From patchwork Wed Jun 7 22:33:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Seraphime Kirkovski X-Patchwork-Id: 772717 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3wjjz02rH5z9sCZ for ; Thu, 8 Jun 2017 08:34:20 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="WobnfLpp"; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751680AbdFGWeE (ORCPT ); Wed, 7 Jun 2017 18:34:04 -0400 Received: from mail-wm0-f65.google.com ([74.125.82.65]:33366 "EHLO mail-wm0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751425AbdFGWeC (ORCPT ); Wed, 7 Jun 2017 18:34:02 -0400 Received: by mail-wm0-f65.google.com with SMTP id x3so4627383wme.0; Wed, 07 Jun 2017 15:34:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Kn/FFgHsIwvPsWB2AFT6ThUpwpmi9HUaKctCqH/XQEc=; b=WobnfLpp6K8OiOHWy3mkMyV0XHqE6EiDBfOHlekiWy67sABZ5os1pODZHNXZMB927M rhYUX0WEJZG+Xm9JcMgfy/RdeXwfGizVyb2I5Spv2Wsq2rEYX86ROJUIQSANA4PmoEur eURbGB6NbhVi+UwrMdr4VE1Wk0j5J6+VkCT/BB/O3qiTFCYwTsAkOR6gsB/5r2SO8EsP 6TUYyqTkqpSSSR7ZX+iRFKidGLssysi/UOKopRpUNq0D5aVfSsMzwHbD0ud+UPinM7Gp Cfp/ggxWLR6rNx268Z5J1/KJHPldqj+syCMDwYiJQlh8sXYImWK22O8MXAW5rgc7ojew rjnA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Kn/FFgHsIwvPsWB2AFT6ThUpwpmi9HUaKctCqH/XQEc=; b=RIFoOoTNg6QysiO41ZvScdnDfuAksAvJqul9F6KpIKkCNW5PW4fjN95TtgfJ97jtGu +Rys0HZkI/R2cRvsLbThiIcQJ7l149D4l5AT/tHjmyq+kG6dga1/E8Wd7GDjlBUjbr7W ZKkIr9GN9WSRclisLz9/JBgeU2EU2CDQQbgQoEpXn55J5fAvMQjM/1Pzm1Du408M4bBo ffHRHex265Jl3W1DQs1d2W/7jAGXv9H8WDt6rAczrozb/FSBcG/gdEh8gg28ylc5B46i GR6RXxlBE5iZ/eweTXCJ5WcF7Lianhc1dA06kkjEHoo5HHvx+bduULetqbKz0EtQMVfm emrw== X-Gm-Message-State: AODbwcCP0E2ayyPPiBtl4h/ZJNJQMv88dOYR/G2IL4xlkYm1tzSqB+E3 Bml5FUdKFYSelg== X-Received: by 10.28.151.193 with SMTP id z184mr1237174wmd.2.1496874840397; Wed, 07 Jun 2017 15:34:00 -0700 (PDT) Received: from macchiaveli (cha92-19-78-239-153-115.fbx.proxad.net. [78.239.153.115]) by smtp.gmail.com with ESMTPSA id i3sm3799601wmb.13.2017.06.07.15.33.57 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 07 Jun 2017 15:33:59 -0700 (PDT) Received: by macchiaveli (sSMTP sendmail emulation); Thu, 08 Jun 2017 00:33:57 +0200 From: Seraphime Kirkovski To: luca@coelho.fi Cc: Seraphime Kirkovski , Johannes Berg , Emmanuel Grumbach , Luca Coelho , Intel Linux Wireless , Kalle Valo , linux-wireless@vger.kernel.org (open list:INTEL WIRELESS WIFI LINK (iwlwifi)), netdev@vger.kernel.org (open list:NETWORKING DRIVERS), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] net: wireless: intel: iwlwifi: dvm: fix tid mask Date: Thu, 8 Jun 2017 00:33:52 +0200 Message-Id: <20170607223354.22399-1-kirkseraph@gmail.com> X-Mailer: git-send-email 2.11.0 MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Currently the tid mask covers the first 4 bits of iwlagn_tx_resp::ra_tid, which gives 16 possible values for tid. This is problematic because IWL_MAX_TID_COUNT is 8, so indexing iwl_priv::tid_data can go very wrong. With UBSAN I can it happening while establishing the first connection after module load. [ 272.143440] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/dvm/tx.c:777:32 [ 272.143447] index 8 is out of range for type 'iwl_tid_data [8]' [ 272.143457] CPU: 0 PID: 4605 Comm: irq/32-iwlwifi Not tainted 4.12.0-dirty #2 [ 272.143460] Hardware name: Hewlett-Packard HP EliteBook 2560p/162B, BIOS 68SSU Ver. F.02 07/26/2011 [ 272.143462] Call Trace: [ 272.143472] dump_stack+0x9c/0x10b [ 272.143477] ? _atomic_dec_and_lock+0x285/0x285 [ 272.143486] ubsan_epilogue+0xd/0x4e [ 272.143493] __ubsan_handle_out_of_bounds+0xef/0x118 [ 272.143498] ? __ubsan_handle_shift_out_of_bounds+0x221/0x221 [ 272.143519] ? iwl_trans_pcie_reclaim+0x153/0xc90 [iwlwifi] [ 272.143539] iwlagn_check_ratid_empty+0x337/0x410 [iwldvm] [ 272.143556] ? iwl_hcmd_names_cmp+0x2f/0x60 [iwlwifi] [ 272.143571] iwlagn_rx_reply_tx+0x8a4/0x1820 [iwldvm] Signed-off-by: Seraphime Kirkovski --- I'm currently running this patch on my machines and I have wifi. The patch presumes а cleanup patch, I sent yesterday: https://www.spinics.net/lists/kernel/msg2526314.html drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h index 37d2ba5ae852..e5994df9ea4c 100644 --- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h +++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h @@ -1448,7 +1448,7 @@ struct agg_tx_status { */ /* refer to ra_tid */ #define IWLAGN_TX_RES_TID_POS 0 -#define IWLAGN_TX_RES_TID_MSK 0x0f +#define IWLAGN_TX_RES_TID_MSK 0x07 #define IWLAGN_TX_RES_RA_POS 4 #define IWLAGN_TX_RES_RA_MSK 0xf0