From f2de3ad0777c1345c7f1cd7482fbe9adf2d4c1d5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 11 Oct 2018 11:33:10 +0200 Subject: [PATCH] 4.9-stable patches added patches: ath10k-fix-kernel-panic-issue-during-pci-probe.patch ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch --- ...-kernel-panic-issue-during-pci-probe.patch | 100 ++++++++++++++++++ ...r-free-in-ath10k_wmi_cmd_send_nowait.patch | 82 ++++++++++++++ queue-4.9/series | 2 + 3 files changed, 184 insertions(+) create mode 100644 queue-4.9/ath10k-fix-kernel-panic-issue-during-pci-probe.patch create mode 100644 queue-4.9/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch diff --git a/queue-4.9/ath10k-fix-kernel-panic-issue-during-pci-probe.patch b/queue-4.9/ath10k-fix-kernel-panic-issue-during-pci-probe.patch new file mode 100644 index 00000000000..ae338e69352 --- /dev/null +++ b/queue-4.9/ath10k-fix-kernel-panic-issue-during-pci-probe.patch @@ -0,0 +1,100 @@ +From 50e79e25250bf928369996277e85b00536b380c7 Mon Sep 17 00:00:00 2001 +From: Yu Wang +Date: Tue, 30 Jan 2018 14:06:08 +0200 +Subject: ath10k: fix kernel panic issue during pci probe + +From: Yu Wang + +commit 50e79e25250bf928369996277e85b00536b380c7 upstream. + +If device gone during chip reset, ar->normal_mode_fw.board is not +initialized, but ath10k_debug_print_hwfw_info() will try to access its +member, which will cause 'kernel NULL pointer' issue. This was found +using a faulty device (pci link went down sometimes) in a random +insmod/rmmod/other-op test. +To fix it, check ar->normal_mode_fw.board before accessing the member. + +pci 0000:02:00.0: BAR 0: assigned [mem 0xf7400000-0xf75fffff 64bit] +ath10k_pci 0000:02:00.0: enabling device (0000 -> 0002) +ath10k_pci 0000:02:00.0: pci irq msi oper_irq_mode 2 irq_mode 0 reset_mode 0 +ath10k_pci 0000:02:00.0: failed to read device register, device is gone +ath10k_pci 0000:02:00.0: failed to wait for target init: -5 +ath10k_pci 0000:02:00.0: failed to warm reset: -5 +ath10k_pci 0000:02:00.0: firmware crashed during chip reset +ath10k_pci 0000:02:00.0: firmware crashed! (uuid 5d018951-b8e1-404a-8fde-923078b4423a) +ath10k_pci 0000:02:00.0: (null) target 0x00000000 chip_id 0x00340aff sub 0000:0000 +ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1 +ath10k_pci 0000:02:00.0: firmware ver api 0 features crc32 00000000 +... +BUG: unable to handle kernel NULL pointer dereference at 00000004 +... +Call Trace: + [] ath10k_print_driver_info+0x12/0x20 [ath10k_core] + [] ath10k_pci_fw_crashed_dump+0x6d/0x4d0 [ath10k_pci] + [] ? ath10k_pci_sleep.part.19+0x57/0xc0 [ath10k_pci] + [] ath10k_pci_hif_power_up+0x14e/0x1b0 [ath10k_pci] + [] ? do_page_fault+0xb/0x10 + [] ath10k_core_register_work+0x24/0x840 [ath10k_core] + [] ? netlbl_unlhsh_remove+0x178/0x410 + [] ? __do_page_fault+0x480/0x480 + [] process_one_work+0x114/0x3e0 + [] worker_thread+0x37/0x4a0 + [] kthread+0xa4/0xc0 + [] ? create_worker+0x180/0x180 + [] ? kthread_park+0x50/0x50 + [] ret_from_fork+0x1b/0x28 + Code: 78 80 b8 50 09 00 00 00 75 5d 8d 75 94 c7 44 24 08 aa d7 52 fb c7 44 24 04 64 00 00 00 + 89 34 24 e8 82 52 e2 c5 8b 83 dc 08 00 00 <8b> 50 04 8b 08 31 c0 e8 20 57 e3 c5 89 44 24 10 8b 83 58 09 00 + EIP: []- + ath10k_debug_print_board_info+0x34/0xb0 [ath10k_core] + SS:ESP 0068:f4921d90 + CR2: 0000000000000004 + +Signed-off-by: Yu Wang +Signed-off-by: Kalle Valo +[AmitP: Minor rebasing for 4.14.y and 4.9.y] +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/debug.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/debug.c ++++ b/drivers/net/wireless/ath/ath10k/debug.c +@@ -1,6 +1,7 @@ + /* + * Copyright (c) 2005-2011 Atheros Communications Inc. + * Copyright (c) 2011-2013 Qualcomm Atheros, Inc. ++ * Copyright (c) 2018, The Linux Foundation. All rights reserved. