Subject: Re: [PATCH] wifi: wilc1000: validate chip id during bus probe
From: David Mosberger-Tang
Date: Wed, 24 Jan 2024 17:31:58 +0000 (UTC)
To: Alexis Lothoré, linux-wireless@vger.kernel.org
Cc: Ajay.Kathat@microchip.com, kvalo@kernel.org

Alexis,

On Wed, 2024-01-24 at 10:01 +0100, Alexis Lothoré wrote:
> ==================================================================
> BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x294/0x2c0
> Read of size 4 at addr c3c91ce8 by task swapper/1

OK, I think I see what's going on: it's the list traversal.  Here is what
wilc_netdev_cleanup() does:

	list_for_each_entry_rcu(vif, &wilc->vif_list, list) {
		if (vif->ndev)
			unregister_netdev(vif->ndev);
	}

The problem is that "vif" is the private part of the netdev, so when the netdev
is freed, the vif structure is no longer valid and list_for_each_entry_rcu()
ends up dereferencing a dangling pointer.

Ajay or Alexis, could you propose a fix for this - this is not something I'm
familiar with.

Thanks!

  --david
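
A userspace model of the traversal described in the message above, added here as an illustration; it is not code from the wilc1000 driver or from anyone on the thread. `struct vif` as laid out here, `unregister_model()`, `read_next()` and the flag that stands in for freeing are assumptions, chosen so the stale load can be counted without undefined behaviour; locking and RCU are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: the list link lives inside the vif, and the vif is the
 * private area of its netdev, so releasing the netdev releases the link. */
struct vif { struct vif *next; bool freed; };

static struct vif pool[3];   /* stands in for three netdev allocations */
static struct vif *head;     /* stands in for wilc->vif_list */
static int stale_reads;      /* loads from a vif after its release */

/* Hypothetical stand-in for unregister_netdev(); only flags the memory. */
static void unregister_model(struct vif *v) { v->freed = true; }

/* Checked load of the link, the kind of access KASAN reported. */
static struct vif *read_next(struct vif *v) {
    stale_reads += v->freed;
    return v->next;
}

static void setup(void) {
    stale_reads = 0;
    head = &pool[0];
    for (int i = 0; i < 3; i++)
        pool[i] = (struct vif){ .next = i < 2 ? &pool[i + 1] : NULL };
}

/* Shape of the loop in the message: advance through the released entry. */
int cleanup_unsafe(void) {
    setup();
    for (struct vif *v = head; v; v = read_next(v))
        unregister_model(v);
    return stale_reads;
}

/* Load the successor first, then release the current entry. */
int cleanup_safe(void) {
    setup();
    for (struct vif *v = head, *next; v; v = next) {
        next = read_next(v);
        unregister_model(v);
    }
    return stale_reads;
}

int main(void) {
    printf("unsafe=%d safe=%d\n", cleanup_unsafe(), cleanup_safe());
    return 0;
}
```

The first walk touches every vif once after its release; the second never does, which is the ordering the kernel's list_for_each_entry_safe() provides for a list that nothing else modifies during the walk.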