From: Ben Greear <greearb@candelatech.com>
To: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Subject: ax200, fw crashes, and sdata-in-driver
Date: Mon, 13 Jul 2020 16:57:27 -0700 [thread overview]
Message-ID: <bb23b798-f347-7559-b3dc-d8f713899d26@candelatech.com> (raw)
Hello,
I larded up my 5.4 kernel with KASAN and lockdep, and ran some tests. This is with my
patch that keeps from busy-spinning forever (see previous ignored patch).
After a few restarts and FW crashes, the ax200 could not recover firmware. There
were lots of sdata-in-driver errors, and then KASAN hit a use-after-free issue
related to ax200 accessing sta object that was previously deleted.
Now, I think I know why:
In the ieee80211_handle_reconfig_failure(struct ieee80211_local *local)
method, it will clear the SDATA_IN_DRIVER flag, and according to comments,
this is run when firmware cannot be recovered. But, just because FW is
dead does not mean that the driver itself has cleaned up its state.
So question is, should ax200 (and all drivers) be responsible for cleaning
up all state when FW cannot be recovered, or should instead mac80211 do cleanup
in this case by, among other things, not clearing that flag (and probably
not doing the ctx->driver_present = false; config as well)?
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
next reply other threads:[~2020-07-13 23:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-13 23:57 Ben Greear [this message]
2020-07-30 12:30 ` ax200, fw crashes, and sdata-in-driver Johannes Berg
2020-07-30 12:58 ` Ben Greear
2020-09-22 20:57 ` Ben Greear
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bb23b798-f347-7559-b3dc-d8f713899d26@candelatech.com \
--to=greearb@candelatech.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).