diff options
| author | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2019-10-07 19:52:10 -0700 |
|---|---|---|
| committer | Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> | 2019-10-09 18:31:21 -0700 |
| commit | a21a3f1f1e42148c14fae334a1b7dd57995ec43a (patch) | |
| tree | d38174957ef4f58646e87c4126d0a42cb647edb2 /drivers/rmnet/shs/rmnet_shs_wq.h | |
| parent | 1ff991750f195087f1d0015e2c9c9c099598f77c (diff) | |
| download | data-kernel-a21a3f1f1e42148c14fae334a1b7dd57995ec43a.tar.gz | |
drivers: rmnet_shs: Remove rmnet ep access
Rmnet driver allocates rmnet_endpoint which rmnet_shs was using
to keep track of endpoints that needed. However rmnet driver
frees the memory before endpoint unregistration so this leaves a
potential race condition where the wq can run after freeing.
Change is to instead use net_dev refrerences we keep track of from
net_dev_cb and no longer use rmnet_endpoints allocated by rmnet driver.
Rmnet_shs was only using netdev references in rmnet_endpoint so no
impact should be expected.
This use-after-free would cause the following crash-signature.
<6> Unable to handle kernel paging request at virtual address 00005000
<6> Mem abort info:
<6> Exception class = DABT (current EL), IL = 32 bits
<6> SET = 0, FnV = 0
<6> EA = 0, S1PTW = 0
<6> FSC = 5
<6> Data abort info:
<6> ISV = 0, ISS = 0x00000005
<6> CM = 0, WnR = 0
<6> user pgtable: 4k pages, 39-bit VAs, pgd = 0000000070b0b425
<6> Internal error: Oops: 96000005 [#1] PREEMPT SMP
<6> Workqueue: rmnet_shs_wq rmnet_shs_wq_process_wq [rmnet_shs]
<6> task: 00000000deaad59d task.stack: 00000000053e0949
<2> pc : rmnet_shs_wq_update_ep_rps_msk+0x3c/0xd8 [rmnet_shs]
<2> lr : rmnet_shs_wq_update_ep_rps_msk+0x28/0xd8 [rmnet_shs]
<2> Call trace:
<2> rmnet_shs_wq_update_ep_rps_msk+0x3c/0xd8 [rmnet_shs]
<2> rmnet_shs_wq_update_stats+0x98/0x928 [rmnet_shs]
<2> rmnet_shs_wq_process_wq+0x10c/0x248 [rmnet_shs]
<2> process_one_work+0x1f0/0x458
<2> worker_thread+0x2ec/0x450
<2> kthread+0x11c/0x130
<2> ret_from_fork+0x10/0x1c
CRs-Fixed: 2541604
Change-Id: I7026f2564c463f4ca989af97572e2a8fe5652087
Acked-by: Raul Martinez <mraul@qti.qualcomm.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Diffstat (limited to 'drivers/rmnet/shs/rmnet_shs_wq.h')
| -rw-r--r-- | drivers/rmnet/shs/rmnet_shs_wq.h | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/drivers/rmnet/shs/rmnet_shs_wq.h b/drivers/rmnet/shs/rmnet_shs_wq.h index b0bbd9c..90d1604 100644 --- a/drivers/rmnet/shs/rmnet_shs_wq.h +++ b/drivers/rmnet/shs/rmnet_shs_wq.h @@ -32,8 +32,7 @@ struct rmnet_shs_wq_ep_s { struct list_head ep_list_id; - struct rmnet_endpoint *ep; - struct net_device *netdev; + struct net_device *ep; int new_lo_core[MAX_CPUS]; int new_hi_core[MAX_CPUS]; u16 default_core_msk; @@ -133,7 +132,6 @@ struct rmnet_shs_wq_rx_flow_s { struct rmnet_shs_delay_wq_s { struct delayed_work wq; - struct net_device *netdev; }; @@ -214,6 +212,8 @@ void rmnet_shs_wq_exit(void); void rmnet_shs_wq_restart(void); void rmnet_shs_wq_pause(void); +void rmnet_shs_update_cfg_mask(void); + u64 rmnet_shs_wq_get_max_pps_among_cores(u32 core_msk); void rmnet_shs_wq_create_new_flow(struct rmnet_shs_skbn_s *node_p); int rmnet_shs_wq_get_least_utilized_core(u16 core_msk); @@ -221,9 +221,9 @@ int rmnet_shs_wq_get_lpwr_cpu_new_flow(struct net_device *dev); int rmnet_shs_wq_get_perf_cpu_new_flow(struct net_device *dev); u64 rmnet_shs_wq_get_max_allowed_pps(u16 cpu); void rmnet_shs_wq_inc_cpu_flow(u16 cpu); -u32 rmnet_shs_wq_get_dev_rps_msk(struct net_device *dev); void rmnet_shs_wq_dec_cpu_flow(u16 cpu); void rmnet_shs_hstat_tbl_delete(void); void rmnet_shs_wq_set_ep_active(struct net_device *dev); void rmnet_shs_wq_reset_ep_active(struct net_device *dev); +void rmnet_shs_wq_refresh_new_flow_list(void); #endif /*_RMNET_SHS_WQ_H_*/ |