Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp4975186rwl;
        Mon, 3 Apr 2023 12:23:13 -0700 (PDT)
X-Google-Smtp-Source: AKy350bdBACMg76KWuhOzRNV+56DJAXfJuMGeYIV62b1qRpKLGHiCOeUL3zyWfQoxCeNTX/0z76x
X-Received: by 2002:a17:90a:7306:b0:237:b702:499f with SMTP id m6-20020a17090a730600b00237b702499fmr41320255pjk.22.1680549793320;
        Mon, 03 Apr 2023 12:23:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680549793; cv=none;
        d=google.com; s=arc-20160816;
        b=Q/7RaMKKGG5CCPZTl/yoMgpJUMQ4AujUfsgXGSLbZtko4nddtz2pLbD4JKK0hFOGtB
         gfc67WGLqvkNa7+1XE1lfrNL1E/PceMSFvIHMM33TvWuwI1Exzye9z/iYRfNFeaRLHXJ
         i2el9MgaproO/eNx6pZBzctqyJDVhYG5DKuKyjW9wwbKjQf/Ok6pm9uJpgFoyJYBW2Eq
         ph+ndJp9GI3+h2THScAzsKFVZJivJvdbk4xsD7AM8HZW/prx+xLgCupFxGHHEWP1UB/9
         3VsvnKiawg0n5DSSAliDqLgIsps7d2xutSJ6AY1eazNfTmmb3FwhM3XNFP/DfBdlKdTv
         3x1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=bli0BYYciNYJ+SvyQthPLEi/etRHSQFUZkpFIKglAHc=;
        b=WJUU2zzagS8RCAImJMxwjRGY44dv4Rd+eeDzFmbiVag8PtoiFUQ4HutVNTQ4eBdKit
         ZxUBX8gbg7ADGXtRqC4YX0PUzyQmEzF7ZptP9BcClAESSuUgB6+44jqz84kioE819Oxu
         2kv7rprS8ttXO89/egKD7YyuEKd/I2QvKcKUar6LL/5mjtKe0GHOG1bMDPKLdKJOqJrj
         rCQEgYLvUmlnTP9wIBveKRIE7K1sext+3CLP4mt5o0s3Q69YMQyQctXd0rc6+3UDC9G6
         z8c8Z+9If8JwEQlDJkkiPledm4c4Tss34Skhz0h5hlKaw5N8H8ezgi10uCKtUKpeSgT8
         5TLg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=XbKqdLLD;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id o4-20020a655bc4000000b0050c164c8e89si8937244pgr.858.2023.04.03.12.23.05;
        Mon, 03 Apr 2023 12:23:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=XbKqdLLD;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229961AbjDCTQC (ORCPT <rfc822;teotyrov@gmail.com> + 59 others);
        Mon, 3 Apr 2023 15:16:02 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37672 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229509AbjDCTQB (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 3 Apr 2023 15:16:01 -0400
Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 70B2A211F
        for <linux-wireless@vger.kernel.org>; Mon,  3 Apr 2023 12:16:00 -0700 (PDT)
Received: from pps.filterd (m0279870.ppops.net [127.0.0.1])
        by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 333IsYtG028175;
        Mon, 3 Apr 2023 19:15:56 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc :
 subject : date : message-id : mime-version : content-type; s=qcppdkim1;
 bh=bli0BYYciNYJ+SvyQthPLEi/etRHSQFUZkpFIKglAHc=;
 b=XbKqdLLDi8bJnCK2wnNo9CBjgfz7ROF9YYN2lXSrl78IVAkgFizguf86ybRz6jgSz0o8
 Mx5LtjETrW25jeaGc/67qIMzk667ZGLAnKodtGgnk9DLhTD+E/7DYXdpsCZM7x60jFz/
 vLZ3fgBZ0BhQ42W9gJVjkFVk+Fg8YCmnOD8SO8URfsYGY6z4K3Gzjj0q1oziODgoiGwR
 APwFTbeUieQ09TSWn7sgr+Fx2SxF2MtVBTeEEa57Q3TSy4m9j3bMqLgALB84rn615DVV
 yL1atMNR9gmlu7loXspjFsigp2CGOVORBsh2QDgAeyOTLG+LdhN0L26AJKvpj9nCvREF OA== 
Received: from nalasppmta05.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20])
        by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3pqusu1faf-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 03 Apr 2023 19:15:56 +0000
Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196])
        by NALASPPMTA05.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 333JFtdY032008
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 3 Apr 2023 19:15:55 GMT
Received: from nmaran-linux.qualcomm.com (10.80.80.8) by
 nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.986.42; Mon, 3 Apr 2023 12:15:53 -0700
From:   Nagarajan Maran <quic_nmaran@quicinc.com>
To:     <ath11k@lists.infradead.org>
CC:     <linux-wireless@vger.kernel.org>,
        Nagarajan Maran <quic_nmaran@quicinc.com>
Subject: [PATCH] wifi: ath11k: Fix SKB corruption in REO destination ring
Date:   Tue, 4 Apr 2023 00:45:33 +0530
Message-ID: <20230403191533.28114-1-quic_nmaran@quicinc.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [10.80.80.8]
X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To
 nalasex01a.na.qualcomm.com (10.47.209.196)
X-QCInternal: smtphost
X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085
X-Proofpoint-GUID: ibiqGkv9qN62aQIdNgSX7ybFMkOZJG-L
X-Proofpoint-ORIG-GUID: ibiqGkv9qN62aQIdNgSX7ybFMkOZJG-L
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
 definitions=2023-04-03_15,2023-04-03_03,2023-02-09_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 adultscore=0 bulkscore=0
 phishscore=0 malwarescore=0 suspectscore=0 spamscore=0 clxscore=1015
 priorityscore=1501 mlxlogscore=563 impostorscore=0 lowpriorityscore=0
 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2303200000 definitions=main-2304030147
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

