Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp213192imw; Mon, 4 Jul 2022 07:56:47 -0700 (PDT) X-Google-Smtp-Source: AGRyM1s+PBI9DSBQ3DEaHMDossudiK8vFo46ApqMIc5MemLYyl1HruwXExjpOa5yIao4hS6QeTFl X-Received: by 2002:a17:906:118:b0:715:771b:251b with SMTP id 24-20020a170906011800b00715771b251bmr28642019eje.651.1656946607374; Mon, 04 Jul 2022 07:56:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1656946607; cv=none; d=google.com; s=arc-20160816; b=zZQPjGW0NO9Q/2IvjD5bhLP5csghtgnaHF7qLpPHXompWjqm94L+FXPsLQCW9RqyBN ABbEpJXqzEGTd6dUD9hMi/qu5al+EUtuwqpBfqIT8N0Nip003LIlhM1woDkUw74OrbpG VSdIJcw2eNGAE1eqwz/Nyq1rjiKdC1Ha966GbSE0rn3iNiOoKgfiyHHcJAgqkoaRdNHg FDCi+e9WwwpLAlaEGhqUO+kBoeYJw8iaPsPtHtUeLwCBiH5C0mWnePAntRfwePNj1CH1 KDnY3jxOrX4oqeSXw1OGeBeFlje8tk3Gx6H4E+4lMR152dPIpI2IFw3gjfY/L4A3qHsW cnWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :feedback-id:references:in-reply-to:message-id:subject:reply-to:cc :from:to:dkim-signature:date; bh=qk9SiVpkMaduwZpslx/4koc6GmdL5SSiZUS9Q31vCy0=; b=W/xBYs+Ct09gED4eOy3FYLudq5Z2dRvMqg0H0hxOW8JZAuZTr976eG87BIuDZv7pBs NWnH3Nfr45XV4dWEKwEOJ5MCUDUOCpT9iVk4sBMqjhZdc0tgyGwUDJcc7911xghu7WdS 7oKQPj/XtwD9+01cjedCB7Hm4AeJB5xaSkWK8RocDeasFQ95GNeRgA+zq95RkWu0Wck6 5vMuqq9Fi1G7JamAx4xSLMtEl5puoVgOM19EGSYSY7CJSY9sgrbZ54zAdOWHr4So+8DZ N72fnyiUbLHxPxn/cWB/y9+TtR6JUX2+YzaAvWRH0yRDboFcrfZgqHnwVHcyhKqysKJL GfUg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@dannyvanheumen.nl header.s=protonmail2 header.b=Sqt+RKtg; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=dannyvanheumen.nl Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hp21-20020a1709073e1500b007262c51b07dsi12740956ejc.724.2022.07.04.07.56.30; Mon, 04 Jul 2022 07:56:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@dannyvanheumen.nl header.s=protonmail2 header.b=Sqt+RKtg; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=dannyvanheumen.nl Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233235AbiGDOtz (ORCPT + 66 others); Mon, 4 Jul 2022 10:49:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46672 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230100AbiGDOty (ORCPT ); Mon, 4 Jul 2022 10:49:54 -0400 Received: from mail-4317.proton.ch (mail-4317.proton.ch [185.70.43.17]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C716BBE0 for ; Mon, 4 Jul 2022 07:49:52 -0700 (PDT) Date: Mon, 04 Jul 2022 14:49:43 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dannyvanheumen.nl; s=protonmail2; t=1656946190; x=1657205390; bh=qk9SiVpkMaduwZpslx/4koc6GmdL5SSiZUS9Q31vCy0=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=Sqt+RKtgYhcZhjHFDiUmsNaBC/8XIlrJjD/SVIxLx5D9j+2cbm+mjw4tZoiFseY8Q mJXtVh2jl5TciRwXPdMNeU+Et4z1mGdr4vGMuUPqwWe/HEr/KxfOtappCV2o50YFIu BRzwjMkuf+3/KCitRWgzBMh+xs0+ZUwbZStifYTuQr+MXwvobN/GoTjO2uD1nTtXUi jyXNYoAIXxTxWd7WGrU1vCHIZQZnlq/ePEtzPUJlgHL+3AUtY/bV6jhKbhD3Scgu3J s8aIastOpP31oNnD9m+tb3TdKRdMtv3kiBT9yM8+rJaR+NMVoBA3o/eSh1tBJdPKOj IivhroVJJE1qg== To: Arend Van Spriel From: Danny van Heumen Cc: "linux-wireless@vger.kernel.org" , Franky Lin , Hante Meuleman , "ulf.hansson@linaro.org" Reply-To: Danny van Heumen Subject: Re: [PATCH v4] brcmfmac: prevent double-free on hardware-reset Message-ID: In-Reply-To: References: Feedback-ID: 15073070:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hi Arend, ------- Original Message ------- On Monday, July 4th, 2022 at 11:43, Arend Van Spriel wr= ote: > [..] > > It is good practice to throw in a changelog here so people know what has > changed since earlier version of the patch. That's fair enough. The commit message is updated. Changes compared to v3: - brcmf_sdiod_remove(..) disables functions in reverse order. It also claim= s 'func2' when disabling 'func2'. However, operations on 'func2' are always performed after claiming 'func1'. So this corrects mistake that deviates from convention. - furthermore, following feedback from the kernel, irq is released for each individual function, but only func1 performs removal operations. This prevents the ordering issue from occurring. > --- > > > .../broadcom/brcm80211/brcmfmac/bcmsdh.c | 31 ++++++++++++------- > > .../broadcom/brcm80211/brcmfmac/sdio.c | 10 +----- > > 2 files changed, 21 insertions(+), 20 deletions(-) > > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c = b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c > > index ac02244a6fdf..dd634edaa0b3 100644 > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c > > > [...] > > > @@ -1096,12 +1093,24 @@ static void brcmf_ops_sdio_remove(struct sdio_f= unc *func) > > if (bus_if) { > > sdiodev =3D bus_if->bus_priv.sdio; > > > > + if (func->num !=3D 1) { > > + /* Satisfy kernel expectation that the irq is released once the > > + * '.remove' callback has executed, while respecting the design > > + * that removal is executed for 'sdiodev', instead of individual > > + * function. > > + / > > + brcmf_dbg(SDIO, "Only release irq for function %d", func->num); > > + sdio_claim_host(sdiodev->func1); > > + sdio_release_irq(func); > > + sdio_release_host(sdiodev->func1); > > + return; > > + } > > + > > + / func 1: so do full clean-up and removal */ > > + > > > The problem is that upon driver unload we get remove for function 2 and > then for function 1. Upon mmc_hw_reset() we get a remove for function 1 > and then for function 2. So in the scenario of mmc_hw_reset() we free > sdiodev upon func 1 removal and then for func 2 removal we have a > use-after-free of sdiodev. I understood this. I recognize the different orders. However, there is a false assumption regarding double-freeing. The removal logic in 'brcmf_ops_sdio_remove' is conditional on function number. Little is done for any function that is not `func->num =3D=3D 1`. The proposed patch V4 fi= ne- tunes this behavior slightly. In this fine-tuning it mostly (completely) negates order differences. > The code currently relies on the order in > which remove callback is done. To make it more robust we could throw in > a refcount for sdiodev and only do the full clean-up when refcount hits > zero. Am I missing something else, maybe? If not, I think I have your concerns covered. Note that I have (and am) testing this patch on my own system. So far without issue. I have run a script that resets the mmc device every 90 seconds to see if repeated use would cause issues. So far without issues. Regards, Danny