On 2018-03-26 21:19, Kalle Valo wrote:
Tamizh chelvam <tamizhr@xxxxxxxxxxxxxx> writes:
When attempt to read tpc_stats for the chipsets which support
more than 3 tx chain will trigger kernel panic(kernel stack is
corrupted)
due to writing values on rate_code array out of range.
This patch changes the array size depends on the WMI_TPC_TX_N_CHAIN
and
added check to avoid write values on the array if the num tx chain
get in tpc config event is greater than WMI_TPC_TX_N_CHAIN.
Tested on QCA9984 with firmware-5.bin_10.4-3.5.3-00057
Kernel panic log :
[ 323.510944] Kernel panic - not syncing: stack-protector: Kernel
stack is corrupted in: bf90c654
[ 323.510944]
[ 323.524390] CPU: 0 PID: 1908 Comm: cat Not tainted 3.14.77 #31
[ 323.530224] [<c021db48>] (unwind_backtrace) from [<c021ac08>]
(show_stack+0x10/0x14)
[ 323.537941] [<c021ac08>] (show_stack) from [<c03c53c0>]
(dump_stack+0x80/0xa0)
[ 323.545146] [<c03c53c0>] (dump_stack) from [<c022e4ac>]
(panic+0x84/0x1e4)
[ 323.552000] [<c022e4ac>] (panic) from [<c022e61c>]
(__stack_chk_fail+0x10/0x14)
[ 323.559350] [<c022e61c>] (__stack_chk_fail) from [<bf90c654>]
(ath10k_wmi_event_pdev_tpc_config+0x424/0x438 [ath10k_core])
[ 323.570471] [<bf90c654>] (ath10k_wmi_event_pdev_tpc_config
[ath10k_core]) from [<bf90d800>] (ath10k_wmi_10_4_op_rx+0x2f0/0x39c
[ath10k_core])
[ 323.583047] [<bf90d800>] (ath10k_wmi_10_4_op_rx [ath10k_core]) from
[<bf8fcc18>] (ath10k_htc_rx_completion_handler+0x170/0x1a0
[ath10k_core])
[ 323.595702] [<bf8fcc18>] (ath10k_htc_rx_completion_handler
[ath10k_core]) from [<bf961f44>]
(ath10k_pci_hif_send_complete_check+0x1f0/0x220 [ath10k_pci])
[ 323.609421] [<bf961f44>] (ath10k_pci_hif_send_complete_check
[ath10k_pci]) from [<bf96562c>]
(ath10k_ce_per_engine_service+0x74/0xc4 [ath10k_pci])
[ 323.622490] [<bf96562c>] (ath10k_ce_per_engine_service
[ath10k_pci]) from [<bf9656f0>]
(ath10k_ce_per_engine_service_any+0x74/0x80 [ath10k_pci])
[ 323.635423] [<bf9656f0>] (ath10k_ce_per_engine_service_any
[ath10k_pci]) from [<bf96365c>] (ath10k_pci_napi_poll+0x44/0xe8
[ath10k_pci])
[ 323.647665] [<bf96365c>] (ath10k_pci_napi_poll [ath10k_pci]) from
[<c0599994>] (net_rx_action+0xac/0x160)
[ 323.657208] [<c0599994>] (net_rx_action) from [<c02324a4>]
(__do_softirq+0x104/0x294)
[ 323.665017] [<c02324a4>] (__do_softirq) from [<c0232920>]
(irq_exit+0x9c/0x11c)
[ 323.672314] [<c0232920>] (irq_exit) from [<c0217fc0>]
(handle_IRQ+0x6c/0x90)
[ 323.679341] [<c0217fc0>] (handle_IRQ) from [<c02084e0>]
(gic_handle_irq+0x3c/0x60)
[ 323.686893] [<c02084e0>] (gic_handle_irq) from [<c02095c0>]
(__irq_svc+0x40/0x70)
[ 323.694349] Exception stack(0xdd489c58 to 0xdd489ca0)
[ 323.699384] 9c40:
00000000 a0000013
[ 323.707547] 9c60: 00000000 dc4bce40 60000013 ddc1d800 dd488000
00000990 00000000 c085c800
[ 323.715707] 9c80: 00000000 dd489d44 0000092d dd489ca0 c026e664
c026e668 60000013 ffffffff
[ 323.723877] [<c02095c0>] (__irq_svc) from [<c026e668>]
(rcu_note_context_switch+0x170/0x184)