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -161,6 +162,8 @@ void ath10k_debug_print_hwfw_info(struct + void ath10k_debug_print_board_info(struct ath10k *ar) + { + char boardinfo[100]; ++ const struct firmware *board; ++ u32 crc; + + if (ar->id.bmi_ids_valid) + scnprintf(boardinfo, sizeof(boardinfo), "%d:%d", +@@ -168,11 +171,16 @@ void ath10k_debug_print_board_info(struc + else + scnprintf(boardinfo, sizeof(boardinfo), "N/A"); + ++ board = ar->normal_mode_fw.board; ++ if (!IS_ERR_OR_NULL(board)) ++ crc = crc32_le(0, board->data, board->size); ++ else ++ crc = 0; ++ + ath10k_info(ar, "board_file api %d bmi_id %s crc32 %08x", + ar->bd_api, + boardinfo, +- crc32_le(0, ar->normal_mode_fw.board->data, +- ar->normal_mode_fw.board->size)); ++ crc); + } + + void ath10k_debug_print_boot_info(struct ath10k *ar) diff --git a/queue-4.9/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch b/queue-4.9/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch new file mode 100644 index 00000000000..8b1d461407f --- /dev/null +++ b/queue-4.9/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch @@ -0,0 +1,82 @@ +From 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac Mon Sep 17 00:00:00 2001 +From: Carl Huang +Date: Mon, 5 Mar 2018 14:44:02 +0800 +Subject: ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait + +From: Carl Huang + +commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream. + +The skb may be freed in tx completion context before +trace_ath10k_wmi_cmd is called. This can be easily captured when +KASAN(Kernel Address Sanitizer) is enabled. The fix is to move +trace_ath10k_wmi_cmd before the send operation. As the ret has no +meaning in trace_ath10k_wmi_cmd then, so remove this parameter too. + +Signed-off-by: Carl Huang +Tested-by: Brian Norris +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/trace.h | 12 ++++-------- + drivers/net/wireless/ath/ath10k/wmi.c | 2 +- + 2 files changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/trace.h ++++ b/drivers/net/wireless/ath/ath10k/trace.h +@@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump, + ); + + TRACE_EVENT(ath10k_wmi_cmd, +- TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len, +- int ret), ++ TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len), + +- TP_ARGS(ar, id, buf, buf_len, ret), ++ TP_ARGS(ar, id, buf, buf_len), + + TP_STRUCT__entry( + __string(device, dev_name(ar->dev)) +@@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd, + __field(unsigned int, id) + __field(size_t, buf_len) + __dynamic_array(u8, buf, buf_len) +- __field(int, ret) + ), + + TP_fast_assign( +@@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd, + __assign_str(driver, dev_driver_string(ar->dev)); + __entry->id = id; + __entry->buf_len = buf_len; +- __entry->ret = ret; + memcpy(__get_dynamic_array(buf), buf, buf_len); + ), + + TP_printk( +- "%s %s id %d len %zu ret %d", ++ "%s %s id %d len %zu", + __get_str(driver), + __get_str(device), + __entry->id, +- __entry->buf_len, +- __entry->ret ++ __entry->buf_len + ) + ); + +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1711,8 +1711,8 @@ int ath10k_wmi_cmd_send_nowait(struct at + cmd_hdr->cmd_id = __cpu_to_le32(cmd); + + memset(skb_cb, 0, sizeof(*skb_cb)); ++ trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len); + ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb); +- trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret); + + if (ret) + goto err_pull; diff --git a/queue-4.9/series b/queue-4.9/series index a73baa2199a..8335b144728 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -16,3 +16,5 @@ of-unittest-disable-interrupt-node-tests-for-old-world-mac-systems.patch ext4-add-corruption-check-in-ext4_xattr_set_entry.patch ext4-always-verify-the-magic-number-in-xattr-blocks.patch cgroup-fix-deadlock-in-cpu-hotplug-path.patch +ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch +ath10k-fix-kernel-panic-issue-during-pci-probe.patch -- 2.47.2