Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp1321256rdb; Wed, 24 Jan 2024 11:15:19 -0800 (PST) X-Google-Smtp-Source: AGHT+IGWVL+PyjYD3uTPlNhX1QxfDd/b//tg/fx74xUS5Sfjn8iS3xzgkYq5rbl2AoXF7NRRTgVv X-Received: by 2002:a17:90b:3747:b0:290:1464:e994 with SMTP id ne7-20020a17090b374700b002901464e994mr21637pjb.46.1706123719214; Wed, 24 Jan 2024 11:15:19 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706123719; cv=pass; d=google.com; s=arc-20160816; b=AwRfcLYMn7/aPeVsIChqasSegS+8eIndM1qF313ZcHjr7Mca1sJ4WnVT25idvChRpZ KSRKSG3dJcw/b7yb4q6PzR003Ntp8b0KhnzRe2ct86W5mY18sN9m5O8qw/Et280N6Iqz LJ9ST6g7lXq2+CnfUafhSiunP4x1VoPauEuSozLJd9EHxLNtGKvVcNGZkb/CKehy2qK+ oN8qKapUWIlIRLnHMqGGNfRkVesOmQ8TarayMPx4iqyEtVthHsdJRx8YR0PfH/Qx2NjR SOPZQJRTtPIchw95LoRH1OaUbjgGdRiL1ZvuvFKs3GftY9eOU0X0CwJDVP+hG8UrNyvl 2u5g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:from:subject:message-id:dkim-signature; bh=aF7m+tfN8g6RPuUFvmo9ESlJtzfvEk5zFKsA/qbgRZw=; fh=TgQB0kTPRGZ660LjM+U/YcyS/ym3BGS1pexYSXu5kSE=; b=ZmC+5bD8gF6Y1WQQzBVdtYtFPybjMNzhsORqt6NfGGyuCpUje/wKb1ZmFshg1pQlqC +g73Txel2XKN8j0dgy4xc4slbLnED4FC9c3QJZ0EKgpP8OABpqUqTmoO49EtgjBhljJP nfza4Iy39+tg08w/UfwJGpyLmfENc25xNndCw4Wl8+ZSg2Khgv18xRyYY7RNvF3Ak4cV Onh2qmtyt9KoXNPdl3HVc+Pp/BFoHLexmt7kPMUlnY+FYr2LZm20TMzFgN7rHcMLxFkk O9+GzP9CzPLgFhUTkmWW8jP6SFLkJbHVxGg06rc010EmdhrBDvsxCmBHYcoPGdO6DdF3 Ld7w== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@egauge.net header.s=sgd header.b=qoGd7ypk; arc=pass (i=1 spf=pass spfdomain=em1190.egauge.net dkim=pass dkdomain=egauge.net dmarc=pass fromdomain=egauge.net); spf=pass (google.com: domain of linux-wireless+bounces-2455-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-wireless+bounces-2455-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=egauge.net Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id mp3-20020a17090b190300b002908e864e5asi6364388pjb.98.2024.01.24.11.15.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 11:15:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-2455-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@egauge.net header.s=sgd header.b=qoGd7ypk; arc=pass (i=1 spf=pass spfdomain=em1190.egauge.net dkim=pass dkdomain=egauge.net dmarc=pass fromdomain=egauge.net); spf=pass (google.com: domain of linux-wireless+bounces-2455-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-wireless+bounces-2455-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=egauge.net Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 237F4B230DA for ; Wed, 24 Jan 2024 18:45:34 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7E40A12A166; Wed, 24 Jan 2024 18:45:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=egauge.net header.i=@egauge.net header.b="qoGd7ypk" X-Original-To: linux-wireless@vger.kernel.org Received: from o1.ptr2625.egauge.net (o1.ptr2625.egauge.net [167.89.112.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BF3308002E for ; Wed, 24 Jan 2024 18:45:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=167.89.112.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706121930; cv=none; b=WbgUriapj/emmSNngITdJy3F2L8jtfGLxBfK33oa1r7NquHeS2Gw8W9u/6rj+ykf5KUNcuPAKOgsbVCm9RIM5g4CMz0W9f7hvDMnKKizhceEcv8m9Osx8m2D5MRaeWVwUMaAOws/375cBpUUruTh/T1VfbVMOam3CsEsVlXcuis= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706121930; c=relaxed/simple; bh=9x6wU+tfXBcrFsfSdCCh+fbQAkExaYXczq0YYw2pNjQ=; h=Message-ID:Subject:From:Date:In-Reply-To:References:Content-Type: MIME-Version:To:Cc; b=tl/HF5mpCgaCkbPak0u9MYx6SASdnvuOBIMmmIAnX2mYtrurHS1R7EWAefWIJ77Hu4M8uybx9/m6zzxiHn1EwAE0Cwjh4v8isp01bRxusiGHZx/grJdFVK5HqGVdefUPsb0DSSJDiWtowzyFBCueXJFtxdERE6pTHOAsts4zRms= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=egauge.net; spf=pass smtp.mailfrom=em1190.egauge.net; dkim=pass (2048-bit key) header.d=egauge.net header.i=@egauge.net header.b=qoGd7ypk; arc=none smtp.client-ip=167.89.112.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=egauge.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=em1190.egauge.