From: Brian Norris <briannorris@chromium.org>
To: Zheng Hacker <hackerzheng666@gmail.com>
Cc: Zheng Wang <zyytlz.wz@163.com>,
ganapathi017@gmail.com, alex000young@gmail.com,
amitkarwar@gmail.com, sharvari.harisangam@nxp.com,
huxinming820@gmail.com, kvalo@kernel.org, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mwifiex: Fix use-after-free bug due to race condition between main thread thread and timer thread
Date: Wed, 22 Feb 2023 13:20:29 -0800
Message-ID: <Y/aHHSkUOsOsU+Kq@google.com>
In-Reply-To: <CAJedcCzmnZCR=XF+zKHiJ+8PNK88sXFDm5n=RnwcTnJfO0ihOw@mail.gmail.com>

On Wed, Feb 22, 2023 at 12:17:21PM +0800, Zheng Hacker wrote:
> Could you please provide some advice about the fix?

This entire driver's locking patterns (or lack
thereof) need rewritten. This driver was probably written by someone
that doesn't really understand concurrent programming. It really only
works because the bulk of normal operation is sequentialized into the
main loop (mwifiex_main_process()). Any time you get outside that,
you're likely to find bugs.

But now that I've looked a little further, I'm not confident you pointed
out a real bug. How does mwifiex_sdio_card_reset_work() get past
mwifiex_shutdown_sw() -> wait_for_completion(adapter->fw_done) ? That
should ensure that _mwifiex_fw_dpc() is finished, and so we can't hit
the race you point out.

Note to self: ignore most "static analysis" reports of race conditions,
unless they have thorough analysis or a runtime reproduction.

Brian