Commit | Line | Data |
---|---|---|
f9c32f58 GKH |
1 | From c8291988806407e02a01b4b15b4504eafbcc04e0 Mon Sep 17 00:00:00 2001 |
2 | From: Zhi Chen <zhichen@codeaurora.org> | |
3 | Date: Mon, 18 Jun 2018 17:00:39 +0300 | |
4 | Subject: ath10k: fix scan crash due to incorrect length calculation | |
5 | ||
6 | From: Zhi Chen <zhichen@codeaurora.org> | |
7 | ||
8 | commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream. | |
9 | ||
10 | Length of WMI scan message was not calculated correctly. The allocated | |
11 | buffer was smaller than what we expected. So WMI message corrupted | |
12 | skb_info, which is at the end of skb->data. This fix takes TLV header | |
13 | into account even if the element is zero-length. | |
14 | ||
15 | Crash log: | |
16 | [49.629986] Unhandled kernel unaligned access[#1]: | |
17 | [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180 | |
18 | [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000 | |
19 | [49.646608] $ 0 : 00000000 00000001 80984a80 00000000 | |
20 | [49.652038] $ 4 : 45259e89 8046d484 8046df30 8024ba70 | |
21 | [49.657468] $ 8 : 00000000 804cc4c0 00000001 20306320 | |
22 | [49.662898] $12 : 33322037 000110f2 00000000 31203930 | |
23 | [49.668327] $16 : 82792b40 80984a80 00000001 804207fc | |
24 | [49.673757] $20 : 00000000 0000012c 00000040 80470000 | |
25 | [49.679186] $24 : 00000000 8024af7c | |
26 | [49.684617] $28 : 8329c000 8329db88 00000001 802c58d0 | |
27 | [49.690046] Hi : 00000000 | |
28 | [49.693022] Lo : 453c0000 | |
29 | [49.696013] epc : 800efae4 put_page+0x0/0x58 | |
30 | [49.700615] ra : 802c58d0 skb_release_data+0x148/0x1d4 | |
31 | [49.706184] Status: 1000fc03 KERNEL EXL IE | |
32 | [49.710531] Cause : 00800010 (ExcCode 04) | |
33 | [49.714669] BadVA : 45259e89 | |
34 | [49.717644] PrId : 00019374 (MIPS 24Kc) | |
35 | ||
36 | Signed-off-by: Zhi Chen <zhichen@codeaurora.org> | |
37 | Signed-off-by: Kalle Valo <kvalo@codeaurora.org> | |
38 | Cc: Brian Norris <briannorris@chromium.org> | |
39 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
40 | ||
41 | --- | |
42 | drivers/net/wireless/ath/ath10k/wmi-tlv.c | 8 ++++---- | |
43 | 1 file changed, 4 insertions(+), 4 deletions(-) | |
44 | ||
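--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -1619,10 +1619,10 @@ ath10k_wmi_tlv_op_gen_start_scan(struct
 bssid_len = arg->n_bssids * sizeof(struct wmi_mac_addr);
 ie_len = roundup(arg->ie_len, 4);
 len = (sizeof(*tlv) + sizeof(*cmd)) +
- (arg->n_channels ? sizeof(*tlv) + chan_len : 0) +
- (arg->n_ssids ? sizeof(*tlv) + ssid_len : 0) +
- (arg->n_bssids ? sizeof(*tlv) + bssid_len : 0) +
- (arg->ie_len ? sizeof(*tlv) + ie_len : 0);
+ sizeof(*tlv) + chan_len +
+ sizeof(*tlv) + ssid_len +
+ sizeof(*tlv) + bssid_len +
+ sizeof(*tlv) + ie_len;
 
 skb = ath10k_wmi_alloc_skb(ar, len);
 if (!skb)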
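Review bot: The new `len` expression has no comment saying why the four `sizeof(*tlv)` terms are now unconditional, and that invariant is exactly what the old code got wrong. According to the commit message, a TLV header is accounted for even when the element is zero-length, so I would add above `len = ...` a comment such as `/* every array TLV header is written even when the array is empty, so always count it */`. The part of ath10k_wmi_tlv_op_gen_start_scan that fills the skb lies outside this hunk, so it cannot be confirmed from here that the bytes written match `len` exactly. A check at the end of the fill that the write pointer advanced exactly `len` bytes would turn a future mismatch into a warning instead of a write past the allocated buffer. The sum is also unchecked arithmetic on caller-supplied values (`arg->n_bssids` and `arg->ie_len` are visible here); presumably these are bounded before this point, which is worth confirming.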