Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp655015ybz; Wed, 15 Apr 2020 16:03:07 -0700 (PDT) X-Google-Smtp-Source: APiQypI0e+OhKYPZDAtCR6ijQkb28+mL63xDyYNMPsvY9gsy5Ie/xdc67TB5NE4ip+IbbeEcpaoF X-Received: by 2002:aa7:c3c2:: with SMTP id l2mr5614223edr.362.1586991787571; Wed, 15 Apr 2020 16:03:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586991787; cv=none; d=google.com; s=arc-20160816; b=zZaQGX6SFNMxFO3b1ApQhPP0OeNXRZIRH+vJuDJhFUb5mOpW2R6p0Eulci8OC8V30k qKzEzRRP4SLOe4yOPHBzsTI9xuTfuZlnJ+UMcFIRDG2aSsNhl27ydDbgxp9DjZ1HBjRv q4cegdUWmuSpdJCrprvpB1yBpm64x6tWqnAp0TnWt79vUjNDvJdSae6cte312I+Xmw/u z59rZ4k36w9GDkVFuADWpRrvjqdQMHlDd5qVIF6G7GJj/wyvEnoa1PYhUWOylYz00Hfh YFsaRY/RSYjC7zrYXtzmIYzzKjH+zRQfXtim/KBryolIqvvtB6jJmt6TSVaP6yC1y0Mw lH4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=KBpalj9lT5kvxcjd5x3o+owJyJdduvaY1jMLu6w9DYI=; b=zYHZT4Z1K2LUU422Oi+Kqx7humLmJcc9u91+YzYVf24SQlezmBGEkegud/g+6qwVl7 MtTsK3Uko8/huhn8ukRwBD5G2Sqfb+7M1XeqkYJjXK8eDQgeBEBZfltLM6z7/MHCipqi rCqgyGGWFxTw8MgF4neHXmnSd77Zrvrdjnii6OqSgc5WXwbCHJCvpO//ahBuY2WF9PCj fdJbR7nnFl2H2TWIimbdNaVgwAO7tGCPDTHfbDY27nlJlrk4bS9N9r3gRFikHhwus3lI 14SSTNiDvjL8243yWkLr5m0XY2tE+j4N17pPG+bVlIJWehqoYkiS8N4O1hWm0uiejGeD wB4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="nHw/ApgL"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 13si8603375ejz.499.2020.04.15.16.02.43; Wed, 15 Apr 2020 16:03:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="nHw/ApgL"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2897338AbgDOLkI (ORCPT + 99 others); Wed, 15 Apr 2020 07:40:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40056 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2897074AbgDOLfn (ORCPT ); Wed, 15 Apr 2020 07:35:43 -0400 Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 654D2C061A0F for ; Wed, 15 Apr 2020 04:35:42 -0700 (PDT) Received: by mail-lj1-x244.google.com with SMTP id u15so3298475ljd.3 for ; Wed, 15 Apr 2020 04:35:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KBpalj9lT5kvxcjd5x3o+owJyJdduvaY1jMLu6w9DYI=; b=nHw/ApgLmxZUw2uFNTIAg/ctnJ7fmQ28uOV3gnu5UtZgIkXAbP43vB4FqdI4Q4eHiy 2VvlqpmAjlL2m4089uAWAE9xB5Ij13OPiCOtrf4qvHEmXCD8KwnyKwA0EWo8HZChlWN+ JP5Lx0ENlM/A4M96Hqzs+VVLySNgd7BTG9tGk1/+1/8BNdJAK0Qro1X93sr+kCJZx9YI SsvZM5+XuXR4L5fiXPNooZkqV2DvAJbk2cInkjEV6Tg5dAhu5lnQsxh/ygiRSfyx5XSN dx3OxqOfJ4SnxBViMHsrwgFydTWVJwl4ADXgcN5Of6iXY0A1K6+HLBQBGetTQbzJ6n/0 Di6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KBpalj9lT5kvxcjd5x3o+owJyJdduvaY1jMLu6w9DYI=; b=pzftTqVoiowN7Kc3iI+aWxL1+1NskamANTATVAzmzi587OiKsThNUaQMlLIVQ0Bw2/ YsGY7iYItDHJOhoyTLjU7j8UMb8J5CCzDACjkKjEorIJ538YOvY6mK6X600X+dBvM94p 3ODPlDoy+fae8BSfsnhLn78m9aDyG0VgVvt6g3xwdwBm+S4gLXzf1gr3+W0XLSfzW2Z2 UXFuAz07az78qp0TUMTWR9ccidBxXYiCM8PmCYznP72C6gz1rsJMXcfQP+awJ7xwumJl 5wQbNRwlAcsvz1qB4AYYY9aSChuzGjheq5Rkt6NDTVAeAejYZJHFXtQsQoqINvAOoCx/ h5rA== X-Gm-Message-State: AGi0PubvUOPi5Ml9ppDxxaowAqW7Yjhq2UbrB2UcCNaLYOQbvD2Z+MwX t/dZ1PkRuwH3n0lr8Or53Ao4LKUWsDWQ7ximK8bRxQ== X-Received: by 2002:a2e:b8c1:: with SMTP id s1mr3169915ljp.0.1586950540057; Wed, 15 Apr 2020 04:35:40 -0700 (PDT) MIME-Version: 1.0 References: <1586254255-28713-1-git-send-email-sumit.garg@linaro.org> In-Reply-To: From: Sumit Garg Date: Wed, 15 Apr 2020 17:05:28 +0530 Message-ID: Subject: Re: [PATCH v2] mac80211: fix race in ieee80211_register_hw() To: Johannes Berg Cc: linux-wireless , Krishna Chaitanya , "David S. Miller" , kuba@kernel.org, Kalle Valo , netdev , Linux Kernel Mailing List , =?UTF-8?Q?Matthias=2DPeter_Sch=C3=B6pfer?