Date: Mon, 24 Apr 2023 22:11:58 +0300
From: Fedor Pchelkin
To: Toke Høiland-Jørgensen, Kalle Valo
Cc: Kalle Valo, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Senthil Balasubramanian, "John W. Linville", Vasanthakumar Thiagarajan, Sujith, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org, syzbot+df61b36319e045c00a08@syzkaller.appspotmail.com
Subject: Re: [PATCH 2/3] wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
Message-ID: <20230424191158.iebfqubeanurdabk@fpc>
References: <20230315202112.163012-1-pchelkin@ispras.ru> <20230315202112.163012-3-pchelkin@ispras.ru>
In-Reply-To: <20230315202112.163012-3-pchelkin@ispras.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

This problem is really subtle, I suppose. In the v2 commit info, which I'll send in the next mail, the race condition that can lead to invalid behaviour is described. I couldn't reproduce that particular problem on real hardware, but if I force timeouts on wmi cmd completions, local KMSAN catches some uninit values.

The synchronization between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx on timeouts is good, especially after 8a2f35b98306 ("wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()"). And I think the only place where the fuzzer can provoke failure is when wmi->last_seq_id in the callback is checked before it is assigned zero inside ath9k_wmi_cmd() during timeout exit. This scenario is more thoroughly described in patch v2.

Well, the issue seems to be rare and I don't know how to properly test it on real hardware. I've made some checks on a basic driver workflow, and there weren't any stalls or explicit failures, and the patch seems to close that tiny race condition window.
But, anyway, it requires more discussion.
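The check-before-clear window described in the mail above, as an added example that is not part of the original message or of the ath9k driver: a small pthreads model in which a command issuer publishes a sequence id together with a caller-owned reply buffer, gives up on timeout, and a callback matches on the id and copies the reply into that buffer. The struct and function names, the sequencer that forces one exact interleaving, and the reply bytes are hypothetical constructs for the demonstration. The racy variant drops the lock between the match check and the copy; the other variant holds the lock across both, so the timeout path cannot clear the id and leave until the callback is done with the buffer.

```c
/* Added example (not ath9k code): pthreads model of the check-then-use window
 * between a timing-out WMI command issuer and the reply callback.
 * Build with: cc -pthread race_model.c */
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RC_TIMEDOUT (-110)

/* Hypothetical sequencer: forces one exact interleaving deterministically. */
struct sequencer { pthread_mutex_t m; pthread_cond_t c; int step; };

static void seq_wait(struct sequencer *s, int step)
{
    pthread_mutex_lock(&s->m);
    while (s->step < step)
        pthread_cond_wait(&s->c, &s->m);
    pthread_mutex_unlock(&s->m);
}

static void seq_next(struct sequencer *s)
{
    pthread_mutex_lock(&s->m);
    s->step++;
    pthread_cond_broadcast(&s->c);
    pthread_mutex_unlock(&s->m);
}

/* Shared state between the command issuer and the rx callback (model only). */
struct wmi_model {
    pthread_mutex_t lock;
    uint16_t last_seq_id;    /* 0 = no command in flight */
    uint8_t *rsp_buf;        /* caller-owned; dead once wmi_cmd() returns */
    size_t rsp_len;
    bool atomic_cb;          /* true: check and copy under one lock hold */
    bool caller_returned;    /* instrumentation: wmi_cmd() has left */
    bool wrote_after_return; /* instrumentation: callback used a dead buffer */
    struct sequencer sq;
};

/* Issuer: publish seq id and buffer, wait for the reply, give up on timeout. */
static int wmi_cmd(struct wmi_model *w, uint16_t seq, uint8_t *buf, size_t len)
{
    pthread_mutex_lock(&w->lock);
    w->last_seq_id = seq;
    w->rsp_buf = buf;
    w->rsp_len = len;
    pthread_mutex_unlock(&w->lock);
    seq_next(&w->sq);     /* step 1: command in flight */
    seq_wait(&w->sq, 2);  /* the wait "expires" right after the callback checked */

    /* Timeout exit: forget the command, then return (buf goes out of scope). */
    pthread_mutex_lock(&w->lock);
    w->last_seq_id = 0;
    w->rsp_buf = NULL;
    w->caller_returned = true;
    pthread_mutex_unlock(&w->lock);
    seq_next(&w->sq);     /* step 3 */
    return RC_TIMEDOUT;
}

/* Callback: deliver the reply if its seq id matches the in-flight command. */
static void wmi_ctrl_rx(struct wmi_model *w, uint16_t seq,
                        const uint8_t *data, size_t len)
{
    seq_wait(&w->sq, 1);
    pthread_mutex_lock(&w->lock);
    bool match = (w->last_seq_id == seq);
    uint8_t *dst = w->rsp_buf;
    size_t n = len < w->rsp_len ? len : w->rsp_len;
    if (!w->atomic_cb)
        pthread_mutex_unlock(&w->lock); /* racy: lock dropped between check and use */
    seq_next(&w->sq);                   /* step 2: checked; let the timeout fire */
    if (match) {
        if (!w->atomic_cb)
            seq_wait(&w->sq, 3);        /* racy: the copy lands after wmi_cmd() left */
        if (w->caller_returned)
            w->wrote_after_return = true; /* driver analogue: write into a dead stack frame */
        else
            memcpy(dst, data, n);
    }
    if (w->atomic_cb)
        pthread_mutex_unlock(&w->lock);
}

struct thread_args { struct wmi_model *w; uint8_t *buf; size_t len; int rc; };

static void *issuer_main(void *p)
{
    struct thread_args *a = p;
    a->rc = wmi_cmd(a->w, 0x1234, a->buf, a->len);
    return NULL;
}

static void *rx_main(void *p)
{
    struct thread_args *a = p;
    static const uint8_t reply[4] = { 0xAB, 0xCD, 0xEF, 0x01 }; /* constructed reply */
    wmi_ctrl_rx(a->w, 0x1234, reply, sizeof reply);
    return NULL;
}

/* Runs one command/reply pair; returns true if the callback touched the
 * caller's buffer after wmi_cmd() had already returned. */
bool simulate(bool atomic_cb, uint8_t *buf, size_t len)
{
    struct wmi_model w = { .atomic_cb = atomic_cb };
    pthread_mutex_init(&w.lock, NULL);
    pthread_mutex_init(&w.sq.m, NULL);
    pthread_cond_init(&w.sq.c, NULL);
    struct thread_args a = { &w, buf, len, 0 };
    pthread_t ti, tr;
    pthread_create(&tr, NULL, rx_main, &a);
    pthread_create(&ti, NULL, issuer_main, &a);
    pthread_join(ti, NULL);
    pthread_join(tr, NULL);
    pthread_cond_destroy(&w.sq.c);
    pthread_mutex_destroy(&w.sq.m);
    pthread_mutex_destroy(&w.lock);
    return w.wrote_after_return;
}
```

In the racy run the callback's copy is performed after wmi_cmd() has returned, which is the moment at which a real driver would be writing into a stack frame that no longer exists. With the lock held across the check and the copy, the issuer's timeout path blocks on that lock, so last_seq_id is zeroed only after the callback has finished using the still-valid buffer; wmi_cmd() still reports the timeout, but nothing is written to dead memory.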