_common,
> while the maximum defined by IEEE80211_TX_TABLE_SIZE is 4.
>
> This causes array out-of-bounds writes during updates of the rate table,
> as seen below:
>
> BUG: KFENCE: memory corruption in kfree_rcu_work+0x320/0x36c
>
> Corrupted memory at 0xe0a4ffe0 [ 0x03 0x03 0x03 0x03 0x01 0x00 0x00
> 0x02 0x02 0x02 0x09 0x00 0x21 0xbb 0xbb 0xbb ] (in kfence-#81):
>  kfree_rcu_work+0x320/0x36c
>  process_one_work+0x3ec/0x920
>  worker_thread+0x60/0x7a4
>  kthread+0x174/0x1b4
>  ret_from_fork+0x14/0x2c
>  0x0
>
> kfence-#81: 0xe0a4ffc0-0xe0a4ffdf, size=32, cache=kmalloc-64
>
> allocated by task 297 on cpu 0 at 631.039555s:
>  minstrel_ht_update_rates+0x38/0x2b0 [mac80211]
>  rate_control_tx_status+0xb4/0x148 [mac80211]
>  ieee80211_tx_status_ext+0x364/0x1030 [mac80211]
>  ieee80211_tx_status+0xe0/0x118 [mac80211]
>  ieee80211_tasklet_handler+0xb0/0xe0 [mac80211]
>  tasklet_action_common.constprop.0+0x11c/0x148
>  __do_softirq+0x1a4/0x61c
>  irq_exit+0xcc/0x104
>  call_with_stack+0x18/0x20
>  __irq_svc+0x80/0xb0
>  wq_worker_sleeping+0x10/0x100
>  wq_worker_sleeping+0x10/0x100
>  schedule+0x50/0xe0
>  schedule_timeout+0x2e0/0x474
>  wait_for_completion+0xdc/0x1ec
>  mmc_wait_for_req_done+0xc4/0xf8
>  mmc_io_rw_extended+0x3b4/0x4ec
>  sdio_io_rw_ext_helper+0x290/0x384
>  sdio_memcpy_toio+0x30/0x38
>  wfx_sdio_copy_to_io+0x88/0x108 [wfx]
>  wfx_data_write+0x88/0x1f0 [wfx]
>  bh_work+0x1c8/0xcc0 [wfx]
>  process_one_work+0x3ec/0x920
>  worker_thread+0x60/0x7a4
>  kthread+0x174/0x1b4
>  ret_from_fork+0x14/0x2c
>  0x0
>
> After discussion on the wireless mailing list it was clarified
> that the issue has been introduced by:
> commit ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
> and fix shall be in minstrel_ht_update_rates in rc80211_minstrel_ht.c.
>
> Fixes: ee0e16ab756a ("mac80211: minstrel_ht: fill all requested rates")
> Link: https://lore.kernel.org/all/12e5adcd-8aed-f0f7-70cc-4fb7b656b829@camlingroup.com/
> Link: https://lore.kernel.org/linux-wireless/20220915131445.30600-1-lech.perczak@camlingroup.com/
> Cc: Jérôme Pouiller
> Cc: Johannes Berg
> Cc: Peter Seiderer
> Cc: Kalle Valo
> Cc: Krzysztof Drobiński ,
> Signed-off-by: Paweł Lenkow
> Signed-off-by: Lech Perczak

Acked-by: Felix Fietkau

Thanks,

- Felix
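The defect in the quoted report is a driver advertising more rates (hw->max_rates = 8) than the fixed-size rate table can hold (IEEE80211_TX_TABLE_SIZE = 4), so a fill loop driven by the advertised count writes past the array. The block below is an added example and is not code from mac80211 or the wfx driver: a constructed model of a fixed-size rate table whose fill routine clamps the advertised count to the array bound, plus a validation helper that a registration path could use to reject an inconsistent max_rates up front. The struct and function names (tx_rate, rate_table, hw_params, rates_to_fill, fill_rates, hw_max_rates_valid) are assumptions for this example; the canary field is constructed so that any overrun would be observable in a test.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the mac80211 definition: the rate table size is fixed
 * at compile time, independent of what any driver advertises. */
#define IEEE80211_TX_TABLE_SIZE 4

struct tx_rate {           /* hypothetical: one entry of the rate table */
    int8_t idx;            /* rate index, -1 marks the end of the table */
    uint8_t count;         /* retry count for this rate */
};

struct rate_table {        /* hypothetical: the fixed-size table */
    struct tx_rate rate[IEEE80211_TX_TABLE_SIZE];
    uint32_t canary;       /* constructed: sits right after the array */
};

struct hw_params {         /* hypothetical: what a driver advertises */
    unsigned int max_rates;
};

/* Validation a registration path could run: the advertised count must fit
 * the table. Returns 1 when consistent, 0 otherwise. */
static int hw_max_rates_valid(const struct hw_params *hw)
{
    return hw->max_rates >= 1 && hw->max_rates <= IEEE80211_TX_TABLE_SIZE;
}

/* Clamp the number of entries the fill loop may write to the array bound,
 * so a wrong max_rates degrades to a short table instead of an overrun. */
static unsigned int rates_to_fill(const struct hw_params *hw)
{
    if (hw->max_rates > IEEE80211_TX_TABLE_SIZE)
        return IEEE80211_TX_TABLE_SIZE;
    return hw->max_rates;
}

/* Fill the table with constructed sample rates; returns entries written. */
static unsigned int fill_rates(struct rate_table *t, const struct hw_params *hw)
{
    unsigned int n = rates_to_fill(hw);

    for (unsigned int i = 0; i < n; i++) {
        t->rate[i].idx = (int8_t)i;     /* sample value, constructed */
        t->rate[i].count = 2;
    }
    /* Terminate the table only if there is room; a full table has no terminator. */
    if (n < IEEE80211_TX_TABLE_SIZE) {
        t->rate[n].idx = -1;
        t->rate[n].count = 0;
    }
    return n;
}

int main(void)
{
    struct hw_params bad = { .max_rates = 8 };   /* the mismatch from the report */
    struct hw_params good = { .max_rates = 3 };
    struct rate_table t;

    memset(&t, 0, sizeof(t));
    t.canary = 0xA5A5A5A5u;

    printf("max_rates=8 valid: %d\n", hw_max_rates_valid(&bad));
    printf("entries written: %u, canary intact: %d\n",
           fill_rates(&t, &bad), t.canary == 0xA5A5A5A5u);
    printf("max_rates=3 valid: %d, entries written: %u\n",
           hw_max_rates_valid(&good), fill_rates(&t, &good));
    return 0;
}
```

The clamp in rates_to_fill is the in-loop safety net; hw_max_rates_valid is the earlier, cheaper check that would have flagged the wfx configuration at registration time rather than leaving it to KFENCE to catch the corruption later.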