Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp2771502rdd; Sat, 13 Jan 2024 01:01:00 -0800 (PST) X-Google-Smtp-Source: AGHT+IGVwyMMXHHes3nnqOY3WESFvsqHuLaew9qJnobiVXQMbbTbH9qZd+cTQKnj4x2W7rMyIXAG X-Received: by 2002:a05:6512:551:b0:50e:75fc:35be with SMTP id h17-20020a056512055100b0050e75fc35bemr1263898lfl.90.1705136459931; Sat, 13 Jan 2024 01:00:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1705136459; cv=none; d=google.com; s=arc-20160816; b=PymzFx4Amhknli4pAkHIjyP8PPpTdKZ03YO5OQTymZ8r5Evpg//IoeGiIVwd+7hFH0 1xnw+PMb8hxm1nALUIIuCP8HLkbQcqmNjtEPXiuLs88n0bt7iQJi30HilwLXdQ37Xb1l 2y4L/npsh+1dWiw1Mhp4AHh+oO8Z2NA/zmqC1udqxlwvjTKGdk+QBjp3fBGBB6X84wLM jxCF0Pt4kjMlfUf/ehSiLP1onqqZPMIIok2CfqV+Yb/4l9LENlii8tKaRCb1ymnHKaGw pIaNAzXy0C+5T1bppaPNzG8OAiayaAkRelkDBDudPT9A5ZKmsUSPfP/7mtndOWQi6IKc LyUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :message-id:date:subject:cc:to:from:dkim-signature; bh=jUpRoMwXiMcq+F1SDXQGYUVejYi/UalmN4jhxJyXTww=; fh=lYH76K+Y47kS3o3IDIDIdk0o/qqp7AOiJuMkcs2/OaM=; b=wKdjGxrFGhKAVJfz4tnhMvSbLsG1VtcYVWQ682utVC2ilNjAq0btlZJ/+YR3vLGXFH uH2cQgYauImgm+GwvF1LH1x1L0XPVFFz1km41c1MJjEvSa4a5PI6SeiF2GuK2SD6bjFS fXbJJMksF0//yfbtAVJQC36QTgTlgBrMwjtCS4BqwwKntPMQzQn8G3odr6WtUdz9nghU LzjISuZhnMujJO+4nczA0/LR2psuWTGdfZl+xipImwNxVTv5dxgBKC/mcNq0/7jAFTt1 0urGnhlmrEiucKhlEUW0asLzXa/i4QaU48n/nnJwPg2+pO7zCTGVdERsH8ZgfCgDmFmB /3+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=u3Y3RCuK; spf=pass (google.com: domain of linux-wireless+bounces-1872-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-wireless+bounces-1872-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id s8-20020a1709060c0800b00a2b1e8df684si2124512ejf.806.2024.01.13.01.00.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 13 Jan 2024 01:00:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-1872-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=u3Y3RCuK; spf=pass (google.com: domain of linux-wireless+bounces-1872-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-wireless+bounces-1872-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id A69EE1F22067 for ; Sat, 13 Jan 2024 09:00:59 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C00D5A38; Sat, 13 Jan 2024 09:00:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b="u3Y3RCuK" X-Original-To: linux-wireless@vger.kernel.org Received: from mailgw01.mediatek.com (unknown [60.244.123.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D63D07E8 for ; Sat, 13 Jan 2024 09:00:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mediatek.com X-UUID: 38a018b6b1f211ee9e680517dc993faa-20240113 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=jUpRoMwXiMcq+F1SDXQGYUVejYi/UalmN4jhxJyXTww=; b=u3Y3RCuKfj+geE0kVp42OZ3QJ0/vbcSK+UW+zz8V4T4b39coQDqrhBBPDq9foYo89eSRim39rDL9uNbLSyiIcBJDo66ERO57e6UIYRq8THRtn8Gc4f5j08L5luPYqqTGy8SkguoWMBlkqFdOdbc0r9vCqKqMLWQ19nYojNfB0B8=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.35,REQID:f1ba8b34-dd5a-43e7-8d88-60d4abd0e7f4,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTIO N:release,TS:-25 X-CID-META: VersionHash:5d391d7,CLOUDID:98e9348e-e2c0-40b0-a8fe-7c7e47299109,B ulkID:nil,BulkQuantity:0,Recheck:0,SF:102,TC:nil,Content:0,EDM:-3,IP:nil,U RL:1,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,AV:0,LES:1,SPR:NO, DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR,TF_CID_SPAM_ULS X-UUID: 38a018b6b1f211ee9e680517dc993faa-20240113 Received: from mtkmbs10n1.mediatek.inc [(172.21.101.34)] by mailgw01.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 1456607307; Sat, 13 Jan 2024 17:00:38 +0800 Received: from mtkmbs11n1.mediatek.inc (172.21.101.185) by mtkmbs11n1.mediatek.inc (172.21.101.