Date: Mon, 8 Aug 2022 14:10:13 +0200
Subject: Re: [PATCH] brcmfmac: fix use-after-free bug
From: Arend Van Spriel
To: Alexander Coffin
Cc: Franky Lin, Hante Meuleman, linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, SHA-cyfmac-dev-list@infineon.com
References: <20220802172823.1696680-1-alex.coffin@matician.com> <20220802172823.1696680-2-alex.coffin@matician.com>
List-ID: X-Mailing-List: linux-wireless@vger.kernel.org

On 8/8/2022 11:38 AM, Alexander Coffin wrote:
> I am resending this message as apparently it wasn't delivered to some
> people as it was an HTML message. I apologize for the double email,
> but I forgot to tell Gmail to use plain text only.
>
> Arend,
>
>> A commit message would have been nice...
>
>> If there were a commit message with some error report that proves there is a use-after-free
>
> I apologize for not including a longer commit message. I thought that
> my stack trace in my first email would be sufficient, but looking back
> I see how I should have clarified what was going wrong. What occurs is
> that line 360 of core.c
>
>> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
>
> may be entirely completed (as in not only scheduled, but also the
> entire transaction may have completed) by the time that `skb->len` is
> invoked, which means that skb will have been freed by the corresponding
> later function (in this case brcmu_pkt_buf_free_skb, if you see the
> trace from my first email).
>
>> We only get here when ret is zero.
>
> Therefore this error only occurs when ret is zero, but skb may have
> been freed after line 360 and before that line (369) if how the
> kernel schedules tasks is very unfavorable.
>
>> ndev->stats.tx_bytes += skb->len;
>
> Please let me know if you need any further information.

Not sure I've seen your first email. It is better to have it all in the
patch so it is clear the patch solves an actual observed failure. So if
you can dig up that stack trace and add it to the patch I will be happy
to acknowledge the patch so it can be taken upstream.

Regards,
Arend
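The race described in the thread, as an added example that is not part of the mail or of the brcmfmac driver: a stand-in transmit path hands the skb to a queueing routine that may complete and free it before returning, shown with the accounting pattern from the report beside a hardened form that snapshots the length before the hand-off. All struct and function names here are stand-ins, not the driver's; the stand-in free routine scrubs the fields instead of calling free() so the stale read stays observable without undefined behaviour.

```c
/* Minimal stand-in for the kernel's sk_buff: only the field the report involves,
   plus a flag set by the stand-in free routine. */
struct skb { unsigned int len; int freed; };

/* Per-netdev TX counters, mirroring ndev->stats in the mail. */
struct net_stats { unsigned long tx_packets, tx_bytes; };

/* Stand-in for brcmu_pkt_buf_free_skb(): marks the buffer freed and scrubs
   its fields rather than calling free(), so a stale read yields 0 instead of UB. */
static void pkt_buf_free_skb(struct skb *skb)
{
    skb->len = 0;
    skb->freed = 1;
}

/* Stand-in for brcmf_proto_tx_queue_data(): takes ownership of the skb. When
   the transmit completes before this returns (the unfavourable scheduling the
   mail describes), the skb is already freed by the time the caller sees ret. */
static int proto_tx_queue_data(struct skb *skb, int completes_before_return)
{
    if (completes_before_return)
        pkt_buf_free_skb(skb);
    return 0;   /* 0 == queued successfully, the only path that does accounting */
}

/* Pattern from the report: skb->len is read after ownership was handed off. */
static int xmit_buggy(struct net_stats *st, struct skb *skb, int race)
{
    int ret = proto_tx_queue_data(skb, race);
    if (ret == 0) {
        st->tx_packets++;
        st->tx_bytes += skb->len;   /* stale read when the race fires */
    }
    return ret;
}

/* Hardened pattern: capture everything accounting needs while we still own
   the skb, then never touch it again after the hand-off. */
static int xmit_fixed(struct net_stats *st, struct skb *skb, int race)
{
    unsigned int len = skb->len;    /* snapshot taken before ownership moves */
    int ret = proto_tx_queue_data(skb, race);
    if (ret == 0) {
        st->tx_packets++;
        st->tx_bytes += len;
    }
    return ret;
}
```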