- 27 Jun, 2019 11 commits
-
-
Alexei Avshalom Lazar authored
The return value of wil_find_cid()/wil_find_cid_by_idx() is validated with the lower boundary value. Check the upper boundary value as well. Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Maya Erez authored
Clear the FW and ucode log address on device initialization to allow user space app identify when the address was set by FW/ucode and it can start read. Signed-off-by: Tzahi Sabo <stzahi@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Dedy Lansky authored
Replace sprintf with snprintf which checks the destination buffer size. Signed-off-by: Dedy Lansky <dlansky@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Alexei Avshalom Lazar authored
RBUFCAP support added in FW. The RBUFCAP feature is amendment to the block ack mechanism to prevent overloading of the recipient’s memory space, which may happen in case the link speed is higher than STA’s capability to process or consume incoming data. The block ack policy (ba_policy) is now controlled by FW so driver should ignore this field. Add new debugfs "rbufcap" to configure RBUFCAP. Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ahmad Masri authored
The driver updates Tx status ring HW tail only after it finishes processing the whole status ring, while the HW is still transmitting from other transmit rings. This can cause back-pressure on HW if no status entries are available. Update HW tail of Tx status ring without waiting for the end of the processing to help feeding back the HW with status entries and to allow additional packet transmission. Signed-off-by: Ahmad Masri <amasri@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ahmad Masri authored
With multiple clients and in high throughput scenarios, Tx status ring can get full and become a bottleneck in Tx transmission. Set the default Tx status ring size order to 13, previous value was 12. This will double the status ring size from 4K entries to 8K entries. Signed-off-by: Ahmad Masri <amasri@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Alexei Avshalom Lazar authored
Currently the FW is reset on every interface type change, because of various FW bugs. FW reset is not required when switching from STA to P2P client, hence can be skipped. Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Greg Kroah-Hartman authored
When calling debugfs functions, there is no need to ever check the return value. The function can work or not, but the code logic should never do something different based on this. Cc: Maya Erez <merez@codeaurora.org> Cc: Kalle Valo <kvalo@codeaurora.org> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-wireless@vger.kernel.org Cc: wil6210@qti.qualcomm.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Christian Lamparter authored
This patch removes the error branch for (queue > ar->hw->queues). It is no longer needed anymore as the "queue" value is validated by cfg80211's parse_txq_params() before the driver code gets called. Some background: In the old days (linux 2.6 and early 3.x), the parse_txq_params() function did not verify the "queue" value. That's why these drivers had to do it. Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Christian Lamparter authored
This patch follows Alan Stern's recent patch: "p54: Fix race between disconnect and firmware loading" that overhauled carl9170 buggy firmware loading and driver unbinding procedures. Since the carl9170 code was adapted from p54 it uses the same functions and is likely to have the same problem, but it's just that the syzbot hasn't reproduce them (yet). a summary from the changes (copied from the p54 patch): * Call usb_driver_release_interface() rather than device_release_driver(). * Lock udev (the interface's parent) before unbinding the driver instead of locking udev->parent. * During the firmware loading process, take a reference to the USB interface instead of the USB device. * Don't take an unnecessary reference to the device during probe (and then don't drop it during disconnect). and * Make sure to prevent use-after-free bugs by explicitly setting the driver context to NULL after signaling the completion. Cc: <stable@vger.kernel.org> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Acked-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Zefir Kurtisi authored
