| Message ID | 20240813083808.9224-1-quic_bqiang@quicinc.com |
|---|---|
| State | New |
| Headers | show |
| Series | [ath-current] wifi: ath11k: fix NULL pointer dereference in ath11k_mac_get_eirp_power() | expand |
On 8/13/2024 1:38 AM, Baochen Qiang wrote: > Commit 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") breaks > ath11k, leading to kernel crash: > > BUG: kernel NULL pointer dereference, address: 0000000000000018 > RIP: 0010:ath11k_mac_get_eirp_power.isra.0+0x5b/0x80 [ath11k] > Call Trace: > <TASK> > ath11k_mac_fill_reg_tpc_info+0x3d6/0x800 [ath11k] > ath11k_mac_vdev_start_restart+0x412/0x4d0 [ath11k] > ath11k_mac_op_sta_state+0x7bc/0xbb0 [ath11k] > drv_sta_state+0xf1/0x5f0 [mac80211] > sta_info_insert_rcu+0x28d/0x530 [mac80211] > sta_info_insert+0xf/0x20 [mac80211] > ieee80211_prep_connection+0x3b4/0x4c0 [mac80211] > ieee80211_mgd_auth+0x363/0x600 [mac80211] > > The issue scenario is, AP advertises power spectral density (PSD) values in its > transmit power envelope (TPE) IE and supports 160 MHz bandwidth in 6 GHz. When > connecting to this AP, in ath11k_mac_parse_tx_pwr_env(), the local variable > psd is true and then reg_tpc_info.num_pwr_levels is set to 8 due to 160 MHz > bandwidth. Note here ath11k fails to set reg_tpc_info.is_psd_power as TRUE due > to above commit. Then in ath11k_mac_fill_reg_tpc_info(), for each of the 8 > power levels, for a PSD channel, ath11k_mac_get_psd_channel() is expected to > be called to get required information. However due to invalid > reg_tpc_info.is_psd_power, it is ath11k_mac_get_eirp_power() that gets called > and passed with pwr_lvl_idx as one of the arguments. Note this function > implicitly requires pwr_lvl_idx to be no more than 3. So when pwr_lvl_idx is > larger than that ath11k_mac_get_seg_freq() returns invalid center frequency, > with which as the input ieee80211_get_channel() returns NULL, then kernel > crashes due to NULL pointer dereference. > > Fix it by setting reg_tpc_info.is_psd_power properly. > > Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 > > Fixes: 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") > Reported-by: Mikko Tiihonen <mikko.tiihonen@iki.fi> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219131 > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Baochen Qiang <quic_bqiang@quicinc.com> writes: > Commit 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") breaks > ath11k, leading to kernel crash: > > BUG: kernel NULL pointer dereference, address: 0000000000000018 > RIP: 0010:ath11k_mac_get_eirp_power.isra.0+0x5b/0x80 [ath11k] > Call Trace: > <TASK> > ath11k_mac_fill_reg_tpc_info+0x3d6/0x800 [ath11k] > ath11k_mac_vdev_start_restart+0x412/0x4d0 [ath11k] > ath11k_mac_op_sta_state+0x7bc/0xbb0 [ath11k] > drv_sta_state+0xf1/0x5f0 [mac80211] > sta_info_insert_rcu+0x28d/0x530 [mac80211] > sta_info_insert+0xf/0x20 [mac80211] > ieee80211_prep_connection+0x3b4/0x4c0 [mac80211] > ieee80211_mgd_auth+0x363/0x600 [mac80211] > > The issue scenario is, AP advertises power spectral density (PSD) values in its > transmit power envelope (TPE) IE and supports 160 MHz bandwidth in 6 GHz. When > connecting to this AP, in ath11k_mac_parse_tx_pwr_env(), the local variable > psd is true and then reg_tpc_info.num_pwr_levels is set to 8 due to 160 MHz > bandwidth. Note here ath11k fails to set reg_tpc_info.is_psd_power as TRUE due > to above commit. Then in ath11k_mac_fill_reg_tpc_info(), for each of the 8 > power levels, for a PSD channel, ath11k_mac_get_psd_channel() is expected to > be called to get required information. However due to invalid > reg_tpc_info.is_psd_power, it is ath11k_mac_get_eirp_power() that gets called > and passed with pwr_lvl_idx as one of the arguments. Note this function > implicitly requires pwr_lvl_idx to be no more than 3. So when pwr_lvl_idx is > larger than that ath11k_mac_get_seg_freq() returns invalid center frequency, > with which as the input ieee80211_get_channel() returns NULL, then kernel > crashes due to NULL pointer dereference. > > Fix it by setting reg_tpc_info.is_psd_power properly. > > Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 > > Fixes: 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") > Reported-by: Mikko Tiihonen <mikko.tiihonen@iki.fi> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219131 > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> The reporter confirmed that this fixes the issue and asked to add: Tested-by: Mikko Tiihonen <mikko.tiihonen@iki.fi>
