Received: by 2002:a05:7412:3290:b0:fa:6e18:a558 with SMTP id ev16csp167393rdb; Thu, 25 Jan 2024 11:18:11 -0800 (PST) X-Google-Smtp-Source: AGHT+IH1guqWF4gmDAF95GRfkAW6WQ+SkMAVDx+fJAk4JFjkG3XUt5pLmSTBJu3j6MJ50LFURXT0 X-Received: by 2002:a5e:d610:0:b0:7bf:197d:1aaa with SMTP id w16-20020a5ed610000000b007bf197d1aaamr392772iom.1.1706210291419; Thu, 25 Jan 2024 11:18:11 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706210291; cv=pass; d=google.com; s=arc-20160816; b=aCYsQiGVZOI7ZI9CBCv42aH+Mxpx7k/XSG3LmuP6o8vtfXTM8sNh9gi/aYYwry3G29 obVh+oIhMY4BQTvw1z6LCsVaTqQ0W0fT1OHYWCKqWVCA+soYusATSCuPNU+XOCVrCqhW pyroVAAUahrB4zIjCrgxCI+GWa9b9CLm8csuiz/ZIWFTQlI5MrrcDomogMgm9rj2T/am srPCWPRPgeZ64jY/LgYJWT1JrCVrCmHIJeMmpfpyY/SchXQ0P6srrMph96Z1C8WOBWMU DxstR75eiW18huI1kFyIqaotvW/NQRf3rQWqKQvB1cu82DFsqImM4Ymq6qds1jjIIAgB vAJQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:user-agent:content-transfer-encoding:organization :references:in-reply-to:date:from:subject:message-id:dkim-signature; bh=9WfiMZw74T6VMe/uuVNOn/HJ/IhA5yNY6JncsKibAss=; fh=NbkIrrM6QUPBx3lcIz/7oAriB67zprV7O743VU54GuQ=; b=JzIyTVC87sWSI8kqk/2bbAwwwKWtw5C9nktwutoe/4b5QpxokzqqyW2M9XcRbA33Ir T0ThuJqbC0xGsruhpyFac4pZHyLXV5RudRVroEqX/sNgO1X6DO8+T5erY+cAK/pnNaJs O7497giFNZdYUI0WowtXVtQkYi7ObbKzuO0RhUrF3qGF6ypRc7LZu0qoSTYBNN/taBB3 +YQNiCXaCLiQjAfDukhbvp+ybb4eNWHDJ+TRwbqMj2TXwFIA8NOxUPY2bXXdOFfxx23E eBSlXdp9+hVaH0CJ2Sf+aEujAGjlCAK+nAYNktblZL+sutbbrL3JlNAPdwSLtRC01s+D upDg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@egauge.net header.s=sgd header.b=a78bK8AC; arc=pass (i=1 spf=pass spfdomain=em1190.egauge.net dkim=pass dkdomain=egauge.net dmarc=pass fromdomain=egauge.net); spf=pass (google.com: domain of linux-wireless+bounces-2505-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-2505-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=egauge.net Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id f1-20020a63dc41000000b005cf58870685si14078020pgj.226.2024.01.25.11.18.11 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 25 Jan 2024 11:18:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-2505-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@egauge.net header.s=sgd header.b=a78bK8AC; arc=pass (i=1 spf=pass spfdomain=em1190.egauge.net dkim=pass dkdomain=egauge.net dmarc=pass fromdomain=egauge.net); spf=pass (google.com: domain of linux-wireless+bounces-2505-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-2505-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=egauge.net Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id AE485293911 for ; Thu, 25 Jan 2024 19:18:03 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id ECE6377F02; Thu, 25 Jan 2024 19:18:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=egauge.net header.i=@egauge.net header.b="a78bK8AC" X-Original-To: linux-wireless@vger.kernel.org Received: from o1.ptr2625.egauge.net (o1.ptr2625.egauge.net [167.89.112.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 26CB9111AA for ; Thu, 25 Jan 2024 19:17:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=167.89.112.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706210280; cv=none; b=nR5UOb4V49rc+H89RzuR6ltx+c8u2jnlCbRMCZ6GVXIFWmNCehK7GdK8KFcEA+9DZAHNrRp1SeD2Q8Og9DTNcahS+lmHyUl5uR+45RvdqLNW8G80HoWGvMcsEq4M4P377Fwk6XXSyjHMY3FE+XfPe1rkOat11GBsXN8GcOSdO3U= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706210280; c=relaxed/simple; bh=0qQU7SCNn84PuZeyF1JFYV5VTEUTu/fcW1rKMS/vV+Y=; h=Message-ID:Subject:From:Date:In-Reply-To:References:Content-Type: MIME-Version:To:Cc; b=GTaAaX6NRCTkGqsmKbjPvi/awx/L20duFyG6C/zSTn4DqJ8bcQSLDQQDK2YwH6fB8qO035IJ8jIwt217karl00XsVu4OGiHyOvVv664KJlWKW+Czys6R1tXOKt1tKfaSyydCP3VtAnJntkIDyRMpsQiXAbIgdnxovSuaJHcSJJM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=egauge.net; spf=pass smtp.mailfrom=em1190.egauge.net; dkim=pass (2048-bit key) header.d=egauge.net header.i=@egauge.net header.b=a78bK8AC; arc=none smtp.client-ip=167.89.112.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=egauge.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=em1190.egauge.