Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3851372pxb; Tue, 17 Nov 2020 05:23:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJyCOxUcI/meVO5O0TVHbN+HISM2JJ1Nwh+DpHVdio7iHfTi8ggtZyNKKyxSCbCvceb2du7b X-Received: by 2002:a17:906:fcc2:: with SMTP id qx2mr19959155ejb.549.1605619415230; Tue, 17 Nov 2020 05:23:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605619415; cv=none; d=google.com; s=arc-20160816; b=dyZVNvdcD+YQsfdH6kDaf5kQein7Q1Bi28YEx5zMtfRd/jiHChG9oOJZDtgl+MP3ml lJF7e53iqIrnuMO5JIB9ufW6n1cktvYZwALiKqELn8Iw3gw4N46Lv05F2v70FwsMT0w6 +B6FlyXpXEds2u+V8rs2Ba6xwzYbSa+0DPwDEzeCzEgkpculgJOJy/8//H8B99fUQ43+ G+DkxMxQnWojVnnu5TmIymC/+yO9ul2ROCKt7L85aNosOgLiW6hZhdOMn8md1S2MbuwV RqtezTGR92iSHqYtUjMdxU9oBtjLZ9sGfkAF83KCc6TJ+Y7IFL8mNZC5P5mYeuiV7qlg F4fQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=eGEaiu92ksUy70dJftH1zEIZ3pV/E9gcW/CGZGYFQ7U=; b=IiFz+JJoed8rirZRuBR0WOANV2AI0Nb8RtLrNf1oHdsZuQxUGPKUHuVLcafmgaYYeb UPJDw11P18USObbFeGBehRUIGMLfX9JzPwMlpLHFfD2+LaBBF26+iSbYv9WVoAit/AFT dxPpJHhtYOb6/mBbhIJLYkJuJGryC9cMLPX3afyAB7mDwfhCpj7BDvaDwhiZeEzrfNDM CG1WBanQk/V6A+gO54FbJvLTWO8H3h2+qbpvwsZcBhNxf8Hl33N4WIEWf6FhNL2T/Hf6 oUAvRNEnApJqUm09Cg1fB6NESXv/75SBc+JOIC1AX1XOYERfyVCCwGwMLMKFllE4MA6V RYTQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Wcw1qHpe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cd24si12924585ejb.213.2020.11.17.05.23.11; Tue, 17 Nov 2020 05:23:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Wcw1qHpe; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730820AbgKQNU5 (ORCPT + 99 others); Tue, 17 Nov 2020 08:20:57 -0500 Received: from mail.kernel.org ([198.145.29.99]:54580 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730810AbgKQNUz (ORCPT ); Tue, 17 Nov 2020 08:20:55 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BDBB2241A5; Tue, 17 Nov 2020 13:20:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1605619254; bh=YlQnmF3j6u9xI+c2Jvnq7pftCVEMAfxHdf5m87zRk4w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Wcw1qHpeXbHMRRQmD2uyZKlwkLF2vz9D06fYmh6VJBFwZ8pj/dmLQs3n0bTa7L4Y+ iemRT0rNBS5HwUct1TUOKbqYFVO9WkP4rj+osyFJ4DmCbi4GEqQNk0pT0Uso3gTJ9b IZRnRqRJDCIuLzWXwMZeXi0BkSKeVU0szRbl9G8k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com, Johannes Berg , Sasha Levin Subject: [PATCH 4.19 040/101] mac80211: always wind down STA state Date: Tue, 17 Nov 2020 14:05:07 +0100 Message-Id: <20201117122115.042659064@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201117122113.128215851@linuxfoundation.org> References: <20201117122113.128215851@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg [ Upstream commit dcd479e10a0510522a5d88b29b8f79ea3467d501 ] When (for example) an IBSS station is pre-moved to AUTHORIZED before it's inserted, and then the insertion fails, we don't clean up the fast RX/TX states that might already have been created, since we don't go through all the state transitions again on the way down. Do that, if it hasn't been done already, when the station is freed. I considered only freeing the fast TX/RX state there, but we might add more state so it's more robust to wind down the state properly. Note that we warn if the station was ever inserted, it should have been properly cleaned up in that case, and the driver will probably not like things happening out of order. Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/mac80211/sta_info.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 9968b8a976f19..d11eb5139c92a 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -244,6 +244,24 @@ struct sta_info *sta_info_get_by_idx(struct ieee80211_sub_if_data *sdata, */ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta) { + /* + * If we had used sta_info_pre_move_state() then we might not + * have gone through the state transitions down again, so do + * it here now (and warn if it's inserted). + * + * This will clear state such as fast TX/RX that may have been + * allocated during state transitions. + */ + while (sta->sta_state > IEEE80211_STA_NONE) { + int ret; + + WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED)); + + ret = sta_info_move_state(sta, sta->sta_state - 1); + if (WARN_ONCE(ret, "sta_info_move_state() returned %d\n", ret)) + break; + } + if (sta->rate_ctrl) rate_control_free_sta(sta); -- 2.27.0