In commit 3c0efb74 ("ath9k: discard undersized packets") the lower bound of RX packets was set to 10 (min ACK size) to filter those that would otherwise be treated as invalid at mac80211. Alas, short radar pulses are reported as PHY_ERROR frames with length set to 3. Therefore their detection stopped working after that commit. NOTE: ath9k drivers built thereafter will not pass DFS certification. This extends the criteria for short packets to explicitly handle PHY_ERROR frames. Fixes: 3c0efb74 ("ath9k: discard undersized packets") Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
- 25 Jun, 2019 17 commits
-
-
Govind Singh authored
Integrated WiFi chipset ex:WCN399x supports fw logging using WMI copy engine and shared mem DIAG based fw logging. By default shared mem DIAG based fw logging is enabled. To support WMI copy engine based fw logging add QMI control message to enable WMI copy engine based fw logging. Enable WMI based fw logging using fw_diag_log module parameter. insmod ath10k_core.ko fw_diag_log=1 DIAG utility(https://github.com/andersson/diag) implements extraction of diagnostics related messages between application processor and various subsystems while shared mem DIAG based fw logging is enabled. Testing: Tested on WCN3990/QCA6174 HW Tested FW: WLAN.HL.3.1-00959-QCAHLSWMTPLZ-1 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Wen Gong authored
Firmware will report flag with HTT_RX_IND_MPDU_STATUS_TKIP_MIC_ERR if MIC error, the flag will be used in mac80211. ieee80211_rx_h_michael_mic_verify will check the flag and start TKIP countermeasures. Now countermeasure tests pass both with WPA only and WPA2/WPA mixed mode. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Ashok Raj Nagarajan authored
This patch will add the support to control the transmit power for traffic to a station associated with the AP. Underlying firmware will enforce that the maximum tx power will be based on the regulatory requirements. If the user given transmit power is greater than the allowed tx power in the given channel, then the firmware will use the maximum tx power in the same channel. Max and Min tx power values will depends on no of tx chain masks, for QCA9984 allowed tx power range values from 6 to 23. When 0 is sent to the firmware as tx power, it will revert to the default tx power for the station. Tested Hardware : QCA9984 Tested Firmware : 10.4-3.9.0.2-00046 Co-developed-by: Balaji Pothunoori <bpothuno@codeaurora.org> Signed-off-by: Ashok Raj Nagarajan <arnagara@codeaurora.org> Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Dundi Raviteja authored
Peer creation in firmware fails if last peer deletion is still in progress. The firmware sends a peer delete response event if it advertises the service WMI_SERVICE_SYNC_DELETE_CMDS. This peer delete response event is used to synchronize the peer deletion. Add peer delete response event and wait for the event after deleting every peer from host driver to synchronize with firmware. Tested HW: WCN3990 Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 Signed-off-by: Dundi Raviteja <dundi@codeaurora.org> Signed-off-by: Rakesh Pillai <pillair@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Rakesh Pillai authored
When we add an interface immediately after removing the interface the vdev deletion in firmware might not have been completed. We need to synchronize the vdev creation with the firmware. Wait for vdev delete response from firmware when we remove an interface. Tested HW: WCN3990 Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 Signed-off-by: Rakesh Pillai <pillair@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Miaoqing Pan authored
Observed PCIE device wake up failed after ~120 iterations of soft-reboot test. The error message is "ath10k_pci 0000:01:00.0: failed to wake up device : -110" The call trace as below: ath10k_pci_probe -> ath10k_pci_force_wake -> ath10k_pci_wake_wait -> ath10k_pci_is_awake Once trigger the device to wake up, we will continuously check the RTC state until it returns RTC_STATE_V_ON or timeout. But for QCA99x0 chips, we use wrong value for RTC_STATE_V_ON. Occasionally, we get 0x7 on the fist read, we thought as a failure case, but actually is the right value, also verified with the spec. So fix the issue by changing RTC_STATE_V_ON from 0x5 to 0x7, passed ~2000 iterations. Tested HW: QCA9984 Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Miaoqing Pan authored
