Date: Fri, 03 Jun 2022 18:39:02 +0000
From: Danny van Heumen
To: Arend van Spriel, Franky Lin, Hante Meuleman, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com
Subject: Re: [PATCH] work-in-progress: double-free after hardware reset due to firmware-crash
List-ID: linux-wireless@vger.kernel.org

Hi,

------- Original Message -------
On Monday, May 30th, 2022 at 19:59, Danny van Heumen wrote:

> Hi all,
>
> I'd like to follow up with an updated patch. I had another look at the code. I think the
> following proposal may correct the control flow to prevent the double-free from happening
> in the first place.
>
> Again, I would appreciate any feedback you might have, as I have little experience in this
> area. A stacktrace is present in the commit message, in case you are looking for extra data
> that demonstrates the issue.

Could someone follow up on this? I have not received any response, so it is not clear to me if the patch is the issue, or whether it is something else. I am running these changes on my Pinebook Pro laptop, so far without issue.

Thanks in advance,
Danny

> [..]
>
> ------- Original Message -------
> On Tuesday, May 24th, 2022 at 18:51, Danny van Heumen danny@dannyvanheumen.nl wrote:
>
> >
> > Dear all,
> >
> > I am not a regular C developer nor kernel developer. I don't regularly report issues, so I will probably do things wrong.
> >
> > I investigated a crash that IIUC occurs with hardened memory allocation enabled and a firmware-crash followed by an early failure during hardware reinitialization/probing. The hardened allocator detects a double-free issue.
> >
> > I have created the patch (see attachment) against linux-5.18. Though, please check carefully, because I have not been able to confirm that it actually works. I am hoping someone familiar with the code-base can either test this easily, or confirm from review/analysis.
> >
> > The commit message describes it in more detail. In summary: 'brcmf_sdio_bus_reset' cleans up and reinitializes the hardware. It frees memory used by (struct brcmf_sdio_dev)->freezer (struct brcmf_sdiod_freezer). However, it then goes to probe the hardware, and an early failure to probe results in the same freeing, both called through function 'brcmf_sdiod_freezer_detach' called inside 'brcmf_sdiod_remove', which results in double freeing.
> >
> > As mentioned before, I was not able to test this and I do not regularly develop in C. I am not confident that this is the proper way to fix it, but it seemed obvious enough. I hope you can support in fixing this bug.
> >
> > Kind regards,
> > Danny
> >
> > PS: Please let me know if I am doing things wrong. I have included both maintainers and mailing lists from https://docs.kernel.org/process/maintainers.html#broadcom-brcm80211-ieee802-11n-wireless-driver I hope this is alright.
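The reset / early-probe-failure / remove ordering described in the quoted report, modelled as a stand-alone userspace C program. This is an added example, not brcmfmac code and not the attached patch: the struct and function names (sdiodev, sdiod_freezer_detach, sdiod_remove, sdiod_probe, bus_reset_double_frees) are simplified stand-ins for the kernel functions the e-mail names, the one-slot tracking allocator is an assumption that stands in for what a hardened allocator or KASAN reports, and the null_on_detach flag is one common remedy (clear the pointer after freeing and make detach idempotent), chosen here for illustration rather than taken from the patch, whose content is not on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct freezer { int refcount; };	/* stand-in; the contents do not matter here */

/* One-slot tracking allocator (assumption: enough for this model).
 * Remembers the address of the last freezer handed out and whether it is
 * still live, so a second release of the same address is counted instead
 * of being handed to free() again, which would be undefined behaviour. */
static uintptr_t tracked_addr;
static bool tracked_live;
static int double_free_count;

static struct freezer *freezer_alloc(void)
{
	struct freezer *f = malloc(sizeof(*f));
	tracked_addr = (uintptr_t)f;
	tracked_live = (f != NULL);
	return f;
}

static void freezer_free(struct freezer *f)
{
	if (!f)
		return;
	if ((uintptr_t)f == tracked_addr) {
		if (!tracked_live) {
			double_free_count++;	/* what a hardened allocator would report */
			return;
		}
		tracked_live = false;
	}
	free(f);
}

struct sdiodev {
	struct freezer *freezer;
	bool null_on_detach;	/* hypothetical fix under test, not the patch */
};

/* Models brcmf_sdiod_freezer_detach() from the e-mail: releases the freezer. */
static void sdiod_freezer_detach(struct sdiodev *dev)
{
	if (dev->null_on_detach && !dev->freezer)
		return;			/* already detached: nothing to do */
	freezer_free(dev->freezer);
	if (dev->null_on_detach)
		dev->freezer = NULL;	/* drop ownership so a repeat call is a no-op */
	/* without the fix the stale pointer stays behind in dev->freezer */
}

/* Models brcmf_sdiod_remove(): full teardown, which detaches the freezer. */
static void sdiod_remove(struct sdiodev *dev)
{
	sdiod_freezer_detach(dev);
}

/* Models the re-probe half of the reset: on an early failure, before a new
 * freezer has been attached, the error path runs the remove routine. */
static int sdiod_probe(struct sdiodev *dev, bool fail_early)
{
	if (fail_early) {
		sdiod_remove(dev);
		return -1;
	}
	dev->freezer = freezer_alloc();
	return dev->freezer ? 0 : -1;
}

/* Runs cleanup then re-probe, as the e-mail describes for brcmf_sdio_bus_reset,
 * and returns how many double-frees the tracking allocator observed. */
int bus_reset_double_frees(bool fix_enabled, bool probe_fails)
{
	struct sdiodev dev = {
		.freezer = freezer_alloc(),
		.null_on_detach = fix_enabled,
	};
	int rc;

	double_free_count = 0;
	sdiod_freezer_detach(&dev);		/* cleanup half of the reset */
	rc = sdiod_probe(&dev, probe_fails);	/* re-initialisation half */
	if (rc == 0)
		sdiod_remove(&dev);		/* normal teardown after a good probe */
	return double_free_count;
}

int main(void)
{
	printf("no fix, probe fails: %d double-free(s)\n", bus_reset_double_frees(false, true));
	printf("fix,    probe fails: %d double-free(s)\n", bus_reset_double_frees(true, true));
	printf("no fix, probe ok   : %d double-free(s)\n", bus_reset_double_frees(false, false));
	return 0;
}
```

The only sequence that trips the tracker is the unfixed one with an early probe failure: the cleanup half releases the freezer, the failed probe's error path runs remove, and remove detaches the same, already released, freezer a second time. The fixed detach either clears the pointer it freed or returns when there is nothing to free, so the remove-on-failure path becomes harmless; a successful re-probe never double-frees in either variant because it attaches a fresh freezer before teardown.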