Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3270127ybb; Mon, 6 Apr 2020 05:44:52 -0700 (PDT) X-Google-Smtp-Source: APiQypLyOEZfn9KDOTe/kNjHpjotK6RpCDzJhW5/GBWJan73+GwWNWTJTFdE4MOGPSrP8IvcLbz3 X-Received: by 2002:a54:448a:: with SMTP id v10mr12780424oiv.49.1586177091930; Mon, 06 Apr 2020 05:44:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586177091; cv=none; d=google.com; s=arc-20160816; b=0cHiem2T4tPvD/5plnyvRhYL2U5uTdH6XbC6nd22t/bFzSNhWHB6ZUAb/OcV2uDikT TsE731K8sbTbJlGHw+rm903qL5aP5Meh5yblN2R2KsLscrtairig9P6ySnDXaqXBtLbf roc8vicY3E6JoOxE9/idA2koe7CV5VdjvC+apVcWILk9C7HS5lgFfgavBekQsSLCFl3M KmgnG+ZOcjVm3+gcxNkAFPxEsPc+lRwHdZxzZUYqCsGVO0KCX/kghdc9MgvLR9bzCPqo QQmc5KGJnMyqYqTtkoZo/tuRaKE9CgTtD5YP0IPX9seBJvP/iJ1HESr4pTAml5vfkXJP EqAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=3oDVd+6GLbrJKJIPaOazEkXfZ8oXBg6GjnO2XVEktPc=; b=DAQOKS5SzsMQVuC1Z1tQPdPyoE9XQrwirT8/cYD6rm1HcXf4nLdY4ux8/emcBSmXVN PPAs1YqaNtCwrkLtunVW2/+b7d4KDAvWRhl8931YvIB763ZvnQoK+/0vJl49gR1EnHej /2Pc2eugwxmZyzylGObCE4GEWG3sXXGHxVAjfcbLRtV6n3UQGwUKwJWhQCyFhJKeRM5E diYeuvQXE6DHmdWI0dv6VAdqLopPd/ppnxy8h/4s/ZDSf7BlKgpPApRqY4/R6UktzF48 YLt76OWsmcTAHabKLzNNI8AHPFQ1KHYcpzReAo5xTDMSeFl9ARoOUK7fkzsbG3CLG4W9 T98w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l25si8469883otn.206.2020.04.06.05.44.38; Mon, 06 Apr 2020 05:44:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728061AbgDFMoV (ORCPT + 99 others); Mon, 6 Apr 2020 08:44:21 -0400 Received: from s3.sipsolutions.net ([144.76.43.62]:57804 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727993AbgDFMoV (ORCPT ); Mon, 6 Apr 2020 08:44:21 -0400 Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.93) (envelope-from ) id 1jLR6j-009kcZ-Dx; Mon, 06 Apr 2020 14:44:05 +0200 Message-ID: Subject: Re: [PATCH] mac80211: fix race in ieee80211_register_hw() From: Johannes Berg To: Sumit Garg , linux-wireless@vger.kernel.org Cc: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, matthias.schoepfer@ithinx.io, Philipp.Berg@liebherr.com, Michael.Weitner@liebherr.com, daniel.thompson@linaro.org, loic.poulain@linaro.org, stable@vger.kernel.org Date: Mon, 06 Apr 2020 14:44:02 +0200 In-Reply-To: <1586175677-3061-1-git-send-email-sumit.garg@linaro.org> (sfid-20200406_142251_569735_E1B08414) References: <1586175677-3061-1-git-send-email-sumit.garg@linaro.org> (sfid-20200406_142251_569735_E1B08414) Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.34.4 (3.34.4-1.fc31) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2020-04-06 at 17:51 +0530, Sumit Garg wrote: > A race condition leading to a kernel crash is observed during invocation > of ieee80211_register_hw() on a dragonboard410c device having wcn36xx > driver built as a loadable module along with a wifi manager in user-space > waiting for a wifi device (wlanX) to be active. > > Sequence diagram for a particular kernel crash scenario: > > user-space ieee80211_register_hw() RX IRQ > +++++++++++++++++++++++++++++++++++++++++++++ > | | | > |<---wlan0---wiphy_register() | > |----start wlan0---->| | > | |<---IRQ---(RX packet) > | Kernel crash | > | due to unallocated | > | workqueue. | > | | | > | alloc_ordered_workqueue() | > | | | > | Misc wiphy init. | > | | | > | ieee80211_if_add() | > | | | > > As evident from above sequence diagram, this race condition isn't specific > to a particular wifi driver but rather the initialization sequence in > ieee80211_register_hw() needs to be fixed. Indeed, oops. > So re-order the initialization > sequence and the updated sequence diagram would look like: > > user-space ieee80211_register_hw() RX IRQ > +++++++++++++++++++++++++++++++++++++++++++++ > | | | > | alloc_ordered_workqueue() | > | | | > | Misc wiphy init. | > | | | > |<---wlan0---wiphy_register() | > |----start wlan0---->| | > | |<---IRQ---(RX packet) > | | | > | ieee80211_if_add() | > | | | Makes sense. > @@ -1254,6 +1250,14 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > local->sband_allocated |= BIT(band); > } > > + rtnl_unlock(); > + > + result = wiphy_register(local->hw.wiphy); > + if (result < 0) > + goto fail_wiphy_register; > + > + rtnl_lock(); I'm a bit worried about this unlock/relock here though. I think we only need the RTNL for the call to ieee80211_init_rate_ctrl_alg() and then later ieee80211_if_add(), so perhaps we can move that a little closer? All the stuff between is really just setting up local stuff, so doesn't really need to worry? johannes