[ 323.732298] [<c026e668>] (rcu_note_context_switch) from
[<c020e928>] (__schedule+0x50/0x4d4)
[ 323.740716] [<c020e928>] (__schedule) from [<c020e490>]
(schedule_timeout+0x148/0x178)
[ 323.748611] [<c020e490>] (schedule_timeout) from [<c020f804>]
(wait_for_common+0x114/0x154)
[ 323.756972] [<c020f804>] (wait_for_common) from [<bf8f6ef0>]
(ath10k_tpc_stats_open+0xc8/0x340 [ath10k_core])
[ 323.766873] [<bf8f6ef0>] (ath10k_tpc_stats_open [ath10k_core]) from
[<c02bb598>] (do_dentry_open+0x1ac/0x274)
[ 323.776741] [<c02bb598>] (do_dentry_open) from [<c02c838c>]
(do_last+0x8c0/0xb08)
[ 323.784201] [<c02c838c>] (do_last) from [<c02c87e4>]
(path_openat+0x210/0x598)
[ 323.791408] [<c02c87e4>] (path_openat) from [<c02c9d1c>]
(do_filp_open+0x2c/0x78)
[ 323.798873] [<c02c9d1c>] (do_filp_open) from [<c02bc85c>]
(do_sys_open+0x114/0x1b4)
[ 323.806509] [<c02bc85c>] (do_sys_open) from [<c0208c80>]
(ret_fast_syscall+0x0/0x44)
[ 323.814241] CPU1: stopping
[ 323.816927] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.14.77 #31
[ 323.823008] [<c021db48>] (unwind_backtrace) from [<c021ac08>]
(show_stack+0x10/0x14)
[ 323.830731] [<c021ac08>] (show_stack) from [<c03c53c0>]
(dump_stack+0x80/0xa0)
[ 323.837934] [<c03c53c0>] (dump_stack) from [<c021cfac>]
(handle_IPI+0xb8/0x140)
[ 323.845224] [<c021cfac>] (handle_IPI) from [<c02084fc>]
(gic_handle_irq+0x58/0x60)
[ 323.852774] [<c02084fc>] (gic_handle_irq) from [<c02095c0>]
(__irq_svc+0x40/0x70)
[ 323.860233] Exception stack(0xdd499fa0 to 0xdd499fe8)
[ 323.865273] 9fa0: ffffffed 00000000 1d3c9000 00000000 dd498000
dd498030 10c0387d c08b62c8
[ 323.873432] 9fc0: 4220406a 512f04d0 00000000 00000000 00000001
dd499fe8 c021838c c0218390
[ 323.881588] 9fe0: 60000013 ffffffff
[ 323.885070] [<c02095c0>] (__irq_svc) from [<c0218390>]
(arch_cpu_idle+0x30/0x50)
[ 323.892454] [<c0218390>] (arch_cpu_idle) from [<c026500c>]
(cpu_startup_entry+0xa4/0x108)
[ 323.900690] [<c026500c>] (cpu_startup_entry) from [<422085a4>]
(0x422085a4)
Signed-off-by: Tamizh chelvam <tamizhr@xxxxxxxxxxxxxx>
In v1 kbuild reported this warning:
drivers/net/wireless/ath/ath10k/wmi.c:4465:14: error: 'struct ath10k'
has no member named 'debug'
Did you fix it?
oops:( sorry, I'll send next version of the patch by fixing it.
@@ -4455,6 +4461,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct
ath10k *ar, struct sk_buff *skb)
__le32_to_cpu(ev->twice_max_rd_power) / 2,
__le32_to_cpu(ev->num_tx_chain),
__le32_to_cpu(ev->rate_max));
+exit:
+ complete(&ar->debug.tpc_complete);
}
And why do you need this anyway? The commit log doesn't explain that.
Previously this complete call was not there in the error case and
without this we will get "failed to request tpc config stats: -110"
along with the error message and this is a timeout warning. I've added
this since we have received the event and the warning message is
incorrect. I'll remove this complete call here since it is a harmless
message and send the next version of a patch.
