Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp586699pxf;
        Wed, 7 Apr 2021 07:04:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyISSXLnp/f3eIX9rcdlH+TOEV7Ez0WKEHr3DiaHadnyEh5DJPO0wokWm6MiZ+NEpx08cBZ
X-Received: by 2002:a17:907:7684:: with SMTP id jv4mr3991088ejc.231.1617804247582;
        Wed, 07 Apr 2021 07:04:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617804247; cv=none;
        d=google.com; s=arc-20160816;
        b=gigGPf7higTc3Je5JGjFUUMrVHtET01ktsJ0n4QQn+hha5hSdNAKuUg9DdadfXIacU
         hQLuJZzW5ITN6+cIB4XBwowdb0owwTZkuqXk2170ysnFLEhyQJHtC1DS47hR6IumduAl
         5trlInXepwAmSNN0ucBc8D2Ayp5T5sw9lUHPlR7WjOAAflVzXnIZT2rib/g5iTTt7rrD
         UADwbfNCvfFIydEN9WGGPylS4pW5e8UdGGwmi+wUYwDyc/YLHCi4SG59lpdQjza+md69
         zttaIJmRgzEqsN1qTLZr1H08KRQuCNlUYDrT1xWjGE1IJ7O5bQkGkuASjfHjtSue5UJm
         u42Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=R5ftgXbb+KVQyjP80P099SNuu0mSDE7rKZztUK1dnRA=;
        b=qOir/bD2G5dWeBa1RFP/ffDXKZQuca3DlqJJ/ZRG/EOAKaAyrAKeXd+b7e2odPVbLM
         LgwFG80RtQY79l7z1LS6VGW/E3SyKwVdISwiRVQKwvwl0b19z++5vIOl04gbmuwIpJ1p
         m5unTWKONoTTzJOG/JQp0fPx2VfiyWIH3BitPspcV/cKPyg2yGWuOeM0GibZYqcvBrjq
         sK43m7J4spJPnbn2gBZVF6Z7mamqYHEjF7YmSOqvzS/XDV8xtwDNi+tmCL26Pai67muZ
         rn70m1cGeA+DVjW27UkCz5L/ZkBQ+yI/BWVobQip13FC/9sMZoNfoeZUVkMqGxpqYlzn
         9Y3w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=UyeUjla4;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c2si12586532edq.459.2021.04.07.07.03.38;
        Wed, 07 Apr 2021 07:04:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=UyeUjla4;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1344381AbhDGCT1 (ORCPT <rfc822;benjamin.aschenbrenner@gmail.com>
        + 99 others); Tue, 6 Apr 2021 22:19:27 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57186 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234067AbhDGCTY (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 6 Apr 2021 22:19:24 -0400
Received: from mail-pj1-x102c.google.com (mail-pj1-x102c.google.com [IPv6:2607:f8b0:4864:20::102c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 67B9FC06174A
        for <linux-wireless@vger.kernel.org>; Tue,  6 Apr 2021 19:19:15 -0700 (PDT)
Received: by mail-pj1-x102c.google.com with SMTP id k23-20020a17090a5917b02901043e35ad4aso445510pji.3
        for <linux-wireless@vger.kernel.org>; Tue, 06 Apr 2021 19:19:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=R5ftgXbb+KVQyjP80P099SNuu0mSDE7rKZztUK1dnRA=;
        b=UyeUjla4ieFbQqjOxbSY05+00qAZd85yaru96bjvYehszGSV+0hFYr60pGvTsDwAN0
         JSZmQumxkyZKRLOWjk6BYnJ3aZvPXth3VJe658MniHOi/6/udyciSv0pMK079YUvNNbJ
         OpgQmtoZS7zgDCXVcmmUKH0cN06BzzfAZFIDWU7FWq9ZBpB/DHAtfknCbiGK6V5im9nv
         EFYuTT0QQNBm5xVtPrsxlkluCnN0TKJu84xJ7OSFHIK0jZr3OklG/Gj7Ur0C0xoO2lzn