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sat, 13 Jan 2024 17:00:37 +0800 Received: from mtksdccf07.mediatek.inc (172.21.84.99) by mtkmbs11n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sat, 13 Jan 2024 17:00:37 +0800 From: Deren Wu To: Felix Fietkau , Lorenzo Bianconi CC: Sean Wang , Soul Huang , Ming Yen Hsieh , Leon Yen , Eric-SY Chang , KM Lin , Robin Chiu , CH Yeh , Posh Sun , Quan Zhou , Ryder Lee , Shayne Chen , linux-wireless , linux-mediatek , Deren Wu Subject: [PATCH 1/2] wifi: mt76: mt7921e: fix use-after-free in free_irq() Date: Sat, 13 Jan 2024 17:00:22 +0800 Message-ID: <572d6af305a09fc8bdd96a8ee57399039803a2bb.1705135817.git.deren.wu@mediatek.com> X-Mailer: git-send-email 2.18.0 Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain X-MTK: N From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore. BUG: KASAN: use-after-free in mt7921_irq_handler+0xd8/0x100 [mt7921e] Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115 CPU: 28 PID: 11115 Comm: rmmod Tainted: G W L 5.17.0 #10 Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024 Call Trace: dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x1f/0x190 ? mt7921_irq_handler+0xd8/0x100 [mt7921e] ? mt7921_irq_handler+0xd8/0x100 [mt7921e] kasan_report.cold+0x7f/0x11b ? mt7921_irq_handler+0xd8/0x100 [mt7921e] mt7921_irq_handler+0xd8/0x100 [mt7921e] free_irq+0x627/0xaa0 devm_free_irq+0x94/0xd0 ? devm_request_any_context_irq+0x160/0x160 ? kobject_put+0x18d/0x4a0 mt7921_pci_remove+0x153/0x190 [mt7921e] pci_device_remove+0xa2/0x1d0 __device_release_driver+0x346/0x6e0 driver_detach+0x1ef/0x2c0 bus_remove_driver+0xe7/0x2d0 ? __check_object_size+0x57/0x310 pci_unregister_driver+0x26/0x250 __do_sys_delete_module+0x307/0x510 ? free_module+0x6a0/0x6a0 ? fpregs_assert_state_consistent+0x4b/0xb0 ? rcu_read_lock_sched_held+0x10/0x70 ? syscall_enter_from_user_mode+0x20/0x70 ? trace_hardirqs_on+0x1c/0x130 do_syscall_64+0x5c/0x80 ? trace_hardirqs_on_prepare+0x72/0x160 ? do_syscall_64+0x68/0x80 ? trace_hardirqs_on_prepare+0x72/0x160 entry_SYSCALL_64_after_hwframe+0x44/0xae Reported-by: Mikhail Gavrilov Closes: https://lore.kernel.org/linux-wireless/CABXGCsOdvVwdLmSsC8TZ1jF0UOg_F_W3wqLECWX620PUkvNk=A@mail.gmail.com/ Fixes: 9270270d6219 ("wifi: mt76: mt7921: fix PCI DMA hang after reboot") Tested-by: Mikhail Gavrilov Signed-off-by: Deren Wu --- drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 1 + drivers/net/wireless/mediatek/mt76/mt792x_dma.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c index 57903c6e4f11..2f04d6658b6b 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c @@ -387,6 +387,7 @@ static void mt7921_pci_remove(struct pci_dev *pdev) struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76); mt7921e_unregister_device(dev); + set_bit(MT76_REMOVED, &mdev->phy.state); devm_free_irq(&pdev->dev, pdev->irq, dev); mt76_free_device(&dev->mt76); pci_free_irq_vectors(pdev); diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_dma.c b/drivers/net/wireless/mediatek/mt76/mt792x_dma.c index 488326ce5ed4..3893dbe866fe 100644 --- a/drivers/net/wireless/mediatek/mt76/mt792x_dma.c +++ b/drivers/net/wireless/mediatek/mt76/mt792x_dma.c @@ -12,6 +12,8 @@ irqreturn_t mt792x_irq_handler(int irq, void *dev_instance) { struct mt792x_dev *dev = dev_instance; + if (test_bit(MT76_REMOVED, &dev->mt76.phy.state)) + return IRQ_NONE; mt76_wr(dev, dev->irq_map->host_irq_enable, 0); if (!test_bit(MT76_STATE_INITIALIZED, &dev->mphy.state)) -- 2.18.0