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=egauge.net; h=subject:from:in-reply-to:references:content-type: content-transfer-encoding:mime-version:to:cc:cc:content-type:from:subject:to; s=sgd; bh=9WfiMZw74T6VMe/uuVNOn/HJ/IhA5yNY6JncsKibAss=; b=a78bK8AC3qV/zellcu81C8SUdiU7CUqkp61vVrzxMNCXULyu/P0wnrsdQDj/0wmGiAR5 +dnJdJ5XmweZPncnDq7A2JLl79w84lfiIDqNHkoqZIrIqETAFAobFw0X0RACGvAND8aYxG 85wfLv8rgLRnF2Ka14xJoHa/yQ+xrAQeHWdvCL4rePeo+aIj5sfGwSykp6TsrCJthf1mR9 QBj3mBopuc3Mrk9R5Yz+oGPiyHMCVJx1SGYfgIlxW/S++Ml/ih6xEkzMTnlRQ8XZ+muciM HyhCK7vAMtVgqWZU55IHCY6shW4V/iUJaOTSavKkIu95WSaWlsnKdHIBitX+zrGQ== Received: by filterdrecv-655bd866f5-sjj6q with SMTP id filterdrecv-655bd866f5-sjj6q-1-65B2B3E5-E 2024-01-25 19:17:57.449558095 +0000 UTC m=+1231261.315529971 Received: from bixby.lan (unknown) by geopod-ismtpd-5 (SG) with ESMTP id ELQubASlS6Oxe9gyiMOwOA Thu, 25 Jan 2024 19:17:57.187 +0000 (UTC) Message-ID: Subject: Re: [PATCH] wifi: wilc1000: validate chip id during bus probe From: David Mosberger-Tang Date: Thu, 25 Jan 2024 19:17:57 +0000 (UTC) In-Reply-To: <6fa6c238-9938-4e14-9b99-95759b659147@bootlin.com> References: <20240122211315.1444880-2-davidm@egauge.net> <20240122220350.1449413-1-davidm@egauge.net> <751bf8e4-c81c-495b-9166-9f91f9c4b2d5@bootlin.com> <0d77d857-35ce-43bc-aaf3-2b46c01a44ec@bootlin.com> <6fa6c238-9938-4e14-9b99-95759b659147@bootlin.com> Organization: eGauge Systems LLC Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4-0ubuntu2 Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-SG-EID: =?us-ascii?Q?+kMxBqj35EdRUKoy8diX1j4AXmPtd302oan+iXZuF8m2Nw4HRW2irNspffT=2Fkh?= =?us-ascii?Q?ET6RJF6+Prbl0h=2FEtF1rRLvGP2D8Br9KLILkV5m?= =?us-ascii?Q?TKcuDdeYQ289hr3B6ILmlRbn3xX60V9de560j=2FN?= =?us-ascii?Q?y7QcX8tnG3TJMVrmFU38T=2FZtsyRVexdU5Ni=2FLkh?= =?us-ascii?Q?Pf5gB8gmHQ8Vk26Lkb+1xXC2Q5Keesn1XVtW6Hm?= =?us-ascii?Q?xPrphVjLdTyNk2R2bPZmGDtfW2SeG1L2RCNoQZa?= =?us-ascii?Q?6g=2FABvUssCx+jNhkePK+g=3D=3D?= To: Alexis =?iso-8859-1?q?Lothor=E9?= , Ajay.Kathat@microchip.com Cc: kvalo@kernel.org, linux-wireless@vger.kernel.org X-Entity-ID: Xg4JGAcGrJFIz2kDG9eoaQ== On Thu, 2024-01-25 at 12:04 +0100, Alexis Lothor=E9 wrote: > On 1/25/24 07:23, Ajay.Kathat@microchip.com wrote: > > On 1/24/24 11:45, David Mosberger-Tang wrote: > >=20 > > > >=20 > > > > OK, I think I see what's going on: it's the list traversal. Here i= s what > > > > wilc_netdev_cleanup() does: > > > >=20 > > > > list_for_each_entry_rcu(vif, &wilc->vif_list, list) { > > > > if (vif->ndev) > > > > unregister_netdev(vif->ndev); > > > > } > > > >=20 > > > > The problem is that "vif" is the private part of the netdev, so whe= n the netdev > > > > is freed, the vif structure is no longer valid and list_for_each_en= try_rcu() > > > > ends up dereferencing a dangling pointer. >=20 > Your diagnostic sounds relevant :) Yeah, it's definitely what's going on. And it's not just the list traversa= l: afterwards, wilc_netdev_cleanup() continues to access the vif structure whi= le removing them from the vif-list. I think the original idea of calling unregister_netdev() is probably the ri= ght one as, like you said, you want to remove the device from being visible to = the user before tearing down anything else. If I understood the problem correc= tly, the use-after-free caused by this line in wilc_netdev_ifc_init(): ndev->needs_free_netdev =3D true; This causes unregister_netdev() to implicitly call free_netdev(). Without = that code, I think you could call unregister_netdev() early on (as it is right n= ow) and when done with using the vifs, call free_netdev() while avoiding any dangling references. In any case, this is definitely not my area of expertise. I don't fully understand the motivition behind needs_free_netdev, even after reading https://docs.kernel.org/networking/netdevices.html - I suspect the use of t= hat flag has evolved over the years and the docs may not be entirely up-to-date anymore. One driver I looked at (wireless/ath/wil6210/netdev.c) sets needs_free_netdev only for secondary vifs (i.e., all but the first vif). Hopefully someone else on this list can figure out what the right solution = is here. Thanks, --david