Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp1191901rbb; Mon, 26 Feb 2024 01:23:53 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXTuE/ZosiHxVZOS6Qinuu35RD6N/Es96kZJc4m1fYXBNIl6aORi3uQGDfax2H4oUSK6RdFh4Tld032LybHAx06vHwOJEaqCYDFtw02og== X-Google-Smtp-Source: AGHT+IGlYnnAnOEoU8epboRkkqe6/FSOBvNXxs8Yxiqp6G8CNBs8bks4kvVAMW67pH4Rcxa/gRgb X-Received: by 2002:a17:906:8414:b0:a43:76d4:806c with SMTP id n20-20020a170906841400b00a4376d4806cmr539428ejx.74.1708939433354; Mon, 26 Feb 2024 01:23:53 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708939433; cv=pass; d=google.com; s=arc-20160816; b=QeR/FcWEf/IUhz/yxGXlmwNx1TCb+PgSKgG4FHm3HToX/lL6xJAu1uxwvfFT1YOHFl fL9H9tyfSQt9+e7WDhriisgPdFyEDo8MJnsJstXDs5Zfwaw3NiqbCl3/lDIyDcmwckl4 fsMvPZpdKaRi3yYIRxFaCO4kDFQFiHOX30yIFPcRumevFT7q8R3WU4IlsP6d/5ycl1Ed /zbelbB83ZgWRK02n3/Yl+9lgl4nZVW/PgvvvY4zPlb2WEz7miw99ZATlps6nXyMBOZE 3bMOYWU4oK6K3RYFTEuLlyu6oY6GuVNTG3Hw3IDTJBJBJCCoZHjMBtmMtKGzJGVEm2v7 zVJg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :user-agent:content-transfer-encoding:references:in-reply-to:date:to :from:subject:message-id:dkim-signature; bh=p8Dl8g22eUdmFxX5j5wZ+ZsU6se0mQqZf32WCzYmULA=; fh=+ddfSKpvgN3UwcB0Rp8lwCcwaC1ZngHIsfX2GLJijUM=; b=BG8WEdmDJ8hZxyz9w+ymmJmL8aO07TgpUCJlyWiHcD4BH+qx03YxYwW8UnAkIWxiNc 74Im89Mcv9uNF9Sw0z9JFkXU5dZea5oLFMTBFZy9zix7b3wR56ostMKF84qSothhpN+1 ZRNTmBUYfOJa9PmWEq2dUkFNH91W72HmLNC6a/yZ4YF7SavGPQ7/LK95dUYs/cjcBnIW zE6F2PdiQw/MOlFCddYaMnbPA81Vmbq33EPU74iLpDOmnFYa/kxwacaOSJFqyaojJbFv kv51UkNYBxdlNpwcGpzmNpb7SdWyt5HCuxQVJ4jiuWdmuYcOGJei7jGf7AQ7QHFmrcOc utxw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b=fSaHsDjy; arc=pass (i=1 spf=pass spfdomain=sipsolutions.net dkim=pass dkdomain=sipsolutions.net dmarc=pass fromdomain=sipsolutions.net); spf=pass (google.com: domain of linux-wireless+bounces-3997-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-wireless+bounces-3997-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id rv4-20020a17090710c400b00a3fc641ace9si1997536ejb.556.2024.02.26.01.23.53 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 26 Feb 2024 01:23:53 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-3997-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b=fSaHsDjy; arc=pass (i=1 spf=pass spfdomain=sipsolutions.net dkim=pass dkdomain=sipsolutions.net dmarc=pass fromdomain=sipsolutions.net); spf=pass (google.com: domain of linux-wireless+bounces-3997-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-wireless+bounces-3997-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 542CD1F287E0 for ; Mon, 26 Feb 2024 09:16:23 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 73F1438DD5; Mon, 26 Feb 2024 08:31:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=sipsolutions.net header.i=@sipsolutions.net header.b="fSaHsDjy" X-Original-To: linux-wireless@vger.kernel.org Received: from sipsolutions.net (s3.sipsolutions.net [168.119.38.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41C8B18E3F for ; Mon, 26 Feb 2024 08:31:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.38.16 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708936306; cv=none; b=Sk24qLOgKOZi6oNkEvRMEIuooOwdshUeKxQNlcLLRVWGafPsDwWBIB4qxhhHBWD7rW2UlPUU62id5n6SrXe54oUhozbVgkCSusg7umzTiSutR1kLHg9C8yUo9ORIvzZ0LXZhhnVkNMU51iLwcFgBzIV4X4lT9TJAqD6tcvR6x+4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708936306; c=relaxed/simple; bh=nw1w1ya+r68TkmVTR1ws6QK3QMyXcidwoXzAgXCx0T8=; h=Message-ID:Subject:From:To:Date:In-Reply-To:References: Content-Type:MIME-Version; b=SnaIumPk+GJlLesiWnG8/5Vj4+x3fRGi3Ig9XFyFm5W43OX1cwov/7Cg4wpdG9a7kHfdhfwQWhZ86gbWoubliN395mVHULxKejPyv2HdXxsnDIAvi/IjaRkPhOWd6EGb2oYaXhv5GMKFG6jiKRpy/Xl1rKf2K3aHMNVMwfV9aUY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=sipsolutions.net; spf=pass smtp.mailfrom=sipsolutions.net; dkim=pass (2048-bit key) header.d=sipsolutions.net header.i=@sipsolutions.net header.b=fSaHsDjy; arc=none smtp.client-ip=168.119.38.16 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=sipsolutions.