Re: [linuxwifi] [PATCH] net: wireless: intel: iwlwifi: dvm: fix tid mask
On Thu, Jun 08, 2017 at 06:31:01AM +, Grumbach, Emmanuel wrote: > Hi, Hi, > True, OTOH we need tid to be 8 sometimes. We *just* need to make sure > that we don't index tid_data with this. Hence I think the proper fix is: > > diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c > b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c > index 06ac3f1..16a8646 100644 > --- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c > +++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c > @@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct > iwl_rx_cmd_buffer *rxb) > next_reclaimed; > IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n", > next_reclaimed); > + iwlagn_check_ratid_empty(priv, sta_id, tid); > } > > iwl_trans_reclaim(priv->trans, txq_id, ssn, ); > > - iwlagn_check_ratid_empty(priv, sta_id, tid); > freed = 0; > > /* process frames */ I can confirm it works. You can add my Tested-By. Thanks, Seraph
[PATCH] net: wireless: intel: iwlwifi: dvm: fix tid mask
Currently the tid mask covers the first 4 bits of iwlagn_tx_resp::ra_tid,
which gives 16 possible values for tid.
This is problematic because IWL_MAX_TID_COUNT is 8, so indexing
iwl_priv::tid_data can go very wrong.
With UBSAN I can it happening while establishing the first connection
after module load.
[ 272.143440] UBSAN: Undefined behaviour in
drivers/net/wireless/intel/iwlwifi/dvm/tx.c:777:32
[ 272.143447] index 8 is out of range for type 'iwl_tid_data [8]'
[ 272.143457] CPU: 0 PID: 4605 Comm: irq/32-iwlwifi Not tainted 4.12.0-dirty #2
[ 272.143460] Hardware name: Hewlett-Packard HP EliteBook 2560p/162B, BIOS
68SSU Ver. F.02 07/26/2011
[ 272.143462] Call Trace:
[ 272.143472] dump_stack+0x9c/0x10b
[ 272.143477] ? _atomic_dec_and_lock+0x285/0x285
[ 272.143486] ubsan_epilogue+0xd/0x4e
[ 272.143493] __ubsan_handle_out_of_bounds+0xef/0x118
[ 272.143498] ? __ubsan_handle_shift_out_of_bounds+0x221/0x221
[ 272.143519] ? iwl_trans_pcie_reclaim+0x153/0xc90 [iwlwifi]
[ 272.143539] iwlagn_check_ratid_empty+0x337/0x410 [iwldvm]
[ 272.143556] ? iwl_hcmd_names_cmp+0x2f/0x60 [iwlwifi]
[ 272.143571] iwlagn_rx_reply_tx+0x8a4/0x1820 [iwldvm]
Signed-off-by: Seraphime Kirkovski <kirkser...@gmail.com>
---
I'm currently running this patch on my machines and I have wifi.
The patch presumes а cleanup patch, I sent yesterday:
https://www.spinics.net/lists/kernel/msg2526314.html
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
index 37d2ba5ae852..e5994df9ea4c 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
@@ -1448,7 +1448,7 @@ struct agg_tx_status {
*/
/* refer to ra_tid */
#define IWLAGN_TX_RES_TID_POS 0
-#define IWLAGN_TX_RES_TID_MSK 0x0f
+#define IWLAGN_TX_RES_TID_MSK 0x07
#define IWLAGN_TX_RES_RA_POS 4
#define IWLAGN_TX_RES_RA_MSK 0xf0
--
2.11.0
[PATCH] net: wireless: intel: iwlwifi: dvm: remove unused defines
Those constants have been unused for quite some time now.
Signed-off-by: Seraphime Kirkovski <kirkser...@gmail.com>
---
I've compile-tested it.
drivers/net/wireless/intel/iwlwifi/dvm/commands.h | 7 ---
1 file changed, 7 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
index 2ab2773655a8..37d2ba5ae852 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/commands.h
@@ -1446,13 +1446,6 @@ struct agg_tx_status {
* or rate table color was changed during frame retries
* refer tlc rate info
*/
-
-#define IWL50_TX_RES_INIT_RATE_INDEX_POS 0
-#define IWL50_TX_RES_INIT_RATE_INDEX_MSK 0x0f
-#define IWL50_TX_RES_RATE_TABLE_COLOR_POS 4
-#define IWL50_TX_RES_RATE_TABLE_COLOR_MSK 0x70
-#define IWL50_TX_RES_INV_RATE_INDEX_MSK0x80
-
/* refer to ra_tid */
#define IWLAGN_TX_RES_TID_POS 0
#define IWLAGN_TX_RES_TID_MSK 0x0f
--
2.11.0