= , "Berg Philipp (HAU-EDS)" , "Weitner Michael (HAU-EDS)" , Daniel Thompson , Loic Poulain , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 9 Apr 2020 at 10:12, Sumit Garg wrote: > > Hi Johannes, > > On Wed, 8 Apr 2020 at 00:55, Krishna Chaitanya wrote: > > > > On Tue, Apr 7, 2020 at 3:41 PM Sumit Garg wrote: > > > > > > A race condition leading to a kernel crash is observed during invocation > > > of ieee80211_register_hw() on a dragonboard410c device having wcn36xx > > > driver built as a loadable module along with a wifi manager in user-space > > > waiting for a wifi device (wlanX) to be active. > > > > > > Sequence diagram for a particular kernel crash scenario: > > > > > > user-space ieee80211_register_hw() ieee80211_tasklet_handler() > > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > | | | > > > |<---phy0----wiphy_register() | > > > |-----iwd if_add---->| | > > just a nitpick, a better one would be (iwd: if_add + ap_start) since > > we need to have 'iwctl ap start' > > to trigger the interrupts. > > > | |<---IRQ----(RX packet) > > > | Kernel crash | > > > | due to unallocated | > > > | workqueue. | > > > | | | > > > | alloc_ordered_workqueue() | > > > | | | > > > | Misc wiphy init. | > > > | | | > > > | ieee80211_if_add() | > > > | | | > > > > > > As evident from above sequence diagram, this race condition isn't specific > > > to a particular wifi driver but rather the initialization sequence in > > > ieee80211_register_hw() needs to be fixed. So re-order the initialization > > > sequence and the updated sequence diagram would look like: > > > > > > user-space ieee80211_register_hw() ieee80211_tasklet_handler() > > > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > | | | > > > | alloc_ordered_workqueue() | > > > | | | > > > | Misc wiphy init. | > > > | | | > > > |<---phy0----wiphy_register() | > > > |-----iwd if_add---->| | > > same as above. > > > | |<---IRQ----(RX packet) > > > | | | > > > | ieee80211_if_add() | > > > | | | > > > > > > Cc: > > > Signed-off-by: Sumit Garg > > > --- > > > > > In case we don't have any further comments, could you fix this nitpick > from Chaitanya while applying or would you like me to respin and send > v3? A gentle ping. Is this patch a good candidate for 5.7-rc2? -Sumit > > -Sumit > > > > Changes in v2: > > > - Move rtnl_unlock() just after ieee80211_init_rate_ctrl_alg(). > > > - Update sequence diagrams in commit message for more clarification. > > > > > > net/mac80211/main.c | 22 +++++++++++++--------- > > > 1 file changed, 13 insertions(+), 9 deletions(-) > > > > > > diff --git a/net/mac80211/main.c