Received: by 2002:a25:ca44:0:0:0:0:0 with SMTP id a65csp1889792ybg; Thu, 30 Jul 2020 05:31:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw3+nALFEAaK1hxyHIC4GHwsfK5pOg+3omTnkL4ZlN5eESSk7LBnaVgkviuysTmGNTGLFid X-Received: by 2002:aa7:d6cc:: with SMTP id x12mr2525068edr.354.1596112297586; Thu, 30 Jul 2020 05:31:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596112297; cv=none; d=google.com; s=arc-20160816; b=yQGQgwAhbDM60rIeP207jjGEv5UkO8jn6TItKq8oHRCAvfvJVDQWxdk+75DhwETbNH y00g8FxMonosWy46HVgWPhXcN2UMGpYNwKIFneIdzMLxt5hxXfYABtIHwF+KCO4lVrzv RgFxqQ9oJwVbgxoX4dh7elQv/46lI/Dz23BBsVSg/W/JgfmhEOCrxe6FEegmqVb+E3u4 wYYPzUideb7LIC6qBNq1037K4j+WutISv0dxbpTBsG+RqO88qnfUh1kck0w48O7iqLqO XY+E2/7Q8Fc1zcH45+TAZTrmPdkuUys45zBEfTM/KK0HBVMfnHuupn1zsyxbz2dH0sMf KDDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:to:from:subject:message-id; bh=hoZssHIUQPlm7VHGqxzg1UpAhAxX0RL0s5jxzu0DNPs=; b=zpW+mpAeL7lHmgBrRriW8PlREVXIAwmKW8Ai2GcBn/IZvU7VK0hwlBzH6AZPovvTbA oMei9zZAchKRXC9DjTuFSgjDca01IMywo0fs5GFij1iOOMmuJ2CcM57DkGK8KtOHmB2a ZC5CA01obAiNY06KPMHMqtqPZckc5YTJY4tSs0dOfN0CmTvG2YAHIXAwFD344Xk/3U15 lgavWEY68QtiHVsikMk/nMIsLF3mfFykkjIq18GV301UafWsXSQJMtihSUjcuAID2VSc jGvppHeCihwMqtL4afeDgjga+u8Na8iWKmtJ4DtATSqrdPdclrrP1u5llemRDggjvM5K jTvw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e19si3086618ejc.215.2020.07.30.05.31.01; Thu, 30 Jul 2020 05:31:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728219AbgG3MbA (ORCPT + 99 others); Thu, 30 Jul 2020 08:31:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36920 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728197AbgG3Ma7 (ORCPT ); Thu, 30 Jul 2020 08:30:59 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6B0C2C061794 for ; Thu, 30 Jul 2020 05:30:59 -0700 (PDT) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.93) (envelope-from ) id 1k17i4-00DWCD-FG; Thu, 30 Jul 2020 14:30:56 +0200 Message-ID: Subject: Re: ax200, fw crashes, and sdata-in-driver From: Johannes Berg To: Ben Greear , "linux-wireless@vger.kernel.org" Date: Thu, 30 Jul 2020 14:30:55 +0200 In-Reply-To: (sfid-20200714_015810_768492_BCCFB763) References: (sfid-20200714_015810_768492_BCCFB763) Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.4 (3.36.4-1.fc32) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hi, > I larded up my 5.4 kernel with KASAN and lockdep, and ran some tests. This is with my > patch that keeps from busy-spinning forever (see previous ignored patch). Right, sorry, hadn't gotten to patches in a while. > After a few restarts and FW crashes, the ax200 could not recover firmware. There > were lots of sdata-in-driver errors, and then KASAN hit a use-after-free issue > related to ax200 accessing sta object that was previously deleted. > > Now, I think I know why: > > In the ieee80211_handle_reconfig_failure(struct ieee80211_local *local) > method, it will clear the SDATA_IN_DRIVER flag, and according to comments, > this is run when firmware cannot be recovered. But, just because FW is > dead does not mean that the driver itself has cleaned up its state. > > So question is, should ax200 (and all drivers) be responsible for cleaning > up all state when FW cannot be recovered, or should instead mac80211 do cleanup > in this case by, among other things, not clearing that flag (and probably > not doing the ctx->driver_present = false; config as well)? I think it should be the driver. It's not clear _why_ the driver failed, after all. If the firmware is still alive and just rejected something then perhaps rolling things back will work. But if the firmware just died again, that will just cause even more trouble. johannes