Kang Yang <quic_kangyang@xxxxxxxxxxx> writes:

> From: Wen Gong <quic_wgong@xxxxxxxxxxx>
>
> Currently, when ath11k gets a new channel list, it mainly does two things
> in ath11k_regd_update():
> 1. update the channel list to cfg80211 by reg_work.
> 2. update cfg80211's channel list to firmware by
> ath11k_reg_update_chan_list().
>
> Flow:
> ath11k_regd_update
> ->regulatory_set_wiphy_regd
> -> schedule_work(&reg_work)
> ->reg_work->reg_process_self_managed_hint
> ->handle_band_custom(update to cfg80211)
> -> ath11k_reg_update_chan_list(update to firmware)
>
> But ath11k_reg_update_chan_list() is called immediately after reg_work
> is queued. They run in different threads. At this time,
> ath11k_reg_update_chan_list() may use a wrong channel list because
> handle_band_custom() may not be finished.
> This may result in out-of-bounds write errors:
> BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list
> Call Trace:
> ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]
> kfree+0x109/0x3a0
> ath11k_regd_update+0x1cf/0x350 [ath11k]
> ath11k_regd_update_work+0x14/0x20 [ath11k]
> process_one_work+0xe35/0x14c0
>
> So we should make sure ath11k_reg_update_chan_list() is called after
> handle_band_custom() is finished.
>
> reg_process_self_managed_hint() will call reg_call_notifier() after
> handle_band_custom(). This function will call ath11k_reg_notifier(), so
> move ath11k_reg_update_chan_list() to ath11k_reg_notifier(). Then
> ath11k can update the correct channel list to firmware.
>
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3
>
> Fixes: f45cb6b29cd3 ("wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update()")
> Signed-off-by: Wen Gong <quic_wgong@xxxxxxxxxxx>
> Signed-off-by: Kang Yang <quic_kangyang@xxxxxxxxxxx>

I think the commit message should be completely rewritten; the idea here is not to list functions and their call orders.
-- 
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
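As an added illustration of the ordering problem the quoted commit message describes (not code from the patch or from ath11k), the following C model uses a single-slot stand-in for the kernel workqueue and simplified stand-in structs (`chan_list`, `ar`) to show why pushing the channel list to firmware right after queuing reg_work sends the stale list, and why moving the push into the notifier that runs after handle_band_custom() fixes it. It models the stale read, not the KASAN out-of-bounds write itself.

```c
/* Simulation of the ordering bug in the quoted commit message: a deferred
 * worker rebuilds cfg80211's channel list while the driver is already
 * pushing that list to firmware. Simplified stand-ins, not the ath11k API. */
#define MAX_CHANS 8
struct chan_list { int n; int freq[MAX_CHANS]; };
/* cfg80211's view of the channels, and the list last sent to firmware */
struct ar { struct chan_list wiphy; struct chan_list fw; };

/* One-slot stand-in for the kernel workqueue: work is deferred until run. */
typedef void (*work_fn)(struct ar *, const struct chan_list *);
static work_fn pending_work;
static struct ar *work_ar;
static const struct chan_list *work_regd;
static void schedule_work(work_fn fn, struct ar *ar, const struct chan_list *regd)
{
    pending_work = fn; work_ar = ar; work_regd = regd;
}
static void run_pending_work(void)
{
    if (pending_work) { pending_work(work_ar, work_regd); pending_work = 0; }
}

/* handle_band_custom(): reg_work rebuilds cfg80211's channel list. */
static void handle_band_custom(struct ar *ar, const struct chan_list *regd) { ar->wiphy = *regd; }
/* ath11k_reg_update_chan_list(): copy cfg80211's current list to firmware
 * and return how many channels were sent. */
static int update_chan_list(struct ar *ar) { ar->fw = ar->wiphy; return ar->fw.n; }

/* Buggy flow: queue the work, then push to firmware at once. The push reads
 * whatever cfg80211 holds right now, i.e. the stale list. */
static int regd_update_buggy(struct ar *ar, const struct chan_list *regd)
{
    schedule_work(handle_band_custom, ar, regd);
    int sent = update_chan_list(ar); /* runs before the worker */
    run_pending_work();              /* worker finishes later */
    return sent;
}

/* Fixed flow: the firmware push moves into the notifier that reg_work calls
 * after handle_band_custom() (ath11k_reg_notifier() in the patch). */
static void reg_work_then_notifier(struct ar *ar, const struct chan_list *regd)
{
    handle_band_custom(ar, regd);
    update_chan_list(ar);
}
static int regd_update_fixed(struct ar *ar, const struct chan_list *regd)
{
    schedule_work(reg_work_then_notifier, ar, regd);
    run_pending_work();
    return ar->fw.n;
}
```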