From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com, Johannes Berg
Subject: [PATCH 4.9 14/16] mac80211: always wind down STA state
Date: Fri, 20 Nov 2020 12:03:19 +0100
Message-Id: <20201120104540.427104816@linuxfoundation.org>
In-Reply-To: <20201120104539.706905067@linuxfoundation.org>

From: Johannes Berg

commit dcd479e10a0510522a5d88b29b8f79ea3467d501 upstream.

When (for example) an IBSS station is pre-moved to AUTHORIZED
before it's inserted, and then the insertion fails, we don't
clean up the fast RX/TX states that might already have been
created, since we don't go through all the state transitions
again on the way down.

Do that, if it hasn't been done already, when the station is
freed. I considered only freeing the fast TX/RX state there,
but we might add more state so it's more robust to wind down
the state properly.

Note that we warn if the station was ever inserted, it should
have been properly cleaned up in that case, and the driver
will probably not like things happening out of order.

Reported-by: syzbot+2e293dbd67de2836ba42@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20201009141710.7223b322a955.I95bd08b9ad0e039c034927cce0b75beea38e059b@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/sta_info.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c 
@@ -243,6 +243,24 @@ struct sta_info *sta_info_get_by_idx(str */ void sta_info_free(struct ieee80211_local *local, struct sta_info *sta) { + /* + * If we had used sta_info_pre_move_state() then we might not + * have gone through the state transitions down again, so do + * it here now (and warn if it's inserted). + * + * This will clear state such as fast TX/RX that may have been + * allocated during state transitions. + */ + while (sta->sta_state > IEEE80211_STA_NONE) { + int ret; + + WARN_ON_ONCE(test_sta_flag(sta, WLAN_STA_INSERTED)); + + ret = sta_info_move_state(sta, sta->sta_state - 1); + if (WARN_ONCE(ret, "sta_info_move_state() returned %d\n", ret)) + break; + } + if (sta->rate_ctrl) rate_control_free_sta(sta);
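
Review bot: in the while loop added at the top of sta_info_free(), the break taken when sta_info_move_state() returns non-zero leaves sta->sta_state above IEEE80211_STA_NONE, and the function then continues into rate_control_free_sta() and the rest of the free path, so whatever was allocated during the upward transitions (the fast TX/RX state the comment mentions) may still be attached when the station is released. The block comment should state whether a one-time warning plus continuing the free is the intended outcome on that path, or the failure case should release that state explicitly before falling through. A smaller point on the same loop: sta->sta_state - 1 relies on the station states being consecutive values that step down to IEEE80211_STA_NONE one at a time, which is worth a word in the comment so that a later change to the state list does not silently turn this into a skipped or invalid transition.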