On 08. 04. 25, 12:39, Greg Kroah-Hartman wrote:
6.14-stable review patch. If anyone has any objections, please let me know.
From: Wen Gong <quic_wgong@quicinc.com>
[ Upstream commit 933ab187e679e6fbdeea1835ae39efcc59c022d2 ]
Currently when ath11k gets a new channel list, it will be processed according to the following steps:
1. update new channel list to cfg80211 and queue reg_work.
2. cfg80211 handles new channel list during reg_work.
3. update cfg80211's handled channel list to firmware by ath11k_reg_update_chan_list().
But ath11k will immediately execute step 3 after reg_work is just queued. Since step 2 is asynchronous, cfg80211 may not have completed handling the new channel list, which may lead to an out-of-bounds write error:

BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list
Call Trace:
ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]
kfree+0x109/0x3a0
ath11k_regd_update+0x1cf/0x350 [ath11k]
ath11k_regd_update_work+0x14/0x20 [ath11k]
process_one_work+0xe35/0x14c0

We should ensure step 2 is completely done before executing step 3. Thus Wen raised patch [1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, cfg80211 will notify ath11k after step 2 is done.
So enable the flag NL80211_REGDOM_SET_BY_DRIVER; then cfg80211 will notify ath11k after step 2 is done. At this time, there will be no KASAN bug during the execution of step 3.
[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.272...
Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
Fixes: f45cb6b29cd3 ("wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()")
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
Reviewed-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20250117061737.1921-2-quic_kangyang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

drivers/net/wireless/ath/ath11k/reg.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c index b0f289784dd3a..7bfe47ad62a07 100644 --- a/drivers/net/wireless/ath/ath11k/reg.c +++ b/drivers/net/wireless/ath/ath11k/reg.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: BSD-3-Clause-Clear /*
- Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
- Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
*/ #include <linux/rtnetlink.h>
- Copyright (c) 2021-2025 Qualcomm Innovation Center, Inc. All rights reserved.
@@ -55,6 +55,19 @@ ath11k_reg_notifier(struct wiphy *wiphy, struct regulatory_request *request) ath11k_dbg(ar->ab, ATH11K_DBG_REG, "Regulatory Notification received for %s\n", wiphy_name(wiphy));
- if (request->initiator == NL80211_REGDOM_SET_BY_DRIVER) {
ath11k_dbg(ar->ab, ATH11K_DBG_REG,
"driver initiated regd update\n");
if (ar->state != ATH11K_STATE_ON)
return;
ret = ath11k_reg_update_chan_list(ar, true);
if (ret)
ath11k_warn(ar->ab, "failed to update channel list: %d\n", ret);
return;
- }
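Review bot: the NL80211_REGDOM_SET_BY_DRIVER branch added to ath11k_reg_notifier() calls ath11k_reg_update_chan_list(ar, true) synchronously, and with the wait flag set that call blocks inside the notifier, which cfg80211 runs from its reg_todo work (reg_todo -> reg_process_self_managed_hint -> ath11k_reg_notifier -> ath11k_reg_update_chan_list -> __wait_for_common in the trace reported below); anything queued behind the locks held on that path then stalls, which matches the linkwatch_event, cleanup_net and addrconf_dad_work workers waiting for rtnl_lock in the report. The blocking wait should not live in the notifier: defer it to a driver-side worker and have the notifier only queue that work. The upstream follow-up commit 02aae8e2f957 ("wifi: ath11k: update channel list in worker when wait flag is set") named in the reply is that change and should be backported together with this patch rather than after it.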
I suspect this causes stalls for me.
Workqueues are waiting for rtnl_lock:
Showing busy workqueues and worker pools:
workqueue events_unbound: flags=0x2
  pwq 64: cpus=0-15 flags=0x4 nice=0 active=1 refcnt=2
    in-flight: 107692:linkwatch_event
workqueue netns: flags=0x6000a
  pwq 64: cpus=0-15 flags=0x4 nice=0 active=1 refcnt=18
    in-flight: 107676:cleanup_net
workqueue pm: flags=0x4
  pwq 2: cpus=0 node=0 flags=0x0 nice=0 active=5 refcnt=6
    in-flight: 107843:pm_runtime_work ,100179:pm_runtime_work ,50846:pm_runtime_work ,107845:pm_runtime_work ,107652:pm_runtime_work
workqueue ipv6_addrconf: flags=0x6000a
  pwq 64: cpus=0-15 flags=0x4 nice=0 active=1 refcnt=18
    in-flight: 107705:addrconf_dad_work
While the above reg_notifier is stuck too:
workqueue events: flags=0x0
  pwq 14: cpus=3 node=0 flags=0x0 nice=0 active=1 refcnt=2
    in-flight: 107807:reg_todo [cfg80211]
waiting for:
Workqueue: events reg_todo [cfg80211]
Call Trace:
 <TASK>
 __schedule+0x437/0x1470
 schedule+0x27/0xf0
 schedule_timeout+0x73/0xe0
 __wait_for_common+0x8e/0x1c0
 ath11k_reg_update_chan_list+0x23c/0x290 [ath11k 30c4a145118dc3331f552d6275ec7d6272671444]
 ath11k_reg_notifier+0x5a/0x80 [ath11k 30c4a145118dc3331f552d6275ec7d6272671444]
 reg_process_self_managed_hint+0x170/0x1b0 [cfg80211 2571f504aa68d55c11440c869062c668de1a2dce]
 reg_process_self_managed_hints+0x47/0xf0 [cfg80211 2571f504aa68d55c11440c869062c668de1a2dce]
 reg_todo+0x207/0x290 [cfg80211 2571f504aa68d55c11440c869062c668de1a2dce]
 process_one_work+0x17b/0x330
 worker_thread+0x2ce/0x3f0
Is stable missing some backport or is this a problem in 6.15-rc too?
/me looking...
Ah, what about:

commit 02aae8e2f957adc1b15b6b8055316f8a154ac3f5
Author: Wen Gong <quic_wgong@quicinc.com>
Date:   Fri Jan 17 14:17:37 2025 +0800
wifi: ath11k: update channel list in worker when wait flag is set
?
thanks,