From patchwork Mon Nov 26 08:22:06 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: AceLan Kao <acelan.kao@canonical.com>
X-Patchwork-Id: 1003057
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="XZdGh5eO"; dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 433Kf529YJz9s9J;
	Mon, 26 Nov 2018 19:22:21 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1gRC9o-00032s-NX; Mon, 26 Nov 2018 08:22:16 +0000
Received: from mail-pl1-f193.google.com ([209.85.214.193])
	by huckleberry.canonical.com with esmtps
	(TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
	(envelope-from <acelan@gmail.com>) id 1gRC9m-00032R-GC
	for kernel-team@lists.ubuntu.com; Mon, 26 Nov 2018 08:22:14 +0000
Received: by mail-pl1-f193.google.com with SMTP id gn14so13511307plb.10
	for <kernel-team@lists.ubuntu.com>;
	Mon, 26 Nov 2018 00:22:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:subject:date:message-id:in-reply-to:references;
	bh=AMuOA+EYEF49Ma003GKv1JtixVLx3Ox9nq3/oJIeg9I=;
	b=XZdGh5eOUcJyk0Ix+teumvroGE/ZZfid2A2k3zWrU2OBQfaSN/++y1tsd7h672b86l
	fMJQKKCMrrz20mRahOg6sM62jOVGc1T2r00wOHFtXEH/un5uR6YixeDCLw8o1gwEuS2T
	BZam5kEMewGEFOnUSy2mmIXfD3z9/F0j2gpzzcgHO53MG9cMsWekzp9g/m00E2r8Gxpu
	pEDeVuwfz8TIxfIUDhXwbxCHCh82gDvhHtFy4X1vqskTdYAf9cmnyzmlSHFXExEFAESF
	rHTKS4Eq/otAjPj5oohrfX8ydKq5b6c5IrtO+OXbkd0Q3dUI3jTHBgKOZ83TO0htWq7D
	tkOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:subject:date:message-id
	:in-reply-to:references;
	bh=AMuOA+EYEF49Ma003GKv1JtixVLx3Ox9nq3/oJIeg9I=;
	b=UyI99LrtpJ53HIOXD5o+OrpWRuGF8IJEqCdVmmH2CQ/tf5W0EjPP7KLN6Mt66Q8inN
	DSpGGcxjxQxGGVI6ZCqYABgVJJEEiEbQK3yhTpB7ky97vm6abNhDWdlPKuSHApaiU+sy
	b/WyTGMGlRivsnaAFpLHFPSMXBZK84Q2c4eBEKPoxx8qhnF5iEYptWgzb+LE+1YrtpG5
	3zrFqCTVOh6a+gTTwMWNdGpvD7PqhoJKl6Np4PRMxq6CMe6y3YsBhvu/mIg/gcySvdOg
	YbHf92P7rQU0AptJGJzgoaT7oOUmNII2DV2OWutFzlNNj/T38HPxAA/Hp59Gym1KgSvM
	xvgw==
X-Gm-Message-State: AA+aEWaXNHOFN4yfnCzXOBsSe00KwXJAKfuVdnxblyelz+gcZmKp4KPA
	xI7cqvEv+X6X2cXWEmdiARWya+QN
X-Google-Smtp-Source: 
 AFSGD/V0g/MIH+PtAy2/5vksk/9yF8gz5/NVKeWBdmsrT8zsIMC91vPXcLlwZagbpo1y+zFmhDgELw==
X-Received: by 2002:a17:902:2887:: with SMTP id
	f7mr25943586plb.176.1543220532592;
	Mon, 26 Nov 2018 00:22:12 -0800 (PST)
Received: from localhost (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37])
	by smtp.gmail.com with ESMTPSA id
	j6sm40104518pfg.126.2018.11.26.00.22.11
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Mon, 26 Nov 2018 00:22:11 -0800 (PST)
From: AceLan Kao <acelan.kao@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/1][SRU][B][OEM-B]iwlwifi: pcie: compare with number of IRQs
	requested for, not number of CPUs
Date: Mon, 26 Nov 2018 16:22:06 +0800
Message-Id: <20181126082206.9057-2-acelan.kao@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181126082206.9057-1-acelan.kao@canonical.com>
References: <20181126082206.9057-1-acelan.kao@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Hao Wei Tee <angelsl@in04.sg>

BugLink: https://bugs.launchpad.net/bugs/1805088

When there are 16 or more logical CPUs, we request for
`IWL_MAX_RX_HW_QUEUES` (16) IRQs only as we limit to that number of
IRQs, but later on we compare the number of IRQs returned to
nr_online_cpus+2 instead of max_irqs, the latter being what we
actually asked for. This ends up setting num_rx_queues to 17 which
causes lots of out-of-bounds array accesses later on.

Compare to max_irqs instead, and also add an assertion in case
num_rx_queues > IWM_MAX_RX_HW_QUEUES.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199551

Fixes: 2e5d4a8f61dc ("iwlwifi: pcie: Add new configuration to enable MSIX")
Signed-off-by: Hao Wei Tee <angelsl@in04.sg>
Tested-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
(cherry picked from commit ab1068d6866e28bf6427ceaea681a381e5870a4a)
Signed-off-by: AceLan Kao <acelan.kao@canonical.com>
Acked-by: Aaron Ma <aaron.ma@canonical.com>
---
 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
index fbc45361f0bb..14a755cdaf36 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
@@ -1588,14 +1588,13 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev,
 					struct iwl_trans *trans)
 {
 	struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
-	int max_irqs, num_irqs, i, ret, nr_online_cpus;
+	int max_irqs, num_irqs, i, ret;
 	u16 pci_cmd;
 
 	if (!trans->cfg->mq_rx_supported)
 		goto enable_msi;
 
-	nr_online_cpus = num_online_cpus();
-	max_irqs = min_t(u32, nr_online_cpus + 2, IWL_MAX_RX_HW_QUEUES);
+	max_irqs = min_t(u32, num_online_cpus() + 2, IWL_MAX_RX_HW_QUEUES);
 	for (i = 0; i < max_irqs; i++)
 		trans_pcie->msix_entries[i].entry = i;
 
@@ -1621,16 +1620,17 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev,
 	 * Two interrupts less: non rx causes shared with FBQ and RSS.
 	 * More than two interrupts: we will use fewer RSS queues.
 	 */
-	if (num_irqs <= nr_online_cpus) {
+	if (num_irqs <= max_irqs - 2) {
 		trans_pcie->trans->num_rx_queues = num_irqs + 1;
 		trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX |
 			IWL_SHARED_IRQ_FIRST_RSS;
-	} else if (num_irqs == nr_online_cpus + 1) {
+	} else if (num_irqs == max_irqs - 1) {
 		trans_pcie->trans->num_rx_queues = num_irqs;
 		trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX;
 	} else {
 		trans_pcie->trans->num_rx_queues = num_irqs - 1;
 	}
+	WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES);
 
 	trans_pcie->alloc_vecs = num_irqs;
 	trans_pcie->msix_enabled = true;