From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Emmanuel Grumbach, Luca Coelho, Johannes Berg, Sasha Levin
Subject: [PATCH 4.4 086/113] mac80211: fix a race between restart and CSA flows
Date: Mon, 8 Oct 2018 20:31:27 +0200
Message-Id: <20181008175536.087432633@linuxfoundation.org>
In-Reply-To: <20181008175530.864641368@linuxfoundation.org>
References: <20181008175530.864641368@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Emmanuel Grumbach

[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ]

We hit a problem with iwlwifi that was caused by a bug in
mac80211. A bug in iwlwifi caused the firmware to crash in
certain cases in channel switch. Because of that bug,
drv_pre_channel_switch would fail and trigger the restart
flow.
Now we had the hw restart worker which runs on the system's
workqueue and the csa_connection_drop_work worker that runs
on mac80211's workqueue that can run together. This is
obviously problematic since the restart work wants to
reconfigure the connection, while the csa_connection_drop_work
worker does the exact opposite: it tries to disconnect.

Fix this by cancelling the csa_connection_drop_work worker
in the restart worker.

Note that this can sound racy: we could have:

driver   iface_work   CSA_work   restart_work
+++++++++++++++++++++++++++++++++++++++++++++
               |
 <--drv_cs ---|
-CS FAILED-->
               |                    |
               |                 cancel_work(CSA)
            schedule                |
            CSA work                |
               |                    |
              Race between those 2

But this is not possible because we flush the workqueue
in the restart worker before we cancel the CSA worker.
That would be bullet proof if we could guarantee that
we schedule the CSA worker only from the iface_work
which runs on the workqueue (and not on the system's
workqueue), but unfortunately we do have an instance
in which we schedule the CSA work outside the context
of the workqueue (ieee80211_chswitch_done).

Note also that we should probably cancel other workers
like beacon_connection_loss_work and possibly others
for different types of interfaces, at the very least,
IBSS should suffer from the exact same problem, but for
now, do the minimum to fix the actual bug that was actually
experienced and reproduced.

Signed-off-by: Emmanuel Grumbach
Signed-off-by: Luca Coelho
Signed-off-by: Johannes Berg
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/main.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c @@ -253,8 +253,27 @@ static void ieee80211_restart_work(struc "%s called with hardware scan in progress\n", __func__); rtnl_lock(); - list_for_each_entry(sdata, &local->interfaces, list) + list_for_each_entry(sdata, &local->interfaces, list) { + /* + * XXX: there may be more work for other vif types and even + * for station mode: a good thing would be to run most of + * the iface type's dependent _stop (ieee80211_mg_stop, + * ieee80211_ibss_stop) etc... + * For now, fix only the specific bug that was seen: race + * between csa_connection_drop_work and us. + */ + if (sdata->vif.type == NL80211_IFTYPE_STATION) { + /* + * This worker is scheduled from the iface worker that + * runs on mac80211's workqueue, so we can't be + * scheduling this worker after the cancel right here. + * The exception is ieee80211_chswitch_done. + * Then we can have a race... + */ + cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work); + } flush_delayed_work(&sdata->dec_tailroom_needed_wk); + } ieee80211_scan_cancel(local); ieee80211_reconfig(local); rtnl_unlock();
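
Review bot: the cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work) call in the NL80211_IFTYPE_STATION branch narrows the race but does not close it, as the comment directly above it concedes: ieee80211_chswitch_done can queue the worker from outside mac80211's workqueue, so it can be scheduled again after the cancel and before ieee80211_reconfig(local) runs. The comment ends at "Then we can have a race..." without saying what happens if the disconnect work then runs against a reconfigured interface; please either document why that outcome is tolerable or add a guard so that path cannot schedule the worker while a restart is in progress. The XXX block also leaves other vif types and the other workers named in the commit message (beacon_connection_loss_work, IBSS) exposed to the same pattern, so a follow-up that routes this through the per-type stop helpers the comment mentions would be worth tracking rather than leaving it as an open-ended note.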