b/net/mac80211/main.c > > > index 4c2b5ba..d497129 100644 > > > --- a/net/mac80211/main.c > > > +++ b/net/mac80211/main.c > > > @@ -1051,7 +1051,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > local->hw.wiphy->signal_type = CFG80211_SIGNAL_TYPE_UNSPEC; > > > if (hw->max_signal <= 0) { > > > result = -EINVAL; > > > - goto fail_wiphy_register; > > > + goto fail_workqueue; > > > } > > > } > > > > > > @@ -1113,7 +1113,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > > > > result = ieee80211_init_cipher_suites(local); > > > if (result < 0) > > > - goto fail_wiphy_register; > > > + goto fail_workqueue; > > > > > > if (!local->ops->remain_on_channel) > > > local->hw.wiphy->max_remain_on_channel_duration = 5000; > > > @@ -1139,10 +1139,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > > > > local->hw.wiphy->max_num_csa_counters = IEEE80211_MAX_CSA_COUNTERS_NUM; > > > > > > - result = wiphy_register(local->hw.wiphy); > > > - if (result < 0) > > > - goto fail_wiphy_register; > > > - > > > /* > > > * We use the number of queues for feature tests (QoS, HT) internally > > > * so restrict them appropriately. > > > @@ -1207,6 +1203,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > goto fail_rate; > > > } > > > > > > + rtnl_unlock(); > > > + > > > if (local->rate_ctrl) { > > > clear_bit(IEEE80211_HW_SUPPORTS_VHT_EXT_NSS_BW, hw->flags); > > > if (local->rate_ctrl->ops->capa & RATE_CTRL_CAPA_VHT_EXT_NSS_BW) > > > @@ -1254,6 +1252,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > local->sband_allocated |= BIT(band); > > > } > > > > > > + result = wiphy_register(local->hw.wiphy); > > > + if (result < 0) > > > + goto fail_wiphy_register; > > > + > > > + rtnl_lock(); > > > + > > > /* add one default STA interface if supported */ > > > if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_STATION) && > > > !ieee80211_hw_check(hw, NO_AUTO_VIF)) { > > > @@ -1293,6 +1297,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > #if defined(CONFIG_INET) || defined(CONFIG_IPV6) > > > fail_ifa: > > > #endif > > > + wiphy_unregister(local->hw.wiphy); > > > + fail_wiphy_register: > > > rtnl_lock(); > > > rate_control_deinitialize(local); > > > ieee80211_remove_interfaces(local); > > > @@ -1302,8 +1308,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) > > > ieee80211_led_exit(local); > > > destroy_workqueue(local->workqueue); > > > fail_workqueue: > > > - wiphy_unregister(local->hw.wiphy); > > > - fail_wiphy_register: > > > if (local->wiphy_ciphers_allocated) > > > kfree(local->hw.wiphy->cipher_suites); > > > kfree(local->int_scan_req); > > > @@ -1353,8 +1357,8 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw) > > > skb_queue_purge(&local->skb_queue_unreliable); > > > skb_queue_purge(&local->skb_queue_tdls_chsw); > > > > > > - destroy_workqueue(local->workqueue); > > > wiphy_unregister(local->hw.wiphy); > > > + destroy_workqueue(local->workqueue); > > > ieee80211_led_exit(local); > > > kfree(local->int_scan_req); > > > } > > > -- > > > 2.7.4 > > > > > > > > > -- > > Thanks, > > Regards, > > Chaitanya T K.