From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org,
    syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com,
    syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com,
    syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com,
    syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com,
    syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com,
    syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com,
    Johannes Berg
Subject: [PATCH 5.4 145/158] mac80211: free sta in sta_info_insert_finish() on errors
Date: Mon, 23 Nov 2020 13:22:53 +0100
Message-Id: <20201123121826.926326711@linuxfoundation.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20201123121819.943135899@linuxfoundation.org>
References: <20201123121819.943135899@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Johannes Berg

commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream.

If sta_info_insert_finish() fails, we currently keep the station
around and free it only in the caller, but there's only one such
caller and it always frees it immediately.

As syzbot found, another consequence of this split is that we can
put things that sleep only into __cleanup_single_sta() and not in
sta_info_free(), but this is the only place that requires such of
sta_info_free() now.

Change this to free the station in sta_info_insert_finish(), in
which case we can still sleep. This will also let us unify the
cleanup code later.

Cc: stable@vger.kernel.org
Fixes: dcd479e10a05 ("mac80211: always wind down STA state")
Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com
Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com
Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com
Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com
Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com
Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc64ed6613d36c18a48e0@changeid
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
---
 net/mac80211/sta_info.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

--- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -688,7 +688,7 @@ static int sta_info_insert_finish(struct out_drop_sta: local->num_sta--; synchronize_net(); - __cleanup_single_sta(sta); + cleanup_single_sta(sta); out_err: mutex_unlock(&local->sta_mtx); kfree(sinfo); 
@@ -707,19 +707,13 @@ int sta_info_insert_rcu(struct sta_info err = sta_info_insert_check(sta); if (err) { + sta_info_free(local, sta); mutex_unlock(&local->sta_mtx); rcu_read_lock(); - goto out_free; + return err; } - err = sta_info_insert_finish(sta); - if (err) - goto out_free; - - return 0; - out_free: - sta_info_free(local, sta); - return err; + return sta_info_insert_finish(sta); } int sta_info_insert(struct sta_info *sta)
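
Review bot: In the first hunk (@@ -688,7, sta_info_insert_finish()), cleanup_single_sta(sta) sits above the out_err label, so only exits that pass through out_drop_sta free the station; any path that jumps straight to out_err unlocks sta_mtx, frees sinfo and returns with sta still allocated. Because the second hunk removes the caller's out_free path, such exits would now leak the station instead of having it freed by sta_info_insert_rcu(). Suggest a dedicated cleanup label that every error exit reaches, or an explicit free on the out_err-only paths, so that "frees sta on error" holds for the whole function.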
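
Review bot: In the second hunk (@@ -707,19, sta_info_insert_rcu()), the new tail "return sta_info_insert_finish(sta);" hands ownership of sta to the callee on failure, but nothing in the visible lines documents that contract. A short comment above sta_info_insert_finish() saying that it frees the station on every error return would keep a later caller from touching or freeing sta after an error. In the sta_info_insert_check() failure branch, sta_info_free(local, sta) now runs before mutex_unlock(&local->sta_mtx); that is fine as written because the unlock goes through local rather than sta, and a one-line comment there would help keep it that way.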