wifi: rtw88: schedule rx work after everything is set up

Message ID	20240528110246.477321-1-marcin.slusarz@gmail.com
State	New
Headers	show Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 24B981D53C; Tue, 28 May 2024 11:03:04 +0000 (UTC) From: =?utf-8?q?Marcin_=C5=9Alusarz?= <marcin.slusarz@gmail.com> To: linux-wireless@vger.kernel.org Cc: =?utf-8?q?Marcin_=C5=9Alusarz?= <mslusarz@renau.com>, Tim K <tpkuester@gmail.com>, Ping-Ke Shih <pkshih@realtek.com>, Larry Finger <Larry.Finger@lwfinger.net>, Kalle Valo <kvalo@kernel.org>, linux-kernel@vger.kernel.org Subject: [PATCH] wifi: rtw88: schedule rx work after everything is set up Date: Tue, 28 May 2024 13:02:46 +0200 Message-Id: <20240528110246.477321-1-marcin.slusarz@gmail.com> In-Reply-To: <13e848c1544245e6aef4b89c3f38daf0@realtek.com> References: <13e848c1544245e6aef4b89c3f38daf0@realtek.com> Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	wifi: rtw88: schedule rx work after everything is set up \| expand wifi: rtw88: schedule rx work after everything is set up

Message ID

20240528110246.477321-1-marcin.slusarz@gmail.com

State

New

Headers

From: =?utf-8?q?Marcin_=C5=9Alusarz?= <marcin.slusarz@gmail.com>
To: linux-wireless@vger.kernel.org
Cc: =?utf-8?q?Marcin_=C5=9Alusarz?= <mslusarz@renau.com>,
 Tim K <tpkuester@gmail.com>, Ping-Ke Shih <pkshih@realtek.com>,
 Larry Finger <Larry.Finger@lwfinger.net>, Kalle Valo <kvalo@kernel.org>,
 linux-kernel@vger.kernel.org
Subject: [PATCH] wifi: rtw88: schedule rx work after everything is set up
Date: Tue, 28 May 2024 13:02:46 +0200
Message-Id: <20240528110246.477321-1-marcin.slusarz@gmail.com>
In-Reply-To: <13e848c1544245e6aef4b89c3f38daf0@realtek.com>
References: <13e848c1544245e6aef4b89c3f38daf0@realtek.com>
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

wifi: rtw88: schedule rx work after everything is set up | expand

Commit Message

Marcin Ślusarz May 28, 2024, 11:02 a.m. UTC

From: Marcin Ślusarz <mslusarz@renau.com>

Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.

The stack trace looks like this:

rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe

So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.

Fix this by moving the first usb_submit_urb after everything
is set up.

For me, this bug manifested as:
[    8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[    8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.

Reported-by: Tim K <tpkuester@gmail.com>
Closes: https://lore.kernel.org/linux-wireless/CA+shoWQ7P49jhQasofDcTdQhiuarPTjYEDa--NiVVx494WcuQw@mail.gmail.com/
Signed-off-by: Marcin Ślusarz <mslusarz@renau.com>
Cc: Ping-Ke Shih <pkshih@realtek.com>
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: linux-wireless@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
 drivers/net/wireless/realtek/rtw88/usb.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

Comments

Ping-Ke Shih May 29, 2024, 1:28 a.m. UTC | #1

Marcin Ślusarz <marcin.slusarz@gmail.com> wrote:
> From: Marcin Ślusarz <mslusarz@renau.com>
> 
> Reported-by: Tim K <tpkuester@gmail.com>
> Closes:
> https://lore.kernel.org/linux-wireless/CA+shoWQ7P49jhQasofDcTdQhiuarPTjYEDa--NiVVx494WcuQw@mail.gmail.
> com/

I gave this suggestions too early, since we have not gotten test result from Tim.
I will change them to "Link:" if no ACK from Tim while merging. 

> Signed-off-by: Marcin Ślusarz <mslusarz@renau.com>
> Cc: Ping-Ke Shih <pkshih@realtek.com>
> Cc: Larry Finger <Larry.Finger@lwfinger.net>
> Cc: Kalle Valo <kvalo@kernel.org>
> Cc: linux-wireless@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org

This is v2 version, so mail subject should be "[PATCH v2] ....", and add 
change log here, like:

---  (delimiter is important here)

v2: add Reported-by and Closes.

> ---
>  drivers/net/wireless/realtek/rtw88/usb.c | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
> 

Also I would prefer to point out "usb" in subject, please use "wifi: rtw88: usb: "
as prefix.

[...]

Tim K May 30, 2024, 2:33 p.m. UTC | #2

> I gave this suggestions too early, since we have not gotten test result from Tim.
> I will change them to "Link:" if no ACK from Tim while merging.

Hey all, thanks for reaching out!

Sadly I'm not able to work on this project right now, but I've
forwarded this email to a few colleagues to bring them in the loop.
Did you have a timeline you were looking at to close this off?

- Tim

Ping-Ke Shih May 31, 2024, 12:35 a.m. UTC | #3

Tim K <tpkuester@gmail.com> wrote:
> 
> > I gave this suggestions too early, since we have not gotten test result from Tim.
> > I will change them to "Link:" if no ACK from Tim while merging.
> 
> Hey all, thanks for reaching out!
> 
> Sadly I'm not able to work on this project right now, but I've
> forwarded this email to a few colleagues to bring them in the loop.
> Did you have a timeline you were looking at to close this off?

Thanks for your reply. I would take this patch to 6.11, so you have about
4-5 weeks. Is it enough to you?

Ping-Ke

diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index a0188511099a..98f81e3ae13e 100644
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -740,7 +740,6 @@  static struct rtw_hci_ops rtw_usb_ops = {
 static int rtw_usb_init_rx(struct rtw_dev *rtwdev)
 {
 	struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
-	int i;
 
 	rtwusb->rxwq = create_singlethread_workqueue("rtw88_usb: rx wq");
 	if (!rtwusb->rxwq) {
@@ -752,13 +751,19 @@  static int rtw_usb_init_rx(struct rtw_dev *rtwdev)
 
 	INIT_WORK(&rtwusb->rx_work, rtw_usb_rx_handler);
 
+	return 0;
+}
+
+static void rtw_usb_setup_rx(struct rtw_dev *rtwdev)
+{
+	struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev);
+	int i;
+
 	for (i = 0; i < RTW_USB_RXCB_NUM; i++) {
 		struct rx_usb_ctrl_block *rxcb = &rtwusb->rx_cb[i];
 
 		rtw_usb_rx_resubmit(rtwusb, rxcb);
 	}
-
-	return 0;
 }
 
 static void rtw_usb_deinit_rx(struct rtw_dev *rtwdev)
@@ -895,6 +900,8 @@  int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 		goto err_destroy_rxwq;
 	}
 
+	rtw_usb_setup_rx(rtwdev);
+
 	return 0;
 
 err_destroy_rxwq:

wifi: rtw88: schedule rx work after everything is set up

Commit Message

Comments

Patch