While running traffics for a long time, randomly an RX descriptor
filled with value "0" from REO destination ring is received.
This descriptor which is invalid causes the wrong SKB (SKB stored in
the IDR lookup with buffer id "0") to be fetched which in turn
causes SKB memory corruption issue and the same leads to crash
after some time.

Changed the start id for idr allocation to "1" and the buffer id "0"
is reserved for error validation. Introduced Sanity check to validate
the descriptor, before processing the SKB.

Crash Signature :

Unable to handle kernel paging request at virtual address 3f004900
PC points to "b15_dma_inv_range+0x30/0x50"
LR points to "dma_cache_maint_page+0x8c/0x128".
The Backtrace obtained is as follows:
[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)
[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)
[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])
[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])
[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])
[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)
[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)
[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)
[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)
[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)
[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)
[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 99859b59138e..4f51123a3ccd 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -389,10 +389,10 @@ int ath11k_dp_rxbufs_replenish(struct ath11k_base *ab, int mac_id,
 			goto fail_free_skb;
 
 		spin_lock_bh(&rx_ring->idr_lock);
-		buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 0,
-				   rx_ring->bufs_max * 3, GFP_ATOMIC);
+		buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 1,
+				   (rx_ring->bufs_max * 3) + 1, GFP_ATOMIC);
 		spin_unlock_bh(&rx_ring->idr_lock);
-		if (buf_id < 0)
+		if (buf_id <= 0)
 			goto fail_dma_unmap;
 
 		desc = ath11k_hal_srng_src_get_next_entry(ab, srng);
@@ -2642,6 +2642,8 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
 				   cookie);
 		mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie);
 
+		if (unlikely(buf_id == 0))
+			continue;
 		ar = ab->pdevs[mac_id].ar;
 		rx_ring = &ar->dp.rx_refill_buf_ring;
 		spin_lock_bh(&rx_ring->idr_lock);

base-commit: bea046575a2e6d7d1cf63cc7ab032647a3585de5
-- 
2.17.1