Baochen Qiang <quic_bqiang@quicinc.com> wrote: > Commit 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") breaks > ath11k, leading to kernel crash: > > BUG: kernel NULL pointer dereference, address: 0000000000000018 > RIP: 0010:ath11k_mac_get_eirp_power.isra.0+0x5b/0x80 [ath11k] > Call Trace: > <TASK> > ath11k_mac_fill_reg_tpc_info+0x3d6/0x800 [ath11k] > ath11k_mac_vdev_start_restart+0x412/0x4d0 [ath11k] > ath11k_mac_op_sta_state+0x7bc/0xbb0 [ath11k] > drv_sta_state+0xf1/0x5f0 [mac80211] > sta_info_insert_rcu+0x28d/0x530 [mac80211] > sta_info_insert+0xf/0x20 [mac80211] > ieee80211_prep_connection+0x3b4/0x4c0 [mac80211] > ieee80211_mgd_auth+0x363/0x600 [mac80211] > > The issue scenario is, AP advertises power spectral density (PSD) values in its > transmit power envelope (TPE) IE and supports 160 MHz bandwidth in 6 GHz. When > connecting to this AP, in ath11k_mac_parse_tx_pwr_env(), the local variable > psd is true and then reg_tpc_info.num_pwr_levels is set to 8 due to 160 MHz > bandwidth. Note here ath11k fails to set reg_tpc_info.is_psd_power as TRUE due > to above commit. Then in ath11k_mac_fill_reg_tpc_info(), for each of the 8 > power levels, for a PSD channel, ath11k_mac_get_psd_channel() is expected to > be called to get required information. However due to invalid > reg_tpc_info.is_psd_power, it is ath11k_mac_get_eirp_power() that gets called > and passed with pwr_lvl_idx as one of the arguments. Note this function > implicitly requires pwr_lvl_idx to be no more than 3. So when pwr_lvl_idx is > larger than that ath11k_mac_get_seg_freq() returns invalid center frequency, > with which as the input ieee80211_get_channel() returns NULL, then kernel > crashes due to NULL pointer dereference. > > Fix it by setting reg_tpc_info.is_psd_power properly. > > Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 > > Fixes: 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") > Reported-by: Mikko Tiihonen <mikko.tiihonen@iki.fi> > Tested-by: Mikko Tiihonen <mikko.tiihonen@iki.fi> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219131 > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> > Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Patch applied to ath-current branch of ath.git, thanks. 9abf199943a6 wifi: ath11k: fix NULL pointer dereference in ath11k_mac_get_eirp_power()
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c index 71ef89be823b..f8068d2e848c 100644 --- a/drivers/net/wireless/ath/ath11k/mac.c +++ b/drivers/net/wireless/ath/ath11k/mac.c @@ -7912,6 +7912,7 @@ static void ath11k_mac_parse_tx_pwr_env(struct ath11k *ar, } if (psd) { + arvif->reg_tpc_info.is_psd_power = true; arvif->reg_tpc_info.num_pwr_levels = psd->count; for (i = 0; i < arvif->reg_tpc_info.num_pwr_levels; i++) {
Commit 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") breaks ath11k, leading to kernel crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:ath11k_mac_get_eirp_power.isra.0+0x5b/0x80 [ath11k] Call Trace: <TASK> ath11k_mac_fill_reg_tpc_info+0x3d6/0x800 [ath11k] ath11k_mac_vdev_start_restart+0x412/0x4d0 [ath11k] ath11k_mac_op_sta_state+0x7bc/0xbb0 [ath11k] drv_sta_state+0xf1/0x5f0 [mac80211] sta_info_insert_rcu+0x28d/0x530 [mac80211] sta_info_insert+0xf/0x20 [mac80211] ieee80211_prep_connection+0x3b4/0x4c0 [mac80211] ieee80211_mgd_auth+0x363/0x600 [mac80211] The issue scenario is, AP advertises power spectral density (PSD) values in its transmit power envelope (TPE) IE and supports 160 MHz bandwidth in 6 GHz. When connecting to this AP, in ath11k_mac_parse_tx_pwr_env(), the local variable psd is true and then reg_tpc_info.num_pwr_levels is set to 8 due to 160 MHz bandwidth. Note here ath11k fails to set reg_tpc_info.is_psd_power as TRUE due to above commit. Then in ath11k_mac_fill_reg_tpc_info(), for each of the 8 power levels, for a PSD channel, ath11k_mac_get_psd_channel() is expected to be called to get required information. However due to invalid reg_tpc_info.is_psd_power, it is ath11k_mac_get_eirp_power() that gets called and passed with pwr_lvl_idx as one of the arguments. Note this function implicitly requires pwr_lvl_idx to be no more than 3. So when pwr_lvl_idx is larger than that ath11k_mac_get_seg_freq() returns invalid center frequency, with which as the input ieee80211_get_channel() returns NULL, then kernel crashes due to NULL pointer dereference. Fix it by setting reg_tpc_info.is_psd_power properly. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 Fixes: 39dc8b8ea387 ("wifi: mac80211: pass parsed TPE data to drivers") Reported-by: Mikko Tiihonen <mikko.tiihonen@iki.fi> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219131 Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> --- drivers/net/wireless/ath/ath11k/mac.c | 1 + 1 file changed, 1 insertion(+) base-commit: 1462e8e1c93ecb96b5820ec28f7cbbb8a5aeb732