Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp724929pxb; Tue, 2 Feb 2021 16:47:45 -0800 (PST) X-Google-Smtp-Source: ABdhPJwuDal6xOPiJRrp0v5ZBqdAcm4U64bZiDgp0NzslWBHhLoRZqJ06soN6bEEWcA/v682kkT/ X-Received: by 2002:aa7:c34f:: with SMTP id j15mr658335edr.120.1612313265064; Tue, 02 Feb 2021 16:47:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612313265; cv=none; d=google.com; s=arc-20160816; b=Z5S7nq7MZc+azthg9r6rG5/scry0+RAjnXeyCp9CMmo6ftCqZe/wTIKfkM7eZLsAGc sjwGhEIDIXjUTJdsv56WxKh66swcQ3OF/0/bg+QnQHNFBWogrJU2W+c8aCZtUqgeJgQR jmXK2NjqUwQejotOSQ1Z6hufmleTPm0rWPSLJ6lM8kSluEYkqT5KiujJDpYKDkvRldLQ B66RZ8HXV4e9bbywzFq+8OmyKBPun4cCsiEXZTzromDpJsNhpF3hvzZ3WO7KPKAtvopE zWIY2p75NcGHADm1cqNhZBlFoTZ3pUWao+/UQbFVfPUlzN7tK1MNIzI8yJm9/lLqs3Sw AM8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=j/3DdXqv0WXjVA45jbc0u8b47VR6gwwxCQHDlZzMo2M=; b=qWINY5mvatAbQn2QKfZckAxFD9qzv+9HiDMieCdV42MMJgPLd8cg89qnNSzNB615PJ yWslT01COow1wczFuYLK1XXmrwBCrcaC1WjGjXksR9K3L9wybcmsCQmEyExbZhSJTUWR IlklQGobKLBHoGpmNu+hXb19Gqc9MONuzq546a1+xBMCTDq3u2tlSvOaFLgoc42vFN9P vqCerq3lsyvwD0PCARUU/SDIqMmjSGXgM729Vo5VROU4Sa6gsn0ytZVvdmmrTCV9ADPx haIVJ192PD0s2yzOkpGhcUHSJTID88bQAwMA6Lcp4kREg1hKkjL1xmG2GC/jf9ylnmHQ jkhA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=nabngrcT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a10si221217edv.164.2021.02.02.16.47.20; Tue, 02 Feb 2021 16:47:45 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=nabngrcT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239899AbhBBTnz (ORCPT + 99 others); Tue, 2 Feb 2021 14:43:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:40306 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233267AbhBBNxS (ORCPT ); Tue, 2 Feb 2021 08:53:18 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3081C64FC7; Tue, 2 Feb 2021 13:43:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1612273438; bh=ipxG6WDr8VSptqAEU9zqm6akg9KbWzRm8xx3mdZVxaU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nabngrcTGmZrKOD3K/RfL0/u7xjKiNZchm/gZnZQFKavfTu3m9Uh9VG2iQl7VEzp2 Hj9upyO6pMMdPYcprur5wmkLKOtF2iMa9/EQwNNF4aRgdPv6wwAyhmiz7R++4ia4Af FDf13IP/nUqhL6YwibXLllp2MPQGGyUQrhN88yT4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+d7a3b15976bf7de2238a@syzkaller.appspotmail.com, Johannes Berg , Sasha Levin Subject: [PATCH 5.10 106/142] mac80211: pause TX while changing interface type Date: Tue, 2 Feb 2021 14:37:49 +0100 Message-Id: <20210202133002.082303954@linuxfoundation.org> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210202132957.692094111@linuxfoundation.org> References: <20210202132957.692094111@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg [ Upstream commit 054c9939b4800a91475d8d89905827bf9e1ad97a ] syzbot reported a crash that happened when changing the interface type around a lot, and while it might have been easy to fix just the symptom there, a little deeper investigation found that really the reason is that we allowed packets to be transmitted while in the middle of changing the interface type. Disallow TX by stopping the queues while changing the type. Fixes: 34d4bc4d41d2 ("mac80211: support runtime interface type changes") Reported-by: syzbot+d7a3b15976bf7de2238a@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20210122171115.b321f98f4d4f.I6997841933c17b093535c31d29355be3c0c39628@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- net/mac80211/ieee80211_i.h | 1 + net/mac80211/iface.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 2a21226fb518a..d6913784be2bd 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1082,6 +1082,7 @@ enum queue_stop_reason { IEEE80211_QUEUE_STOP_REASON_FLUSH, IEEE80211_QUEUE_STOP_REASON_TDLS_TEARDOWN, IEEE80211_QUEUE_STOP_REASON_RESERVE_TID, + IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE, IEEE80211_QUEUE_STOP_REASONS, }; diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 44154cc596cd4..f3c3557a9e4c4 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1654,6 +1654,10 @@ static int ieee80211_runtime_change_iftype(struct ieee80211_sub_if_data *sdata, if (ret) return ret; + ieee80211_stop_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE); + synchronize_net(); + ieee80211_do_stop(sdata, false); ieee80211_teardown_sdata(sdata); @@ -1676,6 +1680,8 @@ static int ieee80211_runtime_change_iftype(struct ieee80211_sub_if_data *sdata, err = ieee80211_do_open(&sdata->wdev, false); WARN(err, "type change: do_open returned %d", err); + ieee80211_wake_vif_queues(local, sdata, + IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE); return ret; } -- 2.27.0