Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4691305ybb; Tue, 7 Apr 2020 12:26:08 -0700 (PDT) X-Google-Smtp-Source: APiQypIFGfUVEUHXQQsYSpkh6I/6G6HY9BOwK8IGmF26UPWmxXL47keoWzbkMdYmYKCFKq9c0y44 X-Received: by 2002:a9d:364b:: with SMTP id w69mr2915635otb.332.1586287568172; Tue, 07 Apr 2020 12:26:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586287568; cv=none; d=google.com; s=arc-20160816; b=XieNvTBLJ4FXP2fGllbsTRvrHJSa5oTXHlXFMEdfc2iqNrrZgek5NpNtKksHpG125l igAJ2ZH8Sxzty6/VdlFlXjIfz8g1bAtIOsTzjLKVnZ2mR7G3Jn++nUHoQX5osWcGLrUX oGeb6k/xVx06Xp+8L8HIX7j23VWE7htt+nE+Mhha2e5cG0UAYP7/XrbmNEiTmhmklkCs T65ZfDPc+D1D/sj55eKjxgaoSZAW2Id8NPWnDqEbz1CuqPEcr2xrz46yvNWKPCkwCw6x THXEcGg1WLGQMT4RcrPQpN3ROyR8CdelQjH8i0lmVISNbrui799juQCECkuoJSXkllxn rKXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=7Hzvtg6W0i9DvnOErHW1hryLvey/3wLijh3fHGUEWdw=; b=0V/o9q/YBOsMsdOLFo+sf+GA7nWcFEusCzTOnJVexFakqXDjsVsSosFVqKQzKUjuhm kp/a9dBRiny3GUbL91LkLgeREwEBFkP/Egq4JgH9jIB7sbAsI0a0jTkgZ3OOvoPLcqQI K5ZvoA2KqJTZn1O5PmsqlKMQ0klceNJtjNjY9juHZ5+8Ie3imhR7tVbvnYCs5JkahE9k g3Z/NOTSWx55PC0uGfNwhblkmXBgryD4kINexVoO1mCDIFSNBdL7l2w8TJ+ny0LuHtQ2 ssROYBpNLquP6bhtIm6+DXV8rjgwId5lcdfKJcP1qXSbjKltT2+xTck9opiY2Bs/Pypj jkYw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="s/kJS3q1"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m18si1692069otn.322.2020.04.07.12.25.53; Tue, 07 Apr 2020 12:26:08 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="s/kJS3q1"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726894AbgDGTZQ (ORCPT + 99 others); Tue, 7 Apr 2020 15:25:16 -0400 Received: from mail-yb1-f195.google.com ([209.85.219.195]:46952 "EHLO mail-yb1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726705AbgDGTZQ (ORCPT ); Tue, 7 Apr 2020 15:25:16 -0400 Received: by mail-yb1-f195.google.com with SMTP id f14so2413056ybr.13; Tue, 07 Apr 2020 12:25:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7Hzvtg6W0i9DvnOErHW1hryLvey/3wLijh3fHGUEWdw=; b=s/kJS3q1UOBpbuEZ+pkttGQ5l06EF7BUXxAUEee2bEUKn6ltPTrIePhhewjMEG2m+R Dpu8sLfRYsNkGWBrd1aS2/rr5414FSnmOk6dpj+Q7rXj81MhSFqAEDHXzzVohJiJgSOC yidiTuF+4+cE9iC5aJXqW/SlO7Agso91d4Z47zNynyIFBAp3XuKjCroR4zllE6ENgJz9 djhC88WaA0dtRdvNNs6cKuw8GfZdCaKXhR17AG/gOuVWkBZlR6D8ZwgG6rlEQGlpscBX CYiTKitbuQaTXGxTN5iZx1oAHJ8SA6thrmOQDQGQLNvbFmB8TrJL45WUDIpG3hdCrFf3 YF0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7Hzvtg6W0i9DvnOErHW1hryLvey/3wLijh3fHGUEWdw=; b=OgfAqqyxnfH2tyZgJERMTpdAI22KZCvvA+1Jtl6JEkvrkdbRGdorQr3udwrMG8qg3V A/s0m6ZaWIn2SIC38My5OI9cyvxKdJBK6cTLdl5F8xjZIAJjBBEE4x7VUhdtpo9KS5Vt 3haRpFyjBSz4WDYsG5Uo13T64XvcOwuKl6RM79vyB++gz+LK5FRtT9pCjJ1IrGgiSfON eia7A0o/jBZMsQ8Lj8AQ/rQ+NK5v1e678f7n/8CxHUzoHXAVvtoK4lFWuD54z2H4x5Gr oQ5ibfcyGz2eEKv9RoKzHsTL2cVd51J+GLYyw0B1GDsUOkipK0yTOIht8o+YhsYMqpSv sqOw== X-Gm-Message-State: AGi0PuZEejlI5GDKFeoLe9ftmn3eFEbGkrmPbh9QlJrALUgG+wIzA2FV KoU7VHgBT2sDDgU62m4gfPN+ewkhgu/m2XmdRlY= X-Received: by 2002:a5b:443:: with SMTP id s3mr6522316ybp.14.1586287514312; Tue, 07 Apr 2020 12:25:14 -0700 (PDT) MIME-Version: 1.0 References: <1586254255-28713-1-git-send-email-sumit.garg@linaro.org> In-Reply-To: <1586254255-28713-1-git-send-email-sumit.garg@linaro.org> From: Krishna Chaitanya Date: Wed, 8 Apr 2020 00:55:02 +0530 Message-ID: Subject: Re: [PATCH v2] mac80211: fix race in ieee80211_register_hw() To: Sumit Garg Cc: linux-wireless , Johannes Berg , "David S. Miller" , kuba@kernel.org, Kalle Valo , netdev , Linux Kernel Mailing List , =?UTF-8?Q?Matthias=2DPeter_Sch=C3=B6pfer?= , "Berg Philipp (HAU-EDS)" , "Weitner Michael (HAU-EDS)" , Daniel Thompson , Loic Poulain , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 7, 2020 at 3:41 PM Sumit Garg wrote: > > A race condition leading to a kernel crash is observed during invocation > of ieee80211_register_hw() on a dragonboard410c device having wcn36xx > driver built as a loadable module along with a wifi manager in user-space > waiting for a wifi device (wlanX) to be active. > > Sequence diagram for a particular kernel crash scenario: > > user-space ieee80211_register_hw() ieee80211_tasklet_handler() > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > | | | > |<---phy0----wiphy_register() | > |-----iwd