Currently, below fixed rate commands are broken, iw wlanx set bitrates legacy-<2.4|5> ht-mcs-<2.4|5> vht-mcs-<2.4|5> \ <NSS:MCSx> iw wlanx set bitrates legacy-<2.4|5> <legacy rate> ht-mcs-<2.4|5> \ vht-mcs-<2.4|5> <NSS:MCSx> There are two methods to set fixed rate, both failed, - Use vdev fixed rate command This command only support one single rate, but it's broken due to mac80211 change commit e8e4f528 ("mac80211: reject/clear user rate mask if not usable"), which requires user to specify at least one legacy rate. So we can't use this command to set ht/vht single rate any more. - Use peer_assoc command This command can update rx capability for multiple rates, it will work fine for ht mcs rates, as each supported mcs can be advertised in ht_mcs index mask. But this will not work with vht rates because, as per the vht mcs capability advertisement, there are only two bits to indicate the supported mcs. E.g. only support 0-7, 0-8, 0-9. So introduced new WMI command: WMI_PEER_PARAM_FIXED_RATE. After peer assoc, the peer fixed rate cmd will work for that specific peer. Remaining peers will use auto rate. If both vdev fixed rate and peer fixed rates are given, peer fixed rate will take effect to peers for which this cmd is given. Remaining peers in that vdev, will use vdev fixed rate. Tested HW: QCA9984 Tested FW: 10.4-3.9.0.2-00035 Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Fabio Estevam authored
The "WARNING" string confuses syzbot, which thinks it found a crash [1]. Change the string to avoid such problem. [1] https://lkml.org/lkml/2019/5/9/243 Reported-by: syzbot+c1b25598aa60dcd47e78@syzkaller.appspotmail.com Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Fabio Estevam <festevam@gmail.com> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Miaoqing Pan authored
On SMP platform, when continuously running wifi up/down, the napi poll can be scheduled during chip reset, which will call ath10k_pci_has_fw_crashed() to check the fw status. But in the reset period, the value from FW_INDICATOR_ADDRESS register will return 0xdeadbeef, which also be treated as fw crash. Fix the issue by moving chip reset after napi disabled. ath10k_pci 0000:01:00.0: firmware crashed! (guid 73b30611-5b1e-4bdd-90b4-64c81eb947b6) ath10k_pci 0000:01:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe ath10k_pci 0000:01:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal otp max-sta 512 raw 0 hwcrypto 1 ath10k_pci 0000:01:00.0: failed to get memcpy hi address for firmware address 4: -16 ath10k_pci 0000:01:00.0: failed to read firmware dump area: -16 ath10k_pci 0000:01:00.0: Copy Engine register dump: ath10k_pci 0000:01:00.0: [00]: 0x0004a000 0 0 0 0 ath10k_pci 0000:01:00.0: [01]: 0x0004a400 0 0 0 0 ath10k_pci 0000:01:00.0: [02]: 0x0004a800 0 0 0 0 ath10k_pci 0000:01:00.0: [03]: 0x0004ac00 0 0 0 0 ath10k_pci 0000:01:00.0: [04]: 0x0004b000 0 0 0 0 ath10k_pci 0000:01:00.0: [05]: 0x0004b400 0 0 0 0 ath10k_pci 0000:01:00.0: [06]: 0x0004b800 0 0 0 0 ath10k_pci 0000:01:00.0: [07]: 0x0004bc00 1 0 1 0 ath10k_pci 0000:01:00.0: [08]: 0x0004c000 0 0 0 0 ath10k_pci 0000:01:00.0: [09]: 0x0004c400 0 0 0 0 ath10k_pci 0000:01:00.0: [10]: 0x0004c800 0 0 0 0 ath10k_pci 0000:01:00.0: [11]: 0x0004cc00 0 0 0 0 Tested HW: QCA9984,QCA9887,WCN3990 Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Claire Chang authored
In function ath10k_sdio_mbox_rx_alloc() [sdio.c], ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases. This will make the driver think the allocation for skb is successful and try to access the skb. If we enable failslab, system will easily crash with NULL pointer dereferencing. Call trace of CONFIG_FAILSLAB: ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio] process_sdio_pending_irqs+0x4c/0x174 sdio_run_irqs+0x3c/0x64 sdio_irq_work+0x1c/0x28 Fixes: d96db25d ("ath10k: add initial SDIO support") Signed-off-by: Claire Chang <tientzu@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Balaji Pothunoori authored
