lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 27 Apr 2020 15:40:24 +0200
From:   Jerome Pouiller <Jerome.Pouiller@...abs.com>
To:     devel@...verdev.osuosl.org, linux-wireless@...r.kernel.org
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kalle Valo <kvalo@...eaurora.org>,
        "David S . Miller" <davem@...emloft.net>,
        Jérôme Pouiller 
        <jerome.pouiller@...abs.com>
Subject: [PATCH 10/17] staging: wfx: fix the warning "inconsistent notification"

From: Jérôme Pouiller <jerome.pouiller@...abs.com>

In some circumstances, Tx traffic is sent without associated station but
the station exists when the Tx status is received. Beside that, the
driver keep a counter associated to each station. So, in this case, the
counter is not incremented, but is decremented. In this case a warning
"inconsistent notification" appears:

   ------------[ cut here ]------------
   WARNING: CPU: 3 PID: 82 at /home/jerome/wfx/data_tx.c:469 wfx_skb_dtor+0x1a4/0x1d4 [wfx]
   inconsistent notification
   Modules linked in: [...]
   CPU: 3 PID: 82 Comm: kworker/3:1H Tainted: G         C O      4.19.57-v7l+ #1244
   Hardware name: BCM2835
   Workqueue: events_highpri bh_work [wfx]
   [<c0212c8c>] (unwind_backtrace) from [<c020d49c>] (show_stack+0x20/0x24)
   [<c020d49c>] (show_stack) from [<c0976220>] (dump_stack+0xd4/0x118)
   [<c0976220>] (dump_stack) from [<c0222270>] (__warn+0x104/0x11c)
   [<c0222270>] (__warn) from [<c02222e0>] (warn_slowpath_fmt+0x58/0x74)
   [<c02222e0>] (warn_slowpath_fmt) from [<bf497b48>] (wfx_skb_dtor+0x1a4/0x1d4 [wfx])
   [<bf497b48>] (wfx_skb_dtor [wfx]) from [<bf4988b4>] (wfx_tx_confirm_cb+0x198/0x2f0 [wfx])
   [<bf4988b4>] (wfx_tx_confirm_cb [wfx]) from [<bf49d054>] (hif_tx_confirm+0x50/0x70 [wfx])
   [<bf49d054>] (hif_tx_confirm [wfx]) from [<bf49d42c>] (wfx_handle_rx+0x128/0x22c [wfx])
   [<bf49d42c>] (wfx_handle_rx [wfx]) from [<bf4953cc>] (bh_work+0x3cc/0x964 [wfx])
   [<bf4953cc>] (bh_work [wfx]) from [<c023dab8>] (process_one_work+0x170/0x458)
   [<c023dab8>] (process_one_work) from [<c023ddfc>] (worker_thread+0x5c/0x5a4)
   [<c023ddfc>] (worker_thread) from [<c02440e8>] (kthread+0x138/0x168)
   [<c02440e8>] (kthread) from [<c02010ac>] (ret_from_fork+0x14/0x28)
   Exception stack(0xee199fb0 to 0xee199ff8)
   9fa0:                                     00000000 00000000 00000000 00000000
   9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
   9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
   ---[ end trace 64b9e754e12ef7de ]---

This patch fix this race between the station creation and the Tx data.

Fixes: 7d2d2bfdeb82 ("staging: wfx: relocate "buffered" information to sta_priv")
Signed-off-by: Jérôme Pouiller <jerome.pouiller@...abs.com>
---
 drivers/staging/wfx/data_tx.c | 18 +++++++++++++-----
 drivers/staging/wfx/data_tx.h |  1 +
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/wfx/data_tx.c b/drivers/staging/wfx/data_tx.c
index 9c1a91207dd8..f8812079d801 100644
--- a/drivers/staging/wfx/data_tx.c
+++ b/drivers/staging/wfx/data_tx.c
@@ -224,6 +224,7 @@ static void wfx_tx_manage_pm(struct wfx_vif *wvif, struct ieee80211_hdr *hdr,
 	int tid = ieee80211_get_tid(hdr);
 
 	if (sta) {
+		tx_priv->has_sta = true;
 		sta_priv = (struct wfx_sta_priv *)&sta->drv_priv;
 		spin_lock_bh(&sta_priv->lock);
 		sta_priv->buffered[tid]++;
@@ -469,7 +470,8 @@ static void wfx_notify_buffered_tx(struct wfx_vif *wvif, struct sk_buff *skb)
 	rcu_read_unlock();
 }
 
