Subject: Re: [PATCH v3 1/2] wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
From: Kalle Valo
In-Reply-To: <20230425192607.18015-1-pchelkin@ispras.ru>
References: <20230425192607.18015-1-pchelkin@ispras.ru>
To: Fedor Pchelkin
Cc: Toke Høiland-Jørgensen, Fedor Pchelkin, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Senthil Balasubramanian, "John W. Linville", Vasanthakumar Thiagarajan, Sujith, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org, syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com, Hillf Danton
User-Agent: pwcli/0.1.1-git (https://github.com/kvalo/pwcli/) Python/3.11.2
Message-ID: <169271132742.680890.9212359181887346936.kvalo@kernel.org>
Date: Tue, 22 Aug 2023 13:35:29 +0000 (UTC)
X-Mailing-List: linux-kernel@vger.kernel.org

Fedor Pchelkin wrote:

> Currently, the synchronization between ath9k_wmi_cmd() and
> ath9k_wmi_ctrl_rx() is exposed to a race condition which, although being
> rather unlikely, can lead to invalid behaviour of ath9k_wmi_cmd().
>
> Consider the following scenario:
>
> CPU0                                      CPU1
>
> ath9k_wmi_cmd(...)
>   mutex_lock(&wmi->op_mutex)
>   ath9k_wmi_cmd_issue(...)
>   wait_for_completion_timeout(...)
>   ---
>   timeout
>   ---
>   /* the callback is being processed
>    * before last_seq_id became zero
>    */
>                                           ath9k_wmi_ctrl_rx(...)
>                                             spin_lock_irqsave(...)
>                                             /* wmi->last_seq_id check here
>                                              * doesn't detect timeout yet
>                                              */
>                                             spin_unlock_irqrestore(...)
>   /* last_seq_id is zeroed to
>    * indicate there was a timeout
>    */
>   wmi->last_seq_id = 0
>   mutex_unlock(&wmi->op_mutex)
>   return -ETIMEDOUT
>
> ath9k_wmi_cmd(...)
>   mutex_lock(&wmi->op_mutex)
>   /* the buffer is replaced with
>    * another one
>    */
>   wmi->cmd_rsp_buf = rsp_buf
>   wmi->cmd_rsp_len = rsp_len
>   ath9k_wmi_cmd_issue(...)
>     spin_lock_irqsave(...)
>     spin_unlock_irqrestore(...)
>   wait_for_completion_timeout(...)
>                                             /* the continuation of the
>                                              * callback left after the first
>                                              * ath9k_wmi_cmd call
>                                              */
>                                             ath9k_wmi_rsp_callback(...)
>                                               /* copying data designated
>                                                * to the already timed-out
>                                                * WMI command into an
>                                                * inappropriate wmi_cmd_buf
>                                                */
>                                               memcpy(...)
>                                               complete(&wmi->cmd_wait)
>   /* awakened by the bogus callback
>    * => invalid return result
>    */
>   mutex_unlock(&wmi->op_mutex)
>   return 0
>
> To fix this, update last_seq_id on the timeout path inside ath9k_wmi_cmd()
> under the wmi_lock. Move ath9k_wmi_rsp_callback() under wmi_lock inside
> ath9k_wmi_ctrl_rx() so that wmi->cmd_wait can be completed only for the
> initially designated wmi_cmd call; otherwise the path is rejected by the
> last_seq_id check.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Signed-off-by: Fedor Pchelkin
> Acked-by: Toke Høiland-Jørgensen
> Signed-off-by: Kalle Valo

2 patches applied to ath-next branch of ath.git, thanks.

b674fb513e2e wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
454994cfa9e4 wifi: ath9k: protect WMI command response buffer replacement with a lock

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20230425192607.18015-1-pchelkin@ispras.ru/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
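The interleaving from the quoted commit message, replayed as an added example (code written for this page, not the driver's or the patch author's). It is a userspace model that keeps the commit message's field names (last_seq_id, cmd_rsp_buf, cmd_rsp_len, wmi_lock, cmd_wait): the pre-fix rx path checks last_seq_id under the lock but runs the copy and completion after dropping it, while the post-fix path does both in one critical section and the timeout path clears last_seq_id under the same lock. Assumptions: a C11 atomic_flag stands in for the driver's spinlock, a bool for the completion, both CPUs' steps are called sequentially from one thread in the racy order, and the response buffer is registered under the lock, which is what the second applied patch's subject describes.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Userspace model of the ath9k_htc WMI handshake, written for this example
 * (not driver code). Field names follow the commit message; a C11 atomic_flag
 * stands in for wmi_lock and a bool for the cmd_wait completion. The CPU0/CPU1
 * interleaving is replayed from one thread as calls in the racy order. */
struct wmi_model {
	atomic_flag wmi_lock;
	uint16_t last_seq_id;	/* seq id of the command in flight, 0 = none */
	uint8_t *cmd_rsp_buf;	/* caller's response buffer for that command */
	size_t cmd_rsp_len;
	bool cmd_wait;		/* true once complete(&wmi->cmd_wait) ran */
};

static void wmi_lock(struct wmi_model *w) { while (atomic_flag_test_and_set(&w->wmi_lock)) ; }
static void wmi_unlock(struct wmi_model *w) { atomic_flag_clear(&w->wmi_lock); }

/* ath9k_wmi_rsp_callback(): copy into the registered buffer, then complete. */
static void rsp_callback(struct wmi_model *w, const uint8_t *data, size_t len)
{
	memcpy(w->cmd_rsp_buf, data, len < w->cmd_rsp_len ? len : w->cmd_rsp_len);
	w->cmd_wait = true;
}

/* ath9k_wmi_cmd() up to the wait: register buffer and seq id under the lock
 * (the buffer replacement under the lock is what the second patch adds). */
static void cmd_issue(struct wmi_model *w, uint16_t seq, uint8_t *buf, size_t len)
{
	wmi_lock(w);
	w->cmd_rsp_buf = buf;
	w->cmd_rsp_len = len;
	w->last_seq_id = seq;
	w->cmd_wait = false;
	wmi_unlock(w);
}

/* Timeout path of ath9k_wmi_cmd(): the fix moves the clear under wmi_lock. */
static void cmd_timeout(struct wmi_model *w, bool fixed)
{
	if (fixed) wmi_lock(w);
	w->last_seq_id = 0;
	if (fixed) wmi_unlock(w);
}

/* Pre-fix ath9k_wmi_ctrl_rx(): only the seq-id check is under wmi_lock; the
 * callback runs afterwards, so a timeout and a new command can slip in between. */
static bool ctrl_rx_check_before(struct wmi_model *w, uint16_t seq)
{
	wmi_lock(w);
	bool match = w->last_seq_id != 0 && w->last_seq_id == seq;
	wmi_unlock(w);
	return match;
}

/* Post-fix ath9k_wmi_ctrl_rx(): check and callback in one critical section. */
static bool ctrl_rx_after(struct wmi_model *w, uint16_t seq, const uint8_t *data, size_t len)
{
	bool delivered = false;
	wmi_lock(w);
	if (w->last_seq_id != 0 && w->last_seq_id == seq) {
		rsp_callback(w, data, len);
		delivered = true;
	}
	wmi_unlock(w);
	return delivered;
}

static const uint8_t rsp_a[4] = { 0xa1, 0xa2, 0xa3, 0xa4 };	/* constructed response to A (seq 1) */

/* Replay the commit message's interleaving against the pre-fix logic.
 * Returns 1 when command B is completed with command A's stale payload. */
int race_before_fix(void)
{
	struct wmi_model w = { .wmi_lock = ATOMIC_FLAG_INIT };
	uint8_t buf_a[4] = { 0 }, buf_b[4] = { 0 };
	cmd_issue(&w, 1, buf_a, sizeof buf_a);		/* CPU0: command A, waits */
	bool match = ctrl_rx_check_before(&w, 1);	/* CPU1: check passes, lock dropped */
	cmd_timeout(&w, false);				/* CPU0: A times out, -ETIMEDOUT */
	cmd_issue(&w, 2, buf_b, sizeof buf_b);		/* CPU0: command B, new buffer */
	if (match)
		rsp_callback(&w, rsp_a, sizeof rsp_a);	/* CPU1: A's data lands in B's buffer */
	return w.cmd_wait && memcmp(buf_b, rsp_a, sizeof buf_b) == 0;
}

/* Same ordering with the fix: the stale response is examined only after the
 * timeout and command B have updated last_seq_id, so it is rejected.
 * Returns 1 when B's buffer is untouched and B is not completed. */
int race_after_fix(void)
{
	struct wmi_model w = { .wmi_lock = ATOMIC_FLAG_INIT };
	uint8_t buf_a[4] = { 0 }, buf_b[4] = { 0 };
	cmd_issue(&w, 1, buf_a, sizeof buf_a);
	cmd_timeout(&w, true);
	cmd_issue(&w, 2, buf_b, sizeof buf_b);
	return !ctrl_rx_after(&w, 1, rsp_a, sizeof rsp_a) && !w.cmd_wait && buf_b[0] == 0;
}
```

race_before_fix() returns 1 because the pre-fix check and copy are two separate critical sections, so the timeout and the second command fit between them and the stale memcpy completes command B with A's bytes. race_after_fix() returns 1 because, with the check, copy and completion under one wmi_lock hold and the timeout clear under the same lock, the late response can only be looked at after last_seq_id has moved on, and the seq-id comparison drops it. The model replays one fixed interleaving; under real concurrency the same property has to hold for every ordering, which is why the fix widens the critical section rather than adding a second check.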