From: Johannes Berg <johannes@sipsolutions.net>
To: Masi Osmani <mas-i@hotmail.de>
Cc: linux-wireless@vger.kernel.org,
Christian Lamparter <chunkeey@googlemail.com>
Subject: Re: [PATCH] mac80211: stop hardware before clearing driver state on reconfig failure
Date: Fri, 13 Mar 2026 08:08:36 +0100
Message-ID: <e7f3ba3acca1308bc0871a3892da9e15525d5038.camel@sipsolutions.net>
In-Reply-To: <AM7PPF5613FA0B697F9C2D2DC13F462DC029444A@AM7PPF5613FA0B6.EURP251.PROD.OUTLOOK.COM>
On Thu, 2026-03-12 at 15:30 +0100, Masi Osmani wrote:
> When ieee80211_handle_reconfig_failure() is called after a failed HW
> reconfiguration, it clears IEEE80211_SDATA_IN_DRIVER flags on all
> interfaces but does not stop the hardware.
Yeah, but ieee80211_do_stop() via cfg80211_shutdown_all_interfaces()
should call it later? Now you're calling it twice, which seems odd?
> This creates a race window:
> cfg80211_shutdown_all_interfaces() subsequently calls ieee80211_do_stop()
> which runs sta_info_flush() to destroy stations, while the driver's RX
> path may still be delivering frames that reference station data being
> freed.
How is that possible?
> This race was observed with the carl9170 driver: when firmware
> deadlocks during a restart attempt, ieee80211_reconfig() fails
> at drv_add_interface(). The subsequent interface teardown triggers
> sta_info_destroy_part2() while the USB RX tasklet still calls
> ieee80211_rx_napi(), causing a use-after-free kernel panic.
That doesn't make sense, station lookups should be protected, either by
locking or by RCU; there's synchronize_net() in __sta_info_flush() for
that.
Can you please report the actual bug?
> The fix stops the hardware in ieee80211_handle_reconfig_failure() before
> clearing IN_DRIVER state, ensuring no driver can deliver RX frames once
> the teardown begins.
I don't think that really is a good fix, and if that crash can happen
here then it can likely also happen during normal teardown, and we
should fix it differently.
johannes