--- /dev/null
+From 50e79e25250bf928369996277e85b00536b380c7 Mon Sep 17 00:00:00 2001
+From: Yu Wang <yyuwang@codeaurora.org>
+Date: Tue, 30 Jan 2018 14:06:08 +0200
+Subject: ath10k: fix kernel panic issue during pci probe
+
+From: Yu Wang <yyuwang@codeaurora.org>
+
+commit 50e79e25250bf928369996277e85b00536b380c7 upstream.
+
+If device gone during chip reset, ar->normal_mode_fw.board is not
+initialized, but ath10k_debug_print_hwfw_info() will try to access its
+member, which will cause 'kernel NULL pointer' issue. This was found
+using a faulty device (pci link went down sometimes) in a random
+insmod/rmmod/other-op test.
+To fix it, check ar->normal_mode_fw.board before accessing the member.
+
+pci 0000:02:00.0: BAR 0: assigned [mem 0xf7400000-0xf75fffff 64bit]
+ath10k_pci 0000:02:00.0: enabling device (0000 -> 0002)
+ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0
+ath10k_pci 0000:02:00.0: failed to read device register, device is gone
+ath10k_pci 0000:02:00.0: failed to wait for target init: -5
+ath10k_pci 0000:02:00.0: failed to warm reset: -5
+ath10k_pci 0000:02:00.0: firmware crashed during chip reset
+ath10k_pci 0000:02:00.0: firmware crashed! (uuid 5d018951-b8e1-404a-8fde-923078b4423a)
+ath10k_pci 0000:02:00.0: (null) target 0x00000000 chip_id 0x00340aff sub 0000:0000
+ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1
+ath10k_pci 0000:02:00.0: firmware ver api 0 features crc32 00000000
+...
+BUG: unable to handle kernel NULL pointer dereference at 00000004
+...
+Call Trace:
+ [<fb4e7882>] ath10k_print_driver_info+0x12/0x20 [ath10k_core]
+ [<fb62b7dd>] ath10k_pci_fw_crashed_dump+0x6d/0x4d0 [ath10k_pci]
+ [<fb629f07>] ? ath10k_pci_sleep.part.19+0x57/0xc0 [ath10k_pci]
+ [<fb62c8ee>] ath10k_pci_hif_power_up+0x14e/0x1b0 [ath10k_pci]
+ [<c10477fb>] ? do_page_fault+0xb/0x10
+ [<fb4eb934>] ath10k_core_register_work+0x24/0x840 [ath10k_core]
+ [<c18a00d8>] ? netlbl_unlhsh_remove+0x178/0x410
+ [<c10477f0>] ? __do_page_fault+0x480/0x480
+ [<c1068e44>] process_one_work+0x114/0x3e0
+ [<c1069d07>] worker_thread+0x37/0x4a0
+ [<c106e294>] kthread+0xa4/0xc0
+ [<c1069cd0>] ? create_worker+0x180/0x180
+ [<c106e1f0>] ? kthread_park+0x50/0x50
+ [<c18ab4f7>] ret_from_fork+0x1b/0x28
+ Code: 78 80 b8 50 09 00 00 00 75 5d 8d 75 94 c7 44 24 08 aa d7 52 fb c7 44 24 04 64 00 00 00
+ 89 34 24 e8 82 52 e2 c5 8b 83 dc 08 00 00 <8b> 50 04 8b 08 31 c0 e8 20 57 e3 c5 89 44 24 10 8b 83 58 09 00
+ EIP: [<fb4e7754>]-
+ ath10k_debug_print_board_info+0x34/0xb0 [ath10k_core]
+ SS:ESP 0068:f4921d90
+ CR2: 0000000000000004
+
+Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[AmitP: Minor rebasing for 4.14.y and 4.9.y]
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/debug.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/debug.c
++++ b/drivers/net/wireless/ath/ath10k/debug.c
+@@ -1,6 +1,7 @@
+ /*
+ * Copyright (c) 2005-2011 Atheros Communications Inc.
+ * Copyright (c) 2011-2013 Qualcomm Atheros, Inc.
++ * Copyright (c) 2018, The Linux Foundation. All rights reserved.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -161,6 +162,8 @@ void ath10k_debug_print_hwfw_info(struct
+ void ath10k_debug_print_board_info(struct ath10k *ar)
+ {
+ char boardinfo[100];
++ const struct firmware *board;
++ u32 crc;
+
+ if (ar->id.bmi_ids_valid)
+ scnprintf(boardinfo, sizeof(boardinfo), "%d:%d",
+@@ -168,11 +171,16 @@ void ath10k_debug_print_board_info(struc
+ else
+ scnprintf(boardinfo, sizeof(boardinfo), "N/A");
+
++ board = ar->normal_mode_fw.board;
++ if (!IS_ERR_OR_NULL(board))
++ crc = crc32_le(0, board->data, board->size);
++ else
++ crc = 0;
++
+ ath10k_info(ar, "board_file api %d bmi_id %s crc32 %08x",
+ ar->bd_api,
+ boardinfo,
+- crc32_le(0, ar->normal_mode_fw.board->data,
+- ar->normal_mode_fw.board->size));
++ crc);
+ }
+
+ void ath10k_debug_print_boot_info(struct ath10k *ar)
--- /dev/null
+From 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac Mon Sep 17 00:00:00 2001
+From: Carl Huang <cjhuang@codeaurora.org>
+Date: Mon, 5 Mar 2018 14:44:02 +0800
+Subject: ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
+
+From: Carl Huang <cjhuang@codeaurora.org>
+
+commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream.
+
+The skb may be freed in tx completion context before
+trace_ath10k_wmi_cmd is called. This can be easily captured when
+KASAN(Kernel Address Sanitizer) is enabled. The fix is to move
+trace_ath10k_wmi_cmd before the send operation. As the ret has no
+meaning in trace_ath10k_wmi_cmd then, so remove this parameter too.
+
+Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
+Tested-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/trace.h | 12 ++++--------
+ drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
+ 2 files changed, 5 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/trace.h
++++ b/drivers/net/wireless/ath/ath10k/trace.h
+@@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump,
+ );
+
+ TRACE_EVENT(ath10k_wmi_cmd,
+- TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len,
+- int ret),
++ TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len),
+
+- TP_ARGS(ar, id, buf, buf_len, ret),
++ TP_ARGS(ar, id, buf, buf_len),
+
+ TP_STRUCT__entry(
+ __string(device, dev_name(ar->dev))
+@@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd,
+ __field(unsigned int, id)
+ __field(size_t, buf_len)
+ __dynamic_array(u8, buf, buf_len)
+- __field(int, ret)
+ ),
+
+ TP_fast_assign(
+@@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd,
+ __assign_str(driver, dev_driver_string(ar->dev));
+ __entry->id = id;
+ __entry->buf_len = buf_len;
+- __entry->ret = ret;
+ memcpy(__get_dynamic_array(buf), buf, buf_len);
+ ),
+
+ TP_printk(
+- "%s %s id %d len %zu ret %d",
++ "%s %s id %d len %zu",
+ __get_str(driver),
+ __get_str(device),
+ __entry->id,
+- __entry->buf_len,
+- __entry->ret
++ __entry->buf_len
+ )
+ );
+
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -1711,8 +1711,8 @@ int ath10k_wmi_cmd_send_nowait(struct at
+ cmd_hdr->cmd_id = __cpu_to_le32(cmd);
+
+ memset(skb_cb, 0, sizeof(*skb_cb));
++ trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len);
+ ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb);
+- trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret);
+
+ if (ret)
+ goto err_pull;
projects / thirdparty / kernel / stable-queue.git / commitdiff