if_add---->| | just a nitpick, a better one would be (iwd: if_add + ap_start) since we need to have 'iwctl ap start' to trigger the interrupts. > | |<---IRQ----(RX packet) > | Kernel crash | > | due to unallocated | > | workqueue. | > | | | > | alloc_ordered_workqueue() | > | | | > | Misc wiphy init. | > | | | > | ieee80211_if_add() | > | | | > > As evident from above sequence diagram, this race condition isn't specific > to a particular wifi driver but rather the initialization sequence in > ieee80211_register_hw() needs to be fixed. So re-order the initialization > sequence and the updated sequence diagram would look like: > > user-space ieee80211_register_hw() ieee80211_tasklet_handler() > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > | | | > | alloc_ordered_workqueue() | > | | | > | Misc wiphy init. | > | | | > |<---phy0----wiphy_register() | > |-----iwd if_add---->| | same as above. > | |<---IRQ----(RX packet) > | | | > | ieee80211_if_add() | > | | | > > Cc: > Signed-off-by: Sumit Garg > --- > > Changes in v2: > - Move rtnl_unlock() just after ieee80211_init_rate_ctrl_alg(). > - Update sequence diagrams in commit message for more clarification. > > net/mac80211/main.c | 22 +++++++++++++--------- > 1 file changed, 13 insertions(+), 9 deletions(-) > > diff --git a/net/mac80211/main.c b/net/mac80211/main.c > index 4c2b5ba..d497129 100644 > --- a/net/mac80211/main.c > +++ b/net/mac80211/main.c > @@ -1051,7 +1051,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > local->hw.wiphy->signal_type = CFG80211_SIGNAL_TYPE_UNSPEC; > if (hw->max_signal <= 0) { > result = -EINVAL; > - goto fail_wiphy_register; > + goto fail_workqueue; > } > } > > @@ -1113,7 +1113,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > result = ieee80211_init_cipher_suites(local); > if (result < 0) > - goto fail_wiphy_register; > + goto fail_workqueue; > > if (!local->ops->remain_on_channel) > local->hw.wiphy->max_remain_on_channel_duration = 5000; > @@ -1139,10 +1139,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > local->hw.wiphy->max_num_csa_counters = IEEE80211_MAX_CSA_COUNTERS_NUM; > > - result = wiphy_register(local->hw.wiphy); > - if (result < 0) > - goto fail_wiphy_register; > - > /* > * We use the number of queues for feature tests (QoS, HT) internally > * so restrict them appropriately. > @@ -1207,6 +1203,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > goto fail_rate; > } > > + rtnl_unlock(); > + > if (local->rate_ctrl) { > clear_bit(IEEE80211_HW_SUPPORTS_VHT_EXT_NSS_BW, hw->flags); > if (local->rate_ctrl->ops->capa & RATE_CTRL_CAPA_VHT_EXT_NSS_BW) > @@ -1254,6 +1252,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > local->sband_allocated |= BIT(band); > } > > + result = wiphy_register(local->hw.wiphy); > + if (result < 0) > + goto fail_wiphy_register; > + > + rtnl_lock(); > + > /* add one default STA interface if supported */ > if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_STATION) && > !ieee80211_hw_check(hw, NO_AUTO_VIF)) { > @@ -1293,6 +1297,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > #if defined(CONFIG_INET) || defined(CONFIG_IPV6) > fail_ifa: > #endif > + wiphy_unregister(local->hw.wiphy); > + fail_wiphy_register: > rtnl_lock(); > rate_control_deinitialize(local); > ieee80211_remove_interfaces(local); > @@ -1302,8 +1308,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > ieee80211_led_exit(local); > destroy_workqueue(local->workqueue); > fail_workqueue: > - wiphy_unregister(local->hw.wiphy); > - fail_wiphy_register: > if (local->wiphy_ciphers_allocated) > kfree(local->hw.wiphy->cipher_suites); > kfree(local->int_scan_req); > @@ -1353,8 +1357,8 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw) > skb_queue_purge(&local->skb_queue_unreliable); > skb_queue_purge(&local->skb_queue_tdls_chsw); > > - destroy_workqueue(local->workqueue); > wiphy_unregister(local->hw.wiphy); > + destroy_workqueue(local->workqueue); > ieee80211_led_exit(local); > kfree(local->int_scan_req); > } > -- > 2.7.4 > -- Thanks, Regards, Chaitanya T K.