Wen Gong <quic_wgong@xxxxxxxxxxx> wrote:
> Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station
> for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI
> command sequence, but actually skip all the peer delete operation, then
> it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon
> peer delete failure") not take effect, and then happened a use-after-free
> warning from KASAN. because the peer->sta is not set to NULL and then used
> later.
>
> Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855.
>
> log of user-after-free:
>
> [ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860
>
> [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523
> [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021
> [ 534.888716] Call Trace:
> [ 534.888720] <IRQ>
> [ 534.888726] dump_stack_lvl+0x57/0x7d
> [ 534.888736] print_address_description.constprop.0+0x1f/0x170
> [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [ 534.888771] kasan_report.cold+0x83/0xdf
> [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k]
> [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k]
> [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k]
> [ 534.888897] ? check_prev_add+0x20f0/0x20f0
> [ 534.888922] ? __lock_acquire+0xb72/0x1870
> [ 534.888937] ? find_held_lock+0x33/0x110
> [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k]
> [ 534.888981] ? rcu_read_unlock+0x40/0x40
> [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k]
> [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k]
> [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
> [ 534.889075] call_timer_fn+0x167/0x4a0
> [ 534.889084] ? add_timer_on+0x3b0/0x3b0
> [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
> [ 534.889117] __run_timers.part.0+0x539/0x8b0
> [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k]
> [ 534.889157] ? call_timer_fn+0x4a0/0x4a0
> [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30
> [ 534.889173] ? clockevents_program_event+0xdd/0x280
> [ 534.889189] ? mark_held_locks+0xa5/0xe0
> [ 534.889203] run_timer_softirq+0x97/0x180
> [ 534.889213] __do_softirq+0x276/0x86a
> [ 534.889230] __irq_exit_rcu+0x11c/0x180
> [ 534.889238] irq_exit_rcu+0x5/0x20
> [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0
> [ 534.889251] </IRQ>
> [ 534.889254] <TASK>
> [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20
> [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70
> [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee
> [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206
> [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10
> [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001
> [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f
> [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68
> [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000
> [ 534.889316] ? mark_lock+0xd0/0x14a0
> [ 534.889332] klist_next+0x1d4/0x450
> [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0
> [ 534.889350] device_for_each_child+0xa8/0x140
> [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0
> [ 534.889370] ? __lock_release+0x4bd/0x9f0
> [ 534.889378] ? dpm_suspend+0x26b/0x3f0
> [ 534.889390] dpm_wait_for_subordinate+0x82/0x2d0
> [ 534.889400] ? dpm_for_each_dev+0xa0/0xa0
> [ 534.889410] ? dpm_suspend+0x233/0x3f0
> [ 534.889427] __device_suspend+0xd4/0x10c0
> [ 534.889440] ? wait_for_completion_io+0x270/0x270
> [ 534.889456] ? async_suspend_late+0xe0/0xe0
> [ 534.889463] ? async_schedule_node_domain+0x468/0x640
> [ 534.889482] dpm_suspend+0x25a/0x3f0
> [ 534.889491] ? dpm_suspend_end+0x1a0/0x1a0
> [ 534.889497] ? ktime_get+0x214/0x2f0
> [ 534.889502] ? lockdep_hardirqs_on+0x79/0x100
> [ 534.889509] ? recalibrate_cpu_khz+0x10/0x10
> [ 534.889516] ? ktime_get+0x119/0x2f0
> [ 534.889528] dpm_suspend_start+0xab/0xc0
> [ 534.889538] suspend_devices_and_enter+0x1ca/0x350
> [ 534.889546] ? suspend_enter+0x850/0x850
> [ 534.889566] enter_state+0x27c/0x3d7
> [ 534.889575] pm_suspend.cold+0x42/0x189
> [ 534.889583] state_store+0xab/0x160
> [ 534.889595] ? sysfs_file_ops+0x160/0x160
> [ 534.889601] kernfs_fop_write_iter+0x2b5/0x450
> [ 534.889615] new_sync_write+0x36a/0x600
> [ 534.889625] ? new_sync_read+0x600/0x600
> [ 534.889639] ? rcu_read_unlock+0x40/0x40
> [ 534.889668] vfs_write+0x619/0x910
> [ 534.889681] ksys_write+0xf4/0x1d0
> [ 534.889689] ? __ia32_sys_read+0xa0/0xa0
> [ 534.889699] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370
> [ 534.889707] ? syscall_enter_from_user_mode+0x1d/0x50
> [ 534.889719] do_syscall_64+0x3b/0x90
> [ 534.889725] entry_SYSCALL_64_after_hwframe+0x44/0xae