-static void wfx_skb_dtor(struct wfx_dev *wdev, struct sk_buff *skb)
+static void wfx_skb_dtor(struct wfx_dev *wdev,
+			 struct sk_buff *skb, bool has_sta)
 {
 	struct hif_msg *hif = (struct hif_msg *)skb->data;
 	struct hif_req_tx *req = (struct hif_req_tx *)hif->body;
@@ -480,7 +482,8 @@ static void wfx_skb_dtor(struct wfx_dev *wdev, struct sk_buff *skb)
 
 	WARN_ON(!wvif);
 	skb_pull(skb, offset);
-	wfx_notify_buffered_tx(wvif, skb);
+	if (has_sta)
+		wfx_notify_buffered_tx(wvif, skb);
 	wfx_tx_policy_put(wvif, req->tx_flags.retry_policy_index);
 	ieee80211_tx_status_irqsafe(wdev->hw, skb);
 }
@@ -493,6 +496,7 @@ void wfx_tx_confirm_cb(struct wfx_vif *wvif, const struct hif_cnf_tx *arg)
 	struct ieee80211_tx_rate *rate;
 	struct ieee80211_tx_info *tx_info;
 	const struct wfx_tx_priv *tx_priv;
+	bool has_sta;
 
 	skb = wfx_pending_get(wvif->wdev, arg->packet_id);
 	if (!skb) {
@@ -503,6 +507,7 @@ void wfx_tx_confirm_cb(struct wfx_vif *wvif, const struct hif_cnf_tx *arg)
 	}
 	tx_info = IEEE80211_SKB_CB(skb);
 	tx_priv = wfx_skb_tx_priv(skb);
+	has_sta = tx_priv->has_sta;
 	_trace_tx_stats(arg, skb,
 			wfx_pending_get_pkt_us_delay(wvif->wdev, skb));
 
@@ -561,12 +566,13 @@ void wfx_tx_confirm_cb(struct wfx_vif *wvif, const struct hif_cnf_tx *arg)
 		}
 		tx_info->flags |= IEEE80211_TX_STAT_TX_FILTERED;
 	}
-	wfx_skb_dtor(wvif->wdev, skb);
+	wfx_skb_dtor(wvif->wdev, skb, has_sta);
 }
 
 void wfx_flush(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
 	       u32 queues, bool drop)
 {
+	const struct wfx_tx_priv *tx_priv;
 	struct wfx_dev *wdev = hw->priv;
 	struct sk_buff_head dropped;
 	struct wfx_queue *queue;
@@ -593,7 +599,9 @@ void wfx_flush(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
 	wfx_tx_flush(wdev);
 	if (wdev->chip_frozen)
 		wfx_pending_drop(wdev, &dropped);
-	while ((skb = skb_dequeue(&dropped)) != NULL)
-		wfx_skb_dtor(wdev, skb);
+	while ((skb = skb_dequeue(&dropped)) != NULL) {
+		tx_priv = wfx_skb_tx_priv(skb);
+		wfx_skb_dtor(wdev, skb, tx_priv->has_sta);
+	}
 }
 
diff --git a/drivers/staging/wfx/data_tx.h b/drivers/staging/wfx/data_tx.h
index a308af3d68ad..54fff24508fb 100644
--- a/drivers/staging/wfx/data_tx.h
+++ b/drivers/staging/wfx/data_tx.h
@@ -36,6 +36,7 @@ struct tx_policy_cache {
 struct wfx_tx_priv {
 	ktime_t xmit_timestamp;
 	struct ieee80211_key_conf *hw_key;
+	bool has_sta;
 } __packed;
 
 void wfx_tx_policy_init(struct wfx_vif *wvif);
-- 
2.26.1

Powered by blists - more mailing lists