Kezdőlap Felfedezés Súgó
Bejelentkezés
jahway603
/
libreCMC
másolva libreCMC/libreCMC
1
0
Másolás 0
Fájlok
Fa: df73ffc518
Branch-ok Tag-ek
libreCMC
/
package
/
kernel
/
mac80211
/
patches
/
ath11k
/
0062-wifi-ath11k-fix-double-free-of-peer-rx_tid-during-re.patch

0062-wifi-ath11k-fix-double-free-of-peer-rx_tid-during-re.patch 4.5 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. From 93a91f40c25c3d0e61f8540a7accf105090f9995 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Harshitha Prem <quic_hprem@quicinc.com>
    3. 

  3. Date: Mon, 17 Apr 2023 13:35:00 +0300
    4. 

  4. Subject: [PATCH] wifi: ath11k: fix double free of peer rx_tid during reo cmd
    5. 

  5.  failure
    6. 

  6. 

  7. Peer rx_tid is locally copied thrice during peer_rx_tid_cleanup to
    8. 

  8. send REO_CMD_UPDATE_RX_QUEUE followed by REO_CMD_FLUSH_CACHE to flush
    9. 

  9. all aged REO descriptors from HW cache.
    10. 

  10. 

  11. When sending REO_CMD_FLUSH_CACHE fails, we do dma unmap of already
    12. 

  12. mapped rx_tid->vaddr and free it. This is not checked during
    13. 

  13. reo_cmd_list_cleanup() and dp_reo_cmd_free() before trying to free and
    14. 

  14. unmap again.
    15. 

  15. 

  16. Fix this by setting rx_tid->vaddr NULL in rx tid delete and also
    17. 

  17. wherever freeing it to check in reo_cmd_list_cleanup() and
    18. 

  18. reo_cmd_free() before trying to free again.
    19. 

  19. 

  20. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
    21. 

  21. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
    22. 

  22. 

  23. Signed-off-by: Sathishkumar Muruganandam <quic_murugana@quicinc.com>
    24. 

  24. Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
    25. 

  25. Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    26. 

  26. Link: https://lore.kernel.org/r/20230403182420.23375-2-quic_hprem@quicinc.com
    27. 

  27. ---
    28. 

  28.  drivers/net/wireless/ath/ath11k/dp_rx.c | 43 ++++++++++++++++++-------
    29. 

  29.  1 file changed, 31 insertions(+), 12 deletions(-)
    30. 

  30. 

  31. --- a/drivers/net/wireless/ath/ath11k/dp_rx.c
    32. 

  32. +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
    33. 

  33. @@ -668,13 +668,18 @@ void ath11k_dp_reo_cmd_list_cleanup(stru
    34. 

  34.  	struct ath11k_dp *dp = &ab->dp;
    35. 

  35.  	struct dp_reo_cmd *cmd, *tmp;
    36. 

  36.  	struct dp_reo_cache_flush_elem *cmd_cache, *tmp_cache;
    37. 

  37. +	struct dp_rx_tid *rx_tid;
    38. 

  38.  
    39. 

  39.  	spin_lock_bh(&dp->reo_cmd_lock);
    40. 

  40.  	list_for_each_entry_safe(cmd, tmp, &dp->reo_cmd_list, list) {
    41. 

  41.  		list_del(&cmd->list);
    42. 

  42. -		dma_unmap_single(ab->dev, cmd->data.paddr,
    43. 

  43. -				 cmd->data.size, DMA_BIDIRECTIONAL);
    44. 

  44. -		kfree(cmd->data.vaddr);
    45. 

  45. +		rx_tid = &cmd->data;
    46. 

  46. +		if (rx_tid->vaddr) {
    47. 

  47. +			dma_unmap_single(ab->dev, rx_tid->paddr,
    48. 

  48. +					 rx_tid->size, DMA_BIDIRECTIONAL);
    49. 

  49. +			kfree(rx_tid->vaddr);
    50. 

  50. +			rx_tid->vaddr = NULL;
    51. 

  51. +		}
    52. 

  52.  		kfree(cmd);
    53. 

  53.  	}
    54. 

  54.  
    55. 

  55. @@ -682,9 +687,13 @@ void ath11k_dp_reo_cmd_list_cleanup(stru
    56. 

  56.  				 &dp->reo_cmd_cache_flush_list, list) {
    57. 

  57.  		list_del(&cmd_cache->list);
    58. 

  58.  		dp->reo_cmd_cache_flush_count--;
    59. 

  59. -		dma_unmap_single(ab->dev, cmd_cache->data.paddr,
    60. 

  60. -				 cmd_cache->data.size, DMA_BIDIRECTIONAL);
    61. 

  61. -		kfree(cmd_cache->data.vaddr);
    62. 

  62. +		rx_tid = &cmd_cache->data;
    63. 

  63. +		if (rx_tid->vaddr) {
    64. 

  64. +			dma_unmap_single(ab->dev, rx_tid->paddr,
    65. 

  65. +					 rx_tid->size, DMA_BIDIRECTIONAL);
    66. 