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=egauge.net; h=subject:from:in-reply-to:references:content-type: content-transfer-encoding:mime-version:to:cc:cc:content-type:from:subject:to; s=sgd; bh=aF7m+tfN8g6RPuUFvmo9ESlJtzfvEk5zFKsA/qbgRZw=; b=qoGd7ypkHJf/7DAMeOHCRxh+XBn+bqjdg7mzRRzJ84aCAXNbF9q1iLT+d5gk7niGMGRQ SJUaOMIeky8XGB8D/TdRxNaxsj8dXpPh95BpsYNE8iRptJNk1JKZ45+GwlUqkSy5gSGm/y cO/JwyVc2vNSGkTOQaVJ1/4grat0zz5TPmTxS1Wwj96PnxZ7LwPUfwsGxauIyA3mHXD2bz oIsYBOUj5qvYHSY3Tg0Qr9fCjPpR+JvD9tT1AP9wI3Pj6M2Ln889UgYM3nj/jutyvDpNB5 mypoN4J0lXdRcFr/tHPve8X+kipjlmhFAZWqJ9bMfQqb0blufj4GQFp+fYhbC+eA== Received: by filterdrecv-655bd866f5-c4wvc with SMTP id filterdrecv-655bd866f5-c4wvc-1-65B15AC7-1C 2024-01-24 18:45:27.297262808 +0000 UTC m=+1142910.120992772 Received: from bixby.lan (unknown) by geopod-ismtpd-22 (SG) with ESMTP id qGP6ZeFcRquDUoeQsFIIaQ Wed, 24 Jan 2024 18:45:27.065 +0000 (UTC) Message-ID: Subject: Re: [PATCH] wifi: wilc1000: validate chip id during bus probe From: David Mosberger-Tang Date: Wed, 24 Jan 2024 18:45:27 +0000 (UTC) In-Reply-To: References: <20240122211315.1444880-2-davidm@egauge.net> <20240122220350.1449413-1-davidm@egauge.net> <751bf8e4-c81c-495b-9166-9f91f9c4b2d5@bootlin.com> <0d77d857-35ce-43bc-aaf3-2b46c01a44ec@bootlin.com> Organization: eGauge Systems LLC Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4-0ubuntu2 Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-SG-EID: =?us-ascii?Q?+kMxBqj35EdRUKoy8diX1j4AXmPtd302oan+iXZuF8m2Nw4HRW2irNspffT=2Fkh?= =?us-ascii?Q?ET6RJF6+Prbl0h=2FEtF1rRLvBy1k6LyRUfRc5Hz3?= =?us-ascii?Q?huu0NoXvSB7ZLpzJ6h6QMhvr0cdt9aabmxQSzJi?= =?us-ascii?Q?4Uxj+K6ST+BMMtNC0Z4ZKuFm2bkqj1a84D+=2FLDw?= =?us-ascii?Q?cHgw+uoeC+PgQflnKVxlnMxiBG=2FJO52aXCeoIH0?= =?us-ascii?Q?HsoHu+nzcv3XVQUTiaaQ9QzZYX6oJEUl1vWsFlz?= =?us-ascii?Q?vUzXI1dFm7Ja28RGDJZOw=3D=3D?= To: Alexis =?iso-8859-1?q?Lothor=E9?= , linux-wireless@vger.kernel.org Cc: Ajay.Kathat@microchip.com, kvalo@kernel.org X-Entity-ID: Xg4JGAcGrJFIz2kDG9eoaQ== On Wed, 2024-01-24 at 10:31 -0700, David Mosberger-Tang wrote: > Alexis, >=20 > On Wed, 2024-01-24 at 10:01 +0100, Alexis Lothor=E9 wrote: > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > BUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x294/0x2c0 > > Read of size 4 at addr c3c91ce8 by task swapper/1 >=20 > OK, I think I see what's going on: it's the list traversal. Here is what > wilc_netdev_cleanup() does: >=20 > list_for_each_entry_rcu(vif, &wilc->vif_list, list) { > if (vif->ndev) > unregister_netdev(vif->ndev); > } >=20 > The problem is that "vif" is the private part of the netdev, so when the = netdev > is freed, the vif structure is no longer valid and list_for_each_entry_rc= u() > ends up dereferencing a dangling pointer. >=20 > Ajay or Alexis, could you propose a fix for this - this is not something = I'm > familiar with. Actually, after staring at the code a little longer, is there anything wron= g with delaying the unregister_netdev() call until after the vif has been rem= oved from the vif-list? Something along the lines of the below. --david diff --git a/drivers/net/wireless/microchip/wilc1000/netdev.c b/drivers/net/wireless/microchip/wilc1000/netdev.c index 0bf6aef4661e..e78e7d971243 100644 --- a/drivers/net/wireless/microchip/wilc1000/netdev.c +++ b/drivers/net/wireless/microchip/wilc1000/netdev.c @@ -884,7 +884,7 @@ static const struct net_device_ops wilc_netdev_ops =3D = { void wilc_netdev_cleanup(struct wilc *wilc) { struct wilc_vif *vif; - int srcu_idx, ifc_cnt =3D 0; + int ifc_cnt =3D 0; =20 if (!wilc) return; @@ -894,13 +894,6 @@ void wilc_netdev_cleanup(struct wilc *wilc) wilc->firmware =3D NULL; } =20 - srcu_idx =3D srcu_read_lock(&wilc->srcu); - list_for_each_entry_rcu(vif, &wilc->vif_list, list) { - if (vif->ndev) - unregister_netdev(vif->ndev); - } - srcu_read_unlock(&wilc->srcu, srcu_idx); - wilc_wfi_deinit_mon_interface(wilc, false); destroy_workqueue(wilc->hif_workqueue); =20 @@ -918,6 +911,10 @@ void wilc_netdev_cleanup(struct wilc *wilc) mutex_unlock(&wilc->vif_mutex); synchronize_srcu(&wilc->srcu); ifc_cnt++; + + if (vif->ndev) + /* vif gets freed as part of this call: */ + unregister_netdev(vif->ndev); } =20 wilc_wlan_cfg_deinit(wilc);