Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp895289pxf;
        Wed, 7 Apr 2021 14:24:44 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxBjTUpB0A0r53eThqi78MItouRR6uFfrquDokTti9EeWuLnPSsB1z2BWDFwHn3yBgS1IG6
X-Received: by 2002:a92:340e:: with SMTP id b14mr4337220ila.285.1617830684631;
        Wed, 07 Apr 2021 14:24:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617830684; cv=none;
        d=google.com; s=arc-20160816;
        b=dhkKCzFl/f8tQqpR2zZEnoFSj5M0ovfZ+Rk/iB6QNlCKG0y6IEG4IoMQLhrQO0aoHI
         guc88lCmkpXcZR1sBN+QU4L1OyB8YiXGkwixQlQuzSUm9INoa2exZc/zG6HiEb2K3Mj1
         RgdiumATCY6Zq6XDJXf/Uwgp/4