
ieee80211_register_hw failure when loading the module is not handled cleanly #93

Open
Avamander opened this issue Apr 17, 2024 · 0 comments

Comments

@Avamander
Contributor

When ieee80211_register_hw fails for some reason (and returns EINVAL/-22), the error handling and cleanup is unsafe.

For example:

------------[ cut here ]------------
WARNING: CPU: 3 PID: 1105 at net/mac80211/main.c:972 ieee80211_register_hw+0x8bc/0xbf8 [mac80211]
Modules linked in: nrc(O+) spi_ft232h(O) vc4 snd_soc_hdmi_codec drm_display_helper cec snd_soc_core brcmfmac raspberrypi_hwmon brcmutil snd_compress snd_pcm_dmaengine snd_bcm2835(C) bcm2835_v4l2(C) bcm2835_isp(C) i2c_bcm2835 snd_pcm videobuf2_vmalloc bcm2835_codec(C) bcm2835_mmal_vchiq(C) v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev snd_timer snd mc vc_sm_cma(C) spi_bcm2835 uio_pdrv_genirq uio mac80211 libarc4 cfg80211 rfkill sharp(O) drm_dma_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_dev drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
CPU: 3 PID: 1105 Comm: insmod Tainted: G         C O       6.1.21-v8+ #1642
Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ieee80211_register_hw+0x8bc/0xbf8 [mac80211]
lr : nrc_register_hw+0x3b0/0x4e4 [nrc]
sp : ffffffc008b9b700
x29: ffffffc008b9b700 x28: ffffffd5ab1af230 x27: ffffffd5ab1b5770
x26: ffffffd5ab1af220 x25: ffffff80084ac020 x24: ffffffd5c5cad858
x23: 0000000000000006 x22: ffffff80084aa268 x21: 0000000000000005
x20: ffffff80084aa020 x19: ffffff80084a88a0 x18: 0000000000000001
x17: 20666f207265626d x16: ffffffd5c57a13e0 x15: ffffffffffffffff
x14: 0000000000000000 x13: 30333a736c656e6e x12: ffffffd5c61e73b0
x11: 0000000000000003 x10: 0000000000000007 x9 : ffffffd5ab1966c0
x8 : ffffff8006868a00 x7 : ffffff80084a83a0 x6 : 000000000000000f
x5 : 0000000000000001 x4 : 0000000000003370 x3 : ffffff80084a83a0
x2 : ffffff80084ad390 x1 : ffffff80084ad390 x0 : 0000000000000000
Call trace:
 ieee80211_register_hw+0x8bc/0xbf8 [mac80211]
 nrc_register_hw+0x3b0/0x4e4 [nrc]
 nrc_nw_start+0x128/0x20c [nrc]
 nrc_cspi_probe+0x1a8/0x290 [nrc]
 spi_probe+0x8c/0xf0
 really_probe+0xc4/0x2b0
 __driver_probe_device+0x80/0xe8
 driver_probe_device+0x44/0x110
 __driver_attach+0x7c/0x130
 bus_for_each_dev+0x7c/0xd0
 driver_attach+0x2c/0x38
 bus_add_driver+0x194/0x208
 driver_register+0x6c/0x128
 __spi_register_driver+0xd4/0xe8
 nrc_cspi_init+0x198/0x1000 [nrc]
 do_one_initcall+0x54/0x2a0
 do_init_module+0x50/0x208
 load_module+0x1a3c/0x1d90
 __do_sys_finit_module+0xc4/0x110
 __arm64_sys_finit_module+0x28/0x38
 invoke_syscall+0x4c/0x110
 el0_svc_common.constprop.3+0xfc/0x120
 do_el0_svc+0x34/0xd0
 el0_svc+0x30/0x88
 el0t_64_sync_handler+0x98/0xc0
 el0t_64_sync+0x18c/0x190
---[ end trace 0000000000000000 ]---
nrc80211 spi3.0: ieee80211_register_hw failed (-22)
nrc80211 spi3.0: Failed to nrc_register_hw
nrc_netlink_exit
nrc80211 spi3.0: Failed to nrc_nw_start (-22)
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 1105 at lib/refcount.c:28 refcount_warn_saturate+0xf8/0x148
Modules linked in: nrc(O+) spi_ft232h(O) vc4 snd_soc_hdmi_codec drm_display_helper cec snd_soc_core brcmfmac raspberrypi_hwmon brcmutil snd_compress snd_pcm_dmaengine snd_bcm2835(C) bcm2835_v4l2(C) bcm2835_isp(C) i2c_bcm2835 snd_pcm videobuf2_vmalloc bcm2835_codec(C) bcm2835_mmal_vchiq(C) v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev snd_timer snd mc vc_sm_cma(C) spi_bcm2835 uio_pdrv_genirq uio mac80211 libarc4 cfg80211 rfkill sharp(O) drm_dma_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_dev drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
CPU: 3 PID: 1105 Comm: insmod Tainted: G        WC O       6.1.21-v8+ #1642
Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0xf8/0x148
lr : refcount_warn_saturate+0xf8/0x148
sp : ffffffc008b9b7d0
x29: ffffffc008b9b7d0 x28: ffffffc008b9bce0 x27: 0000000000000001
x26: 0000000000000000 x25: ffffffd5ab1b70d8 x24: ffffffd5ab1ada80
x23: ffffff80084c2800 x22: ffffff80084aa020 x21: ffffff8006ce1b00
x20: ffffff80084a88a0 x19: ffffff80084a8518 x18: ffffffd5c61718b0
x17: 0000000000000000 x16: ffffffd5c555bd88 x15: ffffff8007231e78
x14: 0000000000000040 x13: 2e656572662d7265 x12: ffffffd5c61e73b0
x11: 0000000000000003 x10: 0000000000000001 x9 : ffffffd5c4ef054c
x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : ffffffd5c61cf370
x5 : ffffffaa56075000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000001 x1 : 46d833d1e1567d00 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0xf8/0x148
 kobject_put+0x110/0x120
 put_device+0x1c/0x30
 wiphy_free+0x1c/0x28 [cfg80211]
 ieee80211_free_hw+0x8c/0xb0 [mac80211]
 nrc_mac_free_hw+0x18/0x2c [nrc]
 nrc_nw_free+0xb4/0xe0 [nrc]
 nrc_cspi_probe+0x248/0x290 [nrc]
 spi_probe+0x8c/0xf0
 really_probe+0xc4/0x2b0
 __driver_probe_device+0x80/0xe8
 driver_probe_device+0x44/0x110
 __driver_attach+0x7c/0x130
 bus_for_each_dev+0x7c/0xd0
 driver_attach+0x2c/0x38
 bus_add_driver+0x194/0x208
 driver_register+0x6c/0x128
 __spi_register_driver+0xd4/0xe8
 nrc_cspi_init+0x198/0x1000 [nrc]
 do_one_initcall+0x54/0x2a0
 do_init_module+0x50/0x208
 load_module+0x1a3c/0x1d90
 __do_sys_finit_module+0xc4/0x110
 __arm64_sys_finit_module+0x28/0x38
 invoke_syscall+0x4c/0x110
 el0_svc_common.constprop.3+0xfc/0x120
 do_el0_svc+0x34/0xd0
 el0_svc+0x30/0x88
 el0t_64_sync_handler+0x98/0xc0
 el0t_64_sync+0x18c/0x190
---[ end trace 0000000000000000 ]---
nrc80211: probe of spi3.0 failed with error -22
Succeed to register spi driver(nrc80211).
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005
  CM = 0, WnR = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=0000000004680000
[0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in: nrc(O) spi_ft232h(O) vc4 snd_soc_hdmi_codec drm_display_helper cec snd_soc_core brcmfmac raspberrypi_hwmon brcmutil snd_compress snd_pcm_dmaengine snd_bcm2835(C) bcm2835_v4l2(C) bcm2835_isp(C) i2c_bcm2835 snd_pcm videobuf2_vmalloc bcm2835_codec(C) bcm2835_mmal_vchiq(C) v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev snd_timer snd mc vc_sm_cma(C) spi_bcm2835 uio_pdrv_genirq uio mac80211 libarc4 cfg80211 rfkill sharp(O) drm_dma_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_dev drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
CPU: 2 PID: 1111 Comm: irq/185-nrc-spi Tainted: G        WC O       6.1.21-v8+ #1642
Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : spi_update_status+0x664/0xc84 [nrc]
lr : spi_update_status+0xc4/0xc84 [nrc]
sp : ffffffc008c0bcd0
x29: ffffffc008c0bcd0 x28: ffffff8006b2e000 x27: ffffff8006b2eedc
x26: ffffff8006b2e098 x25: ffffffd5c5cad858 x24: 0000000000000001
x23: 0000000000000000 x22: ffffff8006ce1b00 x21: ffffffd5ab1b73a8
x20: ffffff80084c2800 x19: ffffff80084aa020 x18: 0000000000000000
x17: ffffffaa56058000 x16: ffffffd5c5969bb0 x15: 0000000000004000
x14: 0000000000000000 x13: ffffff8003eebf88 x12: 0000000000000000
x11: 00000000ffff8c6d x10: 0000000000001a60 x9 : ffffffd5ab1a2510
x8 : ffffff8007443980 x7 : ffffffc008c0c000 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000a20 x1 : 0000000000000020 x0 : 0000000000000000
Call trace:
 spi_update_status+0x664/0xc84 [nrc]
 spi_irq+0x24/0x50 [nrc]
 irq_thread_fn+0x34/0xb0
 irq_thread+0x124/0x228
 kthread+0xfc/0x110
 ret_from_fork+0x10/0x20
Code: f9403e83 52814402 52800401 d2800000 (f9400875)
---[ end trace 0000000000000000 ]---
genirq: exiting task "irq/185-nrc-spi" (1111) is an active IRQ thread (irq 185)
irq 185: nobody cared (try booting with the "irqpoll" option)
CPU: 2 PID: 0 Comm: swapper/2 Tainted: G      D WC O       6.1.21-v8+ #1642
Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
Call trace:
 dump_backtrace+0x120/0x130
 show_stack+0x20/0x30
 dump_stack_lvl+0x8c/0xb8
 dump_stack+0x18/0x34
 __report_bad_irq+0x54/0xe4
 note_interrupt+0x16c/0x388
 handle_irq_event_percpu+0x54/0x68
 handle_irq_event+0x50/0xa8
 handle_level_irq+0xe8/0x178
 generic_handle_domain_irq+0x34/0x50
 bcm2835_gpio_irq_handle_bank+0x80/0xb0
 bcm2835_gpio_irq_handler+0x94/0x150
 generic_handle_domain_irq+0x34/0x50
 bcm2836_chained_handle_irq+0x2c/0x60
 generic_handle_domain_irq+0x34/0x50
 bcm2836_arm_irqchip_handle_irq+0x58/0x68
 call_on_irq_stack+0x2c/0x54
 do_interrupt_handler+0xe0/0xf8
 el1_interrupt+0x38/0x70
 el1h_64_irq_handler+0x18/0x28
 el1h_64_irq+0x64/0x68
 arch_cpu_idle+0x18/0x28
 default_idle_call+0x50/0x188
 do_idle+0x234/0x240
 cpu_startup_entry+0x30/0x38
 secondary_start_kernel+0x128/0x150
 __secondary_switched+0xb0/0xb4
handlers:
[<00000000f5174a08>] irq_default_primary_handler threaded [<00000000d9f5c77b>] spi_irq [nrc]
Disabling IRQ #185

Trying to guard against the double free, it results in a NULL pointer dereference.

nrc80211 spi3.0: sband->n_channels:30
------------[ cut here ]------------
WARNING: CPU: 2 PID: 1750 at net/mac80211/main.c:972 ieee80211_register_hw+0x8bc/0xbf8 [mac80211]
Modules linked in: nrc(O+) spi_ft232h(O) vc4 snd_soc_hdmi_codec drm_display_helper cec snd_soc_core brcmfmac raspberrypi_hwmon brcmutil snd_compress snd_pcm_dmaengine snd_bcm2835(C) bcm2835_v4l2(C) bcm2835_isp(C) i2c_bcm2835 snd_pcm videobuf2_vmalloc bcm2835_codec(C) bcm2835_mmal_vchiq(C) v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev snd_timer snd mc vc_sm_cma(C) spi_bcm2835 uio_pdrv_genirq uio mac80211 libarc4 cfg80211 rfkill sharp(O) drm_dma_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_dev drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: nrc(O)]
CPU: 2 PID: 1750 Comm: insmod Tainted: G      D WC O       6.1.21-v8+ #1642
Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ieee80211_register_hw+0x8bc/0xbf8 [mac80211]
lr : nrc_register_hw+0x3b0/0x4e4 [nrc]
sp : ffffffc008beb700
x29: ffffffc008beb700 x28: ffffffd5ab1af230 x27: ffffffd5ab1b5770
x26: ffffffd5ab1af220 x25: ffffff8007e54020 x24: ffffffd5c5cad858
x23: 0000000000000006 x22: ffffff8007e52268 x21: 0000000000000005
x20: ffffff8007e52020 x19: ffffff8007e508a0 x18: 0000000000000020
x17: 0000000000000020 x16: ffffffd5c57a13e0 x15: 0000000000000004
x14: 0000000000000000 x13: 0000000000000000 x12: ffffffd5c61e73b0
x11: 0000000000000003 x10: 0000000000000007 x9 : ffffffd5ab1966c0
x8 : ffffff8006824080 x7 : ffffff8007e503a0 x6 : 000000000000000f
x5 : 0000000000000001 x4 : 0000000000003370 x3 : ffffff8007e503a0
x2 : ffffff8007e55390 x1 : ffffff8007e55390 x0 : 0000000000000000
Call trace:
 ieee80211_register_hw+0x8bc/0xbf8 [mac80211]
 nrc_register_hw+0x3b0/0x4e4 [nrc]
 nrc_nw_start+0x128/0x20c [nrc]
 nrc_cspi_probe+0x1a8/0x290 [nrc]
 spi_probe+0x8c/0xf0
 really_probe+0xc4/0x2b0
 __driver_probe_device+0x80/0xe8
 driver_probe_device+0x44/0x110
 __driver_attach+0x7c/0x130
 bus_for_each_dev+0x7c/0xd0
 driver_attach+0x2c/0x38
 bus_add_driver+0x194/0x208
 driver_register+0x6c/0x128
 __spi_register_driver+0xd4/0xe8
 nrc_cspi_init+0x198/0x1000 [nrc]
 do_one_initcall+0x54/0x2a0
 do_init_module+0x50/0x208
 load_module+0x1a3c/0x1d90
 __do_sys_finit_module+0xc4/0x110
 __arm64_sys_finit_module+0x28/0x38
 invoke_syscall+0x4c/0x110
 el0_svc_common.constprop.3+0xfc/0x120
 do_el0_svc+0x34/0xd0
 el0_svc+0x30/0x88
 el0t_64_sync_handler+0x98/0xc0
 el0t_64_sync+0x18c/0x190
---[ end trace 0000000000000000 ]---
nrc80211 spi3.0: ieee80211_register_hw failed (-22)
nrc80211 spi3.0: Failed to nrc_register_hw
nrc_netlink_exit
nrc80211 spi3.0: Failed to nrc_nw_start (-22)
nrc80211: probe of spi3.0 failed with error -22
Succeed to register spi driver(nrc80211).
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005
  CM = 0, WnR = 0
user pgtable: 4k pages, 39-bit VAs, pgdp=0000000007606000
[0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
Internal error: Oops: 0000000096000005 [#2] PREEMPT SMP
Modules linked in: nrc(O) spi_ft232h(O) vc4 snd_soc_hdmi_codec drm_display_helper cec snd_soc_core brcmfmac raspberrypi_hwmon brcmutil snd_compress snd_pcm_dmaengine snd_bcm2835(C) bcm2835_v4l2(C) bcm2835_isp(C) i2c_bcm2835 snd_pcm videobuf2_vmalloc bcm2835_codec(C) bcm2835_mmal_vchiq(C) v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev snd_timer snd mc vc_sm_cma(C) spi_bcm2835 uio_pdrv_genirq uio mac80211 libarc4 cfg80211 rfkill sharp(O) drm_dma_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops i2c_dev drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [last unloaded: nrc(O)]
CPU: 0 PID: 1754 Comm: spi-poll Tainted: G      D WC O       6.1.21-v8+ #1642
Hardware name: Raspberry Pi Zero 2 W Rev 1.0 (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : spi_update_status+0x664/0xc84 [nrc]
lr : spi_update_status+0xc4/0xc84 [nrc]
sp : ffffffc008c03d30
x29: ffffffc008c03d30 x28: ffffff800740a400 x27: 0000000000000000
x26: ffffff800740a498 x25: 0000000000001388 x24: ffffff800740a400
x23: 0000000000000000 x22: ffffff8005f71400 x21: ffffffd5ab1b73a8
x20: ffffff800512e000 x19: ffffff8007e52020 x18: 0000000000000000
x17: 0000000000000000 x16: ffffffd5c5969bb0 x15: 0000005579c68c70
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 00000000ffff8c6d x10: 0000000000001a60 x9 : ffffffd5ab1a2510
x8 : ffffff80024f7700 x7 : ffffffc008c04000 x6 : 0000000000000001
x5 : 0000000000000001 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000a20 x1 : 0000000000000020 x0 : 0000000000000000
Call trace:
 spi_update_status+0x664/0xc84 [nrc]
 spi_irq+0x24/0x50 [nrc]
 spi_poll_thread+0xf8/0x150 [nrc]
 kthread+0xfc/0x110
 ret_from_fork+0x10/0x20
Code: f9403e83 52814402 52800401 d2800000 (f9400875)
---[ end trace 0000000000000000 ]---

Unfortunately that does not seem to be sufficient and I'm not familiar enough with these kernel interfaces to try and solve this better.

I (and I think many others) would really appreciate it if you/@newracom would improve the module's error handling to improve cases such as these so that the module could at least be unloaded/reloaded.
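As an added illustration (not the nrc driver's code and not the reporter's), a small userspace C model of the two failure modes visible in the traces: the wiphy refcount underflow reached through nrc_nw_free after ieee80211_register_hw returned -22, and spi_irq running after the driver state was torn down. The unwind order in probe_safe is the usual Linux probe() pattern; the mock names, and the assumption that an earlier put precedes the one in nrc_nw_free, are mine.

```c
#include <stdbool.h>
/* Constructed userspace model, not the nrc driver's code: a wiphy refcount
 * that underflows on a second put, plus an IRQ handler that must not run
 * after the state it reads is gone. Names echo the traces above. */
struct nw {
    int wiphy_refs;     /* models the kobject ref that wiphy_free() drops */
    bool irq_requested; /* models request_irq()/free_irq() for spi_irq */
    bool freed;         /* set once the nw state is torn down */
};
struct outcome { bool refcount_underflow; bool irq_touched_freed_state; };
static int ieee80211_register_hw_mock(bool bad_band)
{
    return bad_band ? -22 : 0;             /* -EINVAL, as in the report */
}
static void ieee80211_free_hw_mock(struct nw *s, struct outcome *o)
{
    if (s->wiphy_refs == 0) o->refcount_underflow = true; /* "refcount_t: underflow" */
    else s->wiphy_refs--;
}
static void spi_irq_mock(struct nw *s, struct outcome *o)
{
    if (s->irq_requested && s->freed) o->irq_touched_freed_state = true; /* NULL deref */
}
/* Unsafe shape: hw put twice on the error path (an earlier put is assumed,
 * the second is the one in nrc_nw_free), and the IRQ is never released. */
struct outcome probe_unsafe(bool bad_band)
{
    struct nw s = { .wiphy_refs = 1, .irq_requested = true }; struct outcome o = { 0 };
    if (ieee80211_register_hw_mock(bad_band) < 0) {
        ieee80211_free_hw_mock(&s, &o);    /* earlier put (location assumed) */
        ieee80211_free_hw_mock(&s, &o);    /* nrc_nw_free -> ieee80211_free_hw */
        s.freed = true;
    }
    spi_irq_mock(&s, &o);                  /* a late interrupt still arrives */
    return o;
}
/* Safe shape: undo each step once, in reverse order, and release the IRQ
 * before freeing the memory its handler reads. */
struct outcome probe_safe(bool bad_band)
{
    struct nw s = { .wiphy_refs = 1, .irq_requested = true }; struct outcome o = { 0 };
    if (ieee80211_register_hw_mock(bad_band) < 0)
        goto err_irq;
    return o;                              /* success: resources stay live */
err_irq:
    s.irq_requested = false;               /* free_irq() / stop polling first */
    ieee80211_free_hw_mock(&s, &o);        /* exactly one free_hw */
    s.freed = true;
    spi_irq_mock(&s, &o);                  /* late interrupt is now harmless */
    return o;
}
```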
