    mac80211: fix race in ieee80211_register_hw() · 52e04b4c
    Sumit Garg authored
    A race condition leading to a kernel crash is observed during invocation
    of ieee80211_register_hw() on a dragonboard410c device having wcn36xx
    driver built as a loadable module along with a wifi manager in user-space
    waiting for a wifi device (wlanX) to be active.
    
    Sequence diagram for a particular kernel crash scenario:
    
        user-space  ieee80211_register_hw()  ieee80211_tasklet_handler()
        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           |                    |                 |
           |<---phy0----wiphy_register()          |
           |-----iwd if_add---->|                 |
           |                    |<---IRQ----(RX packet)
           |              Kernel crash            |
           |              due to unallocated      |
           |              workqueue.              |
           |                    |                 |
           |       alloc_ordered_workqueue()      |
           |                    |                 |
           |              Misc wiphy init.        |
           |                    |                 |
           |            ieee80211_if_add()        |
           |                    |                 |
    
    As evident from above sequence diagram, this race condition isn't specific
    to a particular wifi driver but rather the initialization sequence in
    ieee80211_register_hw() needs to be fixed. So re-order the initialization
    sequence and the updated sequence diagram would look like:
    
        user-space  ieee80211_register_hw()  ieee80211_tasklet_handler()
        ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           |                    |                 |
           |       alloc_ordered_workqueue()      |
           |                    |                 |
           |              Misc wiphy init.        |
           |                    |                 |
           |<---phy0----wiphy_register()          |
           |-----iwd if_add---->|                 |
           |                    |<---IRQ----(RX packet)
           |                    |                 |
           |            ieee80211_if_add()        |
           |                    |                 |
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
    Link: https://lore.kernel.org/r/1586254255-28713-1-git-send-email-sumit.garg@linaro.org
    [Johannes: fix rtnl imbalances]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
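The ordering invariant behind this fix, shown as an added user-space C model rather than the kernel's code: `publish()` stands in for wiphy_register() (the point at which user space can see phy0 and add an interface), `tasklet_handler()` stands in for the RX path that runs as soon as a packet arrives, and `alloc_workqueue()` stands in for alloc_ordered_workqueue(). All struct and function names here are stand-ins chosen for the illustration, not mac80211 identifiers. To make the race deterministic, `publish()` invokes the handler synchronously, modelling the worst case where the first IRQ lands right after registration.

```c
/* Added illustration, not the kernel's code: models the init-ordering bug
 * fixed by this commit. A handler that runs before the workqueue exists
 * dereferences NULL, which is the crash described in the commit message. */
#include <stdio.h>
#include <stdlib.h>

struct workqueue { int queued; };   /* stand-in for struct workqueue_struct */

struct hw {
    const char *name;
    struct workqueue *wq;           /* stand-in for the mac80211 workqueue */
    int misc_init_done;             /* stand-in for "Misc wiphy init." */
};

/* Stand-in for the RX path: returns 1 if work could be queued, 0 if it
 * found no workqueue (the kernel would have crashed at this point). */
static int tasklet_handler(struct hw *hw)
{
    if (hw->wq == NULL)
        return 0;
    hw->wq->queued++;
    return 1;
}

/* Stand-in for wiphy_register(): once the phy is visible, user space may
 * add an interface and the first RX packet can arrive, so the handler is
 * invoked synchronously here to make the race deterministic. */
static int publish(struct hw *hw, int (*on_visible)(struct hw *))
{
    return on_visible(hw);
}

/* Stand-in for alloc_ordered_workqueue(). */
static void alloc_workqueue(struct hw *hw)
{
    hw->wq = calloc(1, sizeof(*hw->wq));
    if (!hw->wq) { perror("calloc"); exit(1); }
}

static void free_hw(struct hw *hw) { free(hw->wq); hw->wq = NULL; }

/* Order before the fix: publish first, allocate afterwards. */
int register_hw_before_fix(struct hw *hw)
{
    int ok = publish(hw, tasklet_handler);  /* IRQ can land here */
    alloc_workqueue(hw);                     /* too late for that IRQ */
    hw->misc_init_done = 1;
    return ok;
}

/* Order after the fix: allocate and initialise everything, then publish. */
int register_hw_after_fix(struct hw *hw)
{
    alloc_workqueue(hw);
    hw->misc_init_done = 1;
    return publish(hw, tasklet_handler);
}

/* Run each ordering on a fresh device; 1 = handler ran safely, 0 = NULL hit. */
int demo_before_fix(void)
{
    struct hw hw = { .name = "phy0", .wq = NULL, .misc_init_done = 0 };
    int ok = register_hw_before_fix(&hw);
    free_hw(&hw);
    return ok;
}

int demo_after_fix(void)
{
    struct hw hw = { .name = "phy0", .wq = NULL, .misc_init_done = 0 };
    int ok = register_hw_after_fix(&hw);
    free_hw(&hw);
    return ok;
}

int main(void)
{
    printf("old order: handler %s\n", demo_before_fix() ? "ok" : "hit NULL workqueue");
    printf("new order: handler %s\n", demo_after_fix() ? "ok" : "hit NULL workqueue");
    return 0;
}
```

The general rule the model captures is that an object must be fully initialised before it becomes reachable by any concurrent path (user space, IRQ, another CPU); the reorder in this commit applies exactly that rule to ieee80211_register_hw().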