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sipsolutions.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sipsolutions.net; s=mail; h=MIME-Version:Content-Transfer-Encoding: Content-Type:References:In-Reply-To:Date:To:From:Subject:Message-ID:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-To: Resent-Cc:Resent-Message-ID; bh=p8Dl8g22eUdmFxX5j5wZ+ZsU6se0mQqZf32WCzYmULA=; t=1708936303; x=1710145903; b=fSaHsDjylHzKw+lgoJ1zPSSk+09ezTdCoaHSMUzSIMl5lk0 szcNk+8+0pMGDuiiXg7WnkjNWfvB5nw3nuVBiiE2qQHjYHo4/tIx9+984LVRurD37SS8/McfKBtip 479bwmFbPravopQ1N+iBvVdvX7JoNtfTLRkktt+C7SXRw2hZ0bksKMjOGY/ypLOvjiA2Q84Sbsxlm rGxH0lX7nzTw9AkRK23yVrGT/IJDEvT/OlLtkVBRULS7hQcO5gRA1XNidpRRR4i4iiZaaocqdP0U5 05l0NGYTExuvehg8JC6TtFl+JsGj82xqXf6cJkxBcpnCD9BhpGRIU1OSVIOHjJkQ==; Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.97) (envelope-from ) id 1reWOb-0000000957k-3qch; Mon, 26 Feb 2024 09:31:34 +0100 Message-ID: Subject: Re: What is the lifetime of an instance of struct cfg80211_chan_def::chan From: Johannes Berg To: Jeff Johnson , linux-wireless Date: Mon, 26 Feb 2024 09:31:32 +0100 In-Reply-To: <181138f2-77c2-47f5-94d0-28ccd52fb166@quicinc.com> References: <181138f2-77c2-47f5-94d0-28ccd52fb166@quicinc.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.50.4 (3.50.4-1.fc39) Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-malware-bazaar: not-scanned On Fri, 2024-02-23 at 14:14 -0800, Jeff Johnson wrote: > I'm concerned about a potential race condition in the ath12k driver, but > need to understand the lifetime of struct cfg80211_chan_def::chan to see > if there is an actual issue. Almost certainly isn't - the 'chan' pointer in chandef is to a struct ieee80211_channel, and those are more or less constant and need to be around for the lifetime of the entire wiphy, at least. Often they're just in static memory in the driver module. > This is the target of my concern, which at first glance looks benign: > static int ath12k_mac_vif_chan(struct ieee80211_vif *vif, > struct cfg80211_chan_def *def) > { > struct ieee80211_chanctx_conf *conf; >=20 > rcu_read_lock(); > conf =3D rcu_dereference(vif->bss_conf.chanctx_conf); > *def =3D conf->def; > rcu_read_unlock(); >=20 > return 0; > } > Note: I've omitted some error code that isn't important to this discussio= n. >=20 > This code starts a read side critical section, gets the config from the > BSS configuration, makes a copy of the conf->def and then exits the read > side critical section. What could go wrong? Well what is this conf->def > that is being copied? > struct ieee80211_bss_conf { > struct ieee80211_chanctx_conf __rcu *chanctx_conf; >=20 > struct ieee80211_chanctx_conf { > struct cfg80211_chan_def def; >=20 > struct cfg80211_chan_def { > struct ieee80211_channel *chan; > enum nl80211_chan_width width; > u32 center_freq1; > u32 center_freq2; > struct ieee80211_edmg edmg; > u16 freq1_offset; > }; >=20 > Note well the following: > struct ieee80211_channel *chan; >=20 > This is a pointer to some memory.=C2=A0 Right. > During the time we are in the read > side critical section we are guaranteed that, if this pointer is not > NULL, the memory backing this pointer is valid. Actually ... I would say since that pointer _itself_ doesn't even have __rcu annotation (and doesn't get copied via RCU), the RCU does nothing for its protection. > But as soon as we exit > the read side critical section there is no guarantee, at least not one > enforced by RCU, that a writer might update, or even free, the memory > referenced by chan. There never was though, since you didn't rcu_dereference(chan). > So I'm trying to determine what else, if anything, protects the lifetime > of this pointer, and I'm getting lost in the mac80211 code, so any hints > would be appreciated. See above. It's always pointing to an entry in the wiphy's supported band's channels array, which is around for at least the life of the wiphy. At least should be! johannes