         KnnvWJ43xV9eTApjkz1ZirszypMkJSXeE/jbNxeal5+2rPAA5Poz3MxbuTJDE+vrEXIE
         RGHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=R5ftgXbb+KVQyjP80P099SNuu0mSDE7rKZztUK1dnRA=;
        b=TVwWoH7P6V7VVJDvQV8zdRalrzLVggatGQidD04U+Y+KWdeDnzmeoyEENBKiIDE3F/
         hsCcCZmyzZRHNxBwh5SbQ3AKrat3GKYKCt79LWlsZ1cS/hKu0BW2t1RH2Cb5IY7ApUxn
         Fw7IbnRiZDRRkjhmKXHM2iZLVE/FExqy5Ewi3j2HOJbzRyX/9Xd0/prMDsa6iLk6mlOb
         RvEcwKNhWSiidJyeRrZqwzwRXr9z/5bJ/t0Myvjzqwzi6F+4qdgmORsADNRKsWtdcxJj
         jE3YUfVjupT16HM/kq1jnhbvG0GfOUsbMK6A2jYcbH9o43xVivRfLtUBe1cY5blj6ybL
         63jQ==
X-Gm-Message-State: AOAM532NeZx5cZ0eO2bTgy2uR/ltRxIHDevAxaUSefSbnhsPJFeoOt+7
        2vnfIXRwDpEKffFf3Qg/fCc=
X-Received: by 2002:a17:902:bc89:b029:e9:2cd7:382e with SMTP id bb9-20020a170902bc89b02900e92cd7382emr1061664plb.68.1617761954814;
        Tue, 06 Apr 2021 19:19:14 -0700 (PDT)
Received: from nuc.c.rabbit-hole-integration-007.internal ([202.133.196.154])
        by smtp.gmail.com with ESMTPSA id x19sm19646288pfc.152.2021.04.06.19.19.11
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 06 Apr 2021 19:19:13 -0700 (PDT)
From:   Du Cheng <ducheng2@gmail.com>
To:     Johannes Berg <johannes@sipsolutions.net>
Cc:     linux-wireless@vger.kernel.org,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Shuah Khan <skhan@linuxfoundation.org>,
        Du Cheng <ducheng2@gmail.com>,
        syzbot+5f9392825de654244975@syzkaller.appspotmail.com
Subject: [PATCH] net: wireless: convert WARN_ON() to pr_warn() in cfg80211_sme_connect
Date:   Wed,  7 Apr 2021 10:19:03 +0800
Message-Id: <20210407021903.384158-1-ducheng2@gmail.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

A WARN_ON(wdev->conn) would trigger in cfg80211_sme_connect(), if
multiple send_msg() system calls are made from the userland, which
should be anticipated and handled by the wireless driver. Convert this
WARN() to pr_warn to prevent a kernel panic if kernel is configured to
"panic on warn".

Bug reported by syzbot.

Reported-by: syzbot+5f9392825de654244975@syzkaller.appspotmail.com
Signed-off-by: Du Cheng <ducheng2@gmail.com>
---
link to syzkaller:
https://syzkaller.appspot.com/bug?extid=5f9392825de654244975
this patch has passed syzbot test.
 net/wireless/sme.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 07756ca5e3b5..87a65a4c40ae 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -529,8 +529,10 @@ static int cfg80211_sme_connect(struct wireless_dev *wdev,
 		cfg80211_sme_free(wdev);
 	}
 
-	if (WARN_ON(wdev->conn))
+	if (wdev->conn) {
+		pr_warn("%s: wdev->conn != NULL, sme connect in progress", __func__);
 		return -EINPROGRESS;
+	}
 
 	wdev->conn = kzalloc(sizeof(*wdev->conn), GFP_KERNEL);
 	if (!wdev->conn)
-- 
2.30.2