  66. +			kfree(rx_tid->vaddr);
    67. 

  67. +			rx_tid->vaddr = NULL;
    68. 

  68. +		}
    69. 

  69.  		kfree(cmd_cache);
    70. 

  70.  	}
    71. 

  71.  	spin_unlock_bh(&dp->reo_cmd_lock);
    72. 

  72. @@ -698,10 +707,12 @@ static void ath11k_dp_reo_cmd_free(struc
    73. 

  73.  	if (status != HAL_REO_CMD_SUCCESS)
    74. 

  74.  		ath11k_warn(dp->ab, "failed to flush rx tid hw desc, tid %d status %d\n",
    75. 

  75.  			    rx_tid->tid, status);
    76. 

  76. -
    77. 

  77. -	dma_unmap_single(dp->ab->dev, rx_tid->paddr, rx_tid->size,
    78. 

  78. -			 DMA_BIDIRECTIONAL);
    79. 

  79. -	kfree(rx_tid->vaddr);
    80. 

  80. +	if (rx_tid->vaddr) {
    81. 

  81. +		dma_unmap_single(dp->ab->dev, rx_tid->paddr, rx_tid->size,
    82. 

  82. +				 DMA_BIDIRECTIONAL);
    83. 

  83. +		kfree(rx_tid->vaddr);
    84. 

  84. +		rx_tid->vaddr = NULL;
    85. 

  85. +	}
    86. 

  86.  }
    87. 

  87.  
    88. 

  88.  static void ath11k_dp_reo_cache_flush(struct ath11k_base *ab,
    89. 

  89. @@ -740,6 +751,7 @@ static void ath11k_dp_reo_cache_flush(st
    90. 

  90.  		dma_unmap_single(ab->dev, rx_tid->paddr, rx_tid->size,
    91. 

  91.  				 DMA_BIDIRECTIONAL);
    92. 

  92.  		kfree(rx_tid->vaddr);
    93. 

  93. +		rx_tid->vaddr = NULL;
    94. 

  94.  	}
    95. 

  95.  }
    96. 

  96.  
    97. 

  97. @@ -792,6 +804,7 @@ free_desc:
    98. 

  98.  	dma_unmap_single(ab->dev, rx_tid->paddr, rx_tid->size,
    99. 

  99.  			 DMA_BIDIRECTIONAL);
    100. 

  100.  	kfree(rx_tid->vaddr);
    101. 

  101. +	rx_tid->vaddr = NULL;
    102. 

  102.  }
    103. 

  103.  
    104. 

  104.  void ath11k_peer_rx_tid_delete(struct ath11k *ar,
    105. 

  105. @@ -804,6 +817,8 @@ void ath11k_peer_rx_tid_delete(struct at
    106. 

  106.  	if (!rx_tid->active)
    107. 

  107.  		return;
    108. 

  108.  
    109. 

  109. +	rx_tid->active = false;
    110. 

  110. +
    111. 

  111.  	cmd.flag = HAL_REO_CMD_FLG_NEED_STATUS;
    112. 

  112.  	cmd.addr_lo = lower_32_bits(rx_tid->paddr);
    113. 

  113.  	cmd.addr_hi = upper_32_bits(rx_tid->paddr);
    114. 

  114. @@ -818,9 +833,11 @@ void ath11k_peer_rx_tid_delete(struct at
    115. 

  115.  		dma_unmap_single(ar->ab->dev, rx_tid->paddr, rx_tid->size,
    116. 

  116.  				 DMA_BIDIRECTIONAL);
    117. 

  117.  		kfree(rx_tid->vaddr);
    118. 

  118. +		rx_tid->vaddr = NULL;
    119. 

  119.  	}
    120. 

  120.  
    121. 

  121. -	rx_tid->active = false;
    122. 

  122. +	rx_tid->paddr = 0;
    123. 

  123. +	rx_tid->size = 0;
    124. 

  124.  }
    125. 

  125.  
    126. 

  126.  static int ath11k_dp_rx_link_desc_return(struct ath11k_base *ab,
    127. 

  127. @@ -967,6 +984,7 @@ static void ath11k_dp_rx_tid_mem_free(st
    128. 

  128.  	dma_unmap_single(ab->dev, rx_tid->paddr, rx_tid->size,
    129. 

  129.  			 DMA_BIDIRECTIONAL);
    130. 

  130.  	kfree(rx_tid->vaddr);
    131. 

  131. +	rx_tid->vaddr = NULL;
    132. 

  132.  
    133. 

  133.  	rx_tid->active = false;
    134. 

  134.  
    135. 

  135. @@ -1067,7 +1085,8 @@ int ath11k_peer_rx_tid_setup(struct ath1
    136. 

  136.  	return ret;
    137. 

  137.  
    138. 

  138.  err_mem_free:
    139. 

  139. -	kfree(vaddr);
    140. 

  140. +	kfree(rx_tid->vaddr);
    141. 

  141. +	rx_tid->vaddr = NULL;
    142. 

  142.  
    143. 

  143.  	return ret;
    144. 

  144.  }
    145.