For QCA988X target, pktlog gives details of the tx bitrate which is used in the driver for station info. Enabling pktlog by default will cause more interrupts in target to host CE pipe, which can impact more CPU usage for targets ex:WCN3990 and also not required for all other platforms (eg: WCN3990), for getting tx bitrate. Enable pktlog only for QCA988X based on hardware params. Tested HW : WCN3990 Tested FW : WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1 Fixes: e8123bb7 ("ath10k: add per peer tx stats support for 10.2.4") Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Claire Chang authored
Lockdep warns at lockdep_assert_held(&ar->data_lock) in ath10k_htt_rx_pn_check_replay_hl(). Acquire ar->data_lock before calling ath10k_htt_rx_pn_check_replay_hl() to fix it. Call trace: ath10k_htt_rx_pn_check_replay_hl+0x118/0x134 [ath10k_core] ath10k_htt_rx_proc_rx_ind_hl+0xd8/0x250 [ath10k_core] ath10k_htt_t2h_msg_handler+0x148/0xf30 [ath10k_core] ath10k_htt_htc_t2h_msg_handler+0x24/0x40 [ath10k_core] ath10k_sdio_irq_handler+0x374/0xaa4 [ath10k_sdio] Fixes: 130c7749 ("ath10k: add PN replay protection for high latency devices") Signed-off-by: Claire Chang <tientzu@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Wen Gong authored
Firmware name for UTF mode of SDIO has changed from utf-2.bin to utf-sdio-2.bin, so it need to change in ath10k, otherwise it will fail for UTF mode. After change the name in ath10k, it will success for UTF mode of SDIO/USB. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Wen Gong authored
The command to simulate firmware crash: echo soft > /sys/kernel/debug/ieee80211/phy0/ath10k/simulate_fw_crash It will send WMI_FORCE_FW_HANG_ASSERT to firmware, then it will trigger CPU interrupt status register for SDIO chip, ath10k driver need to configure it while enable SDIO interrupt, otherwise ath10k driver will not get the assert error info. After this change, it will success for simulate firmware crash. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1. Signed-off-by: Wen Gong <wgong@codeaurora.org> Tested-by: Claire Chang <tientzu@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Venkateswara Naralasetty authored
ath10k_dbg() is called in ath10k_process_rx() with huge set of arguments which is causing CPU overhead even when debug_mask is not set. Good improvement was observed in the receive side performance when call to ath10k_dbg() is avoided in the RX path. Since currently all debug messages are sent via tracing infrastructure, we cannot entirely avoid calling ath10k_dbg. Therefore, call to ath10k_dbg() is made conditional based on tracing config in the driver. Trasmit performance remains unchanged with this patch; below are some experimental results with this patch and tracing disabled. mesh mode: w/o this patch with this patch Traffic TP CPU Usage TP CPU usage TCP 840Mbps 76.53% 960Mbps 78.14% UDP 1030Mbps 74.58% 1132Mbps 74.31% Infra mode: w/o this patch with this patch Traffic TP CPU Usage TP CPU usage TCP Rx 1241Mbps 80.89% 1270Mbps 73.50% UDP Rx 1433Mbps 81.77% 1472Mbps 72.80% Tested platform : IPQ8064 hardware used : QCA9984 firmware ver : ver 10.4-3.5.3-00057 Signed-off-by: Kan Yan <kyan@chromium.org> Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Erik Stromdahl authored
Without this op, it will not be possible to configure aggregation for high latency devices. Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Erik Stromdahl authored
This is done in order to make the *htt_h2t_aggr_cfg_msg* op align better with the rest of the htt ops (whom all have inline wrappers). It also adds support for the case when the op is missing (function pointer is NULL). As a result of this, the name of the 32 bit implementation in htt_tx.c was changed and the function was made static. Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
- 27 May, 2019 5 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for 5.3. Major changes: ath10k * enable SDIO support, first one being QCA6174 hw3.2
-
YueHaibing authored
Fix sparse warning: drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:6216:14: warning: symbol 't4_get_tp_e2c_map' was not declared. Should it be static? Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Ahern authored
