Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1556979yba; Thu, 25 Apr 2019 01:39:29 -0700 (PDT) X-Google-Smtp-Source: APXvYqwudQOO6zX9XhDiHgBMa5Ge96ILn4cp8mrVKnPMRl+bN29iQPkeNUgcEmT8T//x0KbnEs4w X-Received: by 2002:a62:e315:: with SMTP id g21mr39640034pfh.2.1556181569801; Thu, 25 Apr 2019 01:39:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556181569; cv=none; d=google.com; s=arc-20160816; b=ZP4PA7ECAiNWOykfBOSsE4LC53D0v3/cAz+h4d0sj0qRO2fI/Q4oJ3UZLTK2SbIUpR nHHB764wI6KRAJweTbJKwz9hAv13CIsxbLQ6fwQUlZUMsfc/YrKB3C8ya+rEcG7Fm40q dCRL80Z+3+ziuDRX4rsElNhT4mcT1xDqpmVeOqU2uJP6CyGXqql2aqueFUaDYdfS9vmZ 4TfxQru9/xIDQP1dTs/MoClAPZtX8+yKdQZocCC8m3DqK8sZjOre9+w8IrBVKtta6EcH X4BfTxnRMo6J/lyAKtIDOYYmf+cJXClwjbam0yAgsObOd3qcmTZJf/oFG8W/O1pMmnmZ bdzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=pZcr2YNCl8TcWNGw6ntjPqDUENWVzR6c52NG4J3TN88=; b=j4unFMUWPEM1ICbT2lLaQZWTYU3A2rh2o7frBXkRENRdC/kQTH2VUwIKKaO9ohP7Gj LnM+S6fGNMhqcFyy5TNdx2Upi5iSiy6iobcHj/FMQS4d1yqhmPI/s2BDYpto6JDXoooO ulwapQpg1Dj1xD/W5ILv5bmqGiqjnIo3qxIaZvOweUTA1VDAgCCr+1EQR47LcCPzF9FA WUBs4RGlbTe7TOa9xqQRIgV06w61rAVE2iWlDD+7s5G/PDAfEZ7b8gIp3vjU2FtWFGvY nQqxPKCsG04IjxMQLjO4dbcFtLkwolZj2tQX87EaSVtD89nQpFqgrz4dZlHcTJaajixU r3wA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@broadcom.com header.s=google header.b=VcArmuk3; spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k72si20514721pgc.362.2019.04.25.01.39.14; Thu, 25 Apr 2019 01:39:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@broadcom.com header.s=google header.b=VcArmuk3; spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=broadcom.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730116AbfDYHRv (ORCPT + 99 others); Thu, 25 Apr 2019 03:17:51 -0400 Received: from mail-ed1-f68.google.com ([209.85.208.68]:41689 "EHLO mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729910AbfDYHRv (ORCPT ); Thu, 25 Apr 2019 03:17:51 -0400 Received: by mail-ed1-f68.google.com with SMTP id m4so45474edd.8 for ; Thu, 25 Apr 2019 00:17:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=pZcr2YNCl8TcWNGw6ntjPqDUENWVzR6c52NG4J3TN88=; b=VcArmuk31uf/hSt/PsvJ849U53opjThVlbZfnqQ5c4bZYsF61QiHPHHhqKGOnC9hvO pkSw9SSP2vM9YPBrX3NUDgUabxcwzPz4Wv0V5LmzYZDesLSF/RFo+AAzf9g9F1G+Qr8c A6GjPj/MBAOFbmVX8jMVh1bQ1lBvEC29pfxWQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=pZcr2YNCl8TcWNGw6ntjPqDUENWVzR6c52NG4J3TN88=; b=Evp29mnv9AHYNTnN+rk2WHitr++AjADv0lcPgnyvOCg9EMc/KvfetIsj6ZjZy8jRdT 5vpEdyBuVQQb8KdZ+LUO2bztmJF1UM5IXeLpMWHyiIF5OAb/+GRclaI9YaXL2UxGx3T0 83+Cydr4QdYY9MowcI7iiA2rhhkb+oYI3duyc8/ce57a2UOOOSIZzWo//EbRIZQyJMoC u0y0SbyXemCjsnbA9dg03puQfgv+VNZAA3OzBXcOvrRYc+C4DUAqmVxtXoI4C32ywSRV QCXNXZS/5h5IIagXuinxIAz+0ezusWeHiLhmQioQp8gquvQeJ2Ggssy5r4haCCox/XQA AJ+Q== X-Gm-Message-State: APjAAAXdtnaLV6nhld//IpAcdfCSh6Kj6Uw2I36iA2J1/aJMPsoyvCsl NypHhhv3QNk3IXJ/zk/b4lCFLA== X-Received: by 2002:a05:6402:691:: with SMTP id f17mr15349450edy.50.1556176669564; Thu, 25 Apr 2019 00:17:49 -0700 (PDT) Received: from [192.168.178.129] (f140230.upc-f.chello.nl. [80.56.140.230]) by smtp.gmail.com with ESMTPSA id s56sm351669edd.35.2019.04.25.00.17.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 25 Apr 2019 00:17:48 -0700 (PDT) Subject: Re: brcmfmac: NULL pointer dereference during brcmf_detach() after firmware crash To: =?UTF-8?B?UmFmYcWCIE1pxYJlY2tp?= Cc: "linux-wireless@vger.kernel.org" , "open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER" , "open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER" , brcm80211-dev-list@cypress.com, Aaron Blair References: <16ea722f-e08d-044f-216c-4ea745cc6344@broadcom.com> From: Arend Van Spriel Message-ID: Date: Thu, 25 Apr 2019 09:17:48 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On 4/18/2019 1:55 PM, Rafał Miłecki wrote: > On Fri, 15 Feb 2019 at 07:15, Rafał Miłecki wrote: >> On Thu, 14 Feb 2019 at 23:37, Arend Van Spriel >> wrote: >>> On 2/14/2019 11:30 PM, Rafał Miłecki wrote: >>>> I've just found a well reproducible brcmfmac crash (NULL pointer >>>> dereference). >>>> >>>> Steps: >>>> 1. Wait for or trigger a FullMAC firmware crash >>>> 2. Wait for some skb to get queued on a flowring >>>> 3. Call rmmod brcmfmac >>>> >>>> Problem: >>>> There is a NULL pointer dereference in one of the brcmf_detach() calls. >>>> >>>> Explanation: >>>> brcmf_detach() first frees all "ifp"s and then deletes flowrings. If any >>>> flowring has a skb it results in calling brcmf_txfinalize() which tries >>>> to access "ifp" (struct brcmf_if) which is a NULL. >>> >>> Hi Rafał, >>> >>> Thanks for diving in. That was my suspicion. Does it mean you are >>> working on a patch or shall I take care of it. >> >> It would be nice to have someone more experienced with detaching & >> rings look at it. Is adding a simple >> if (ifp) >> enough? Or should that code get redesigned? Should we e.g. reorder detach order? > > Hi Arend, would you find a moment to look at that crash, please? Hi Rafał, Sorry for getting back on this so late. The driver tries to gracefully teardown stuff by sending firmware commands to the device. I think that makes no sense as that level of communication is not possible once our driver .remove() callback is called. So I think upon calling brcmf_detach() we should cleanup everything bottom-up. I will rework the code and see how that goes. Thanks, Arend