> [ 534.889731] RIP: 0033:0x7f0b9bc931e7
> [ 534.889736] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
> [ 534.889741] RSP: 002b:00007ffd9d34cc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> [ 534.889749] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f0b9bc931e7
> [ 534.889753] RDX: 0000000000000004 RSI: 0000561cd023c5f0 RDI: 0000000000000004
> [ 534.889757] RBP: 0000561cd023c5f0 R08: 0000000000000000 R09: 0000000000000004
> [ 534.889761] R10: 0000561ccef842a6 R11: 0000000000000246 R12: 0000000000000004
> [ 534.889765] R13: 0000561cd0239590 R14: 00007f0b9bd6f4a0 R15: 00007f0b9bd6e8a0
> [ 534.889789] </TASK>
>
> [ 534.889796] Allocated by task 2711:
> [ 534.889800] kasan_save_stack+0x1b/0x40
> [ 534.889805] __kasan_kmalloc+0x7c/0x90
> [ 534.889810] sta_info_alloc+0x98/0x1ef0 [mac80211]
> [ 534.889874] ieee80211_prep_connection+0x30b/0x11e0 [mac80211]
> [ 534.889950] ieee80211_mgd_auth+0x529/0xe00 [mac80211]
> [ 534.890024] cfg80211_mlme_auth+0x332/0x6f0 [cfg80211]
> [ 534.890090] nl80211_authenticate+0x839/0xcf0 [cfg80211]
> [ 534.890147] genl_family_rcv_msg_doit+0x1f4/0x2f0
> [ 534.890154] genl_rcv_msg+0x280/0x500
> [ 534.890160] netlink_rcv_skb+0x11c/0x340
> [ 534.890165] genl_rcv+0x1f/0x30
> [ 534.890170] netlink_unicast+0x42b/0x700
> [ 534.890176] netlink_sendmsg+0x71b/0xc60
> [ 534.890181] sock_sendmsg+0xdf/0x110
> [ 534.890187] ____sys_sendmsg+0x5c0/0x850
> [ 534.890192] ___sys_sendmsg+0xe4/0x160
> [ 534.890197] __sys_sendmsg+0xb2/0x140
> [ 534.890202] do_syscall_64+0x3b/0x90
> [ 534.890207] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> [ 534.890215] Freed by task 2825:
> [ 534.890218] kasan_save_stack+0x1b/0x40
> [ 534.890223] kasan_set_track+0x1c/0x30
> [ 534.890227] kasan_set_free_info+0x20/0x30
> [ 534.890232] __kasan_slab_free+0xce/0x100
> [ 534.890237] slab_free_freelist_hook+0xf0/0x1a0
> [ 534.890242] kfree+0xe5/0x370
> [ 534.890248] __sta_info_flush+0x333/0x4b0 [mac80211]
> [ 534.890308] ieee80211_set_disassoc+0x324/0xd20 [mac80211]
> [ 534.890382] ieee80211_mgd_deauth+0x537/0xee0 [mac80211]
> [ 534.890472] cfg80211_mlme_deauth+0x349/0x810 [cfg80211]
> [ 534.890526] cfg80211_mlme_down+0x1ce/0x270 [cfg80211]
> [ 534.890578] cfg80211_disconnect+0x4f5/0x7b0 [cfg80211]
> [ 534.890631] cfg80211_leave+0x24/0x40 [cfg80211]
> [ 534.890677] wiphy_suspend+0x23d/0x2f0 [cfg80211]
> [ 534.890723] dpm_run_callback+0xf4/0x1b0
> [ 534.890728] __device_suspend+0x648/0x10c0
> [ 534.890733] async_suspend+0x16/0xe0
> [ 534.890737] async_run_entry_fn+0x90/0x4f0
> [ 534.890741] process_one_work+0x866/0x1490
> [ 534.890747] worker_thread+0x596/0x1010
> [ 534.890751] kthread+0x35d/0x420
> [ 534.890756] ret_from_fork+0x22/0x30
>
> [ 534.890763] The buggy address belongs to the object at ffff8881396ba000
> which belongs to the cache kmalloc-8k of size 8192
> [ 534.890767] The buggy address is located 4536 bytes inside of
> 8192-byte region [ffff8881396ba000, ffff8881396bc000)
> [ 534.890772] The buggy address belongs to the page:
> [ 534.890775] page:ffffea0004e5ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1396b8
> [ 534.890780] head:ffffea0004e5ae00 order:3 compound_mapcount:0 compound_pincount:0
> [ 534.890784] flags: 0x200000000010200(slab|head|node=0|zone=2)
> [ 534.890791] raw: 0200000000010200 ffffea000562be08 ffffea0004b04c08 ffff88810004e340
> [ 534.890795] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000
> [ 534.890798] page dumped because: kasan: bad access detected
>
> [ 534.890804] Memory state around the buggy address:
> [ 534.890807] ffff8881396bb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 534.890811] ffff8881396bb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 534.890814] >ffff8881396bb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 534.890817] ^
> [ 534.890821] ffff8881396bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 534.890824] ffff8881396bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 534.890827] ==================================================================
> [ 534.890830] Disabling lock debugging due to kernel taint
>
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
>
> Fixes: b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855")
> Signed-off-by: Wen Gong <quic_wgong@xxxxxxxxxxx>
> Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
Patch applied to ath-next branch of ath.git, thanks.
212ad7cb7d75 ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855
--
https://patchwork.kernel.org/project/linux-wireless/patch/20211222070431.29595-1-quic_wgong@xxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