I was really surprised that the IPv6 mtu exception followed by redirect test was passing as nothing about the code suggests it should. The problem is actually with the logic in the test script. Fix the test cases as follows: 1. add debug function to dump the initial and redirect gateway addresses for ipv6. This is shown only in verbose mode. It helps verify the output of 'route get'. 2. fix the check_exception logic for the reset case to make sure that for IPv4 neither mtu nor redirect appears in the 'route get' output. For IPv6, make sure mtu is not present and the gateway is the initial R1 lladdr. 3. fix the reset logic by using a function to delete the routes added by initial_route_*. This format works better for the nexthop version of the tests. While improving the test cases, go ahead and ensure that forwarding is disabled since IPv6 redirect requires it. Also, runs with kernel debugging enabled sometimes show a failure with one of the ipv4 tests, so spread the pings over longer time interval. The end result is that 2 tests now show failures: TEST: IPv6: mtu exception plus redirect [FAIL] and the VRF version. This is a bug in the IPv6 logic that will need to be fixed separately. Redirect followed by MTU works because __ip6_rt_update_pmtu hits the 'if (!rt6_cache_allowed_for_pmtu(rt6))' path and updates the mtu on the exception rt6_info. MTU followed by redirect does not have this logic. rt6_do_redirect creates a new exception and then rt6_insert_exception removes the old one which has the MTU exception. Fixes: ec810535 ("selftests: Add redirect tests") Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Colin Ian King authored
The pointer n is being assigned a value however this value is never read in the code block and the end of the code block continues to the next loop iteration. Clean up the code by removing the redundant assignment. Fixes: 1bff1a0c ("ipv4: Add function to send route updates") Addresses-Coverity: ("Unused value") Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
PHY drivers don't have to and shouldn't fiddle with phylib internals. Most of the code in bcm87xx_config_init() can be removed because phylib takes care. In addition I replaced usage of PHY_10GBIT_FEC_FEATURES with an implementation of the get_features callback. PHY_10GBIT_FEC_FEATURES is used by this driver only and it's questionable whether there will be any other PHY supporting this mode only. Having said that in one of the next kernel versions we may decide to remove it. Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 26 May, 2019 7 commits
-
-
David S. Miller authored
Eric Dumazet says: ==================== inet: frags: avoid possible races at netns dismantle This patch series fixes a race happening on netns dismantle with frag queues. While rhashtable_free_and_destroy() is running, concurrent timers might run inet_frag_kill() and attempt rhashtable_remove_fast() calls. This is not allowed by rhashtable logic. Since I do not want to add expensive synchronize_rcu() calls in the netns dismantle path, I had to no longer inline netns_frags structures, but dynamically allocate them. The ten first patches make this preparation, so that the last patch clearly shows the fix. As this patch series is not exactly trivial, I chose to target 5.3. We will backport it once soaked a bit. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
syszbot found an interesting use-after-free [1] happening while IPv4 fragment rhashtable was destroyed at netns dismantle. While no insertions can possibly happen at the time a dismantling netns is destroying this rhashtable, timers can still fire and attempt to remove elements from this rhashtable. This is forbidden, since rhashtable_free_and_destroy() has no synchronization against concurrent inserts and deletes. Add a new fqdir->dead flag so that timers do not attempt a rhashtable_remove_fast() operation. We also have to respect an RCU grace period before starting the rhashtable_free_and_destroy() from process context, thus we use rcu_work infrastructure. This is a refinement of a prior rough attempt to fix this bug : https://marc.info/?l=linux-netdev&m=153845936820900&w=2 Since the rhashtable cleanup is now deferred to a work queue, netns dismantles should be slightly faster. [1] BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline] BUG: KASAN: use-after-free in rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212 Read of size 8 at addr ffff8880a6497b70 by task kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc1+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events rht_deferred_worker Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132 __read_once_size include/linux/compiler.h:194 [inline] rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212 rht_deferred_worker+0x111/0x2030 lib/rhashtable.c:411 process_one_work+0x989/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x354/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 32687: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_kmalloc mm/kasan/common.c:489 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503 __do_kmalloc_node mm/slab.c:3620 [inline] __kmalloc_node+0x4e/0x70 mm/slab.c:3627 kmalloc_node include/linux/slab.h:590 [inline] kvmalloc_node+0x68/0x100 mm/util.c:431 kvmalloc include/linux/mm.h:637 [inline] kvzalloc include/linux/mm.h:645 [inline] bucket_table_alloc+0x90/0x480 lib/rhashtable.c:178 rhashtable_init+0x3f4/0x7b0 lib/rhashtable.c:1057 inet_frags_init_net include/net/inet_frag.h:109 [inline] ipv4_frags_init_net+0x182/0x410 net/ipv4/ip_fragment.c:683 ops_init+0xb3/0x410 net/core/net_namespace.c:130 setup_net+0x2d3/0x740 net/core/net_namespace.c:316 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206 ksys_unshare+0x440/0x980 kernel/fork.c:2692 __do_sys_unshare kernel/fork.c:2760 [inline] __se_sys_unshare kernel/fork.c:2758 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 7: save_stack+0x23/0x90 mm/kasan/common.c:71 set_track mm/kasan/common.c:79 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459 __cache_free mm/slab.c:3432 [inline] kfree+0xcf/0x220 mm/slab.c:3755 kvfree+0x61/0x70 mm/util.c:460 bucket_table_free+0x69/0x150 lib/rhashtable.c:108 rhashtable_free_and_destroy+0x165/0x8b0 lib/rhashtable.c:1155 inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:152 ipv4_frags_exit_net+0x73/0x90 net/ipv4/ip_fragment.c:695 ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553 process_one_work+0x989/0x1790 kernel/workqueue.c:2269 worker_thread+0x98/0xe40 kernel/workqueue.c:2415 kthread+0x354/0x420 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff8880a6497b40 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 48 bytes inside of 1024-byte region [ffff8880a6497b40, ffff8880a6497f40) The buggy address belongs to the page: page:ffffea0002992580 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff8880a64964c0 compound_mapcount: 0 flags: 0x1fffc0000010200(slab|head) raw: 01fffc0000010200 ffffea0002916e88 ffffea000218fe08 ffff8880aa400ac0 raw: ffff8880a64964c0 ffff8880a6496040 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a6497a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a6497a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8880a6497b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8880a6497b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a6497c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: 648700f7 ("inet: frags: use rhashtables for reassembly units") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Following patch will add rcu grace period before fqdir rhashtable destruction, so we need to dynamically allocate fqdir structures to not force expensive synchronize_rcu() calls in netns dismantle path. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
fqdir will soon be dynamically allocated. We need to reach the struct net pointer from fqdir, so add it, and replace the various container_of() constructs by direct access to the new field. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
And pass an extra parameter, since we will soon dynamically allocate fqdir structures. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
(struct net *)->ieee802154_lowpan.fqdir will soon be a pointer, so make sure lowpan_frags_ns_ctl_table[] does not reference init_net. lowpan_frags_ns_sysctl_register() can perform the needed initialization for all netns. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
(struct net *)->nf_frag.fqdir will soon be a pointer, so make sure nf_ct_frag6_sysctl_table[] does not reference init_net. nf_ct_frag6_sysctl_register() can perform the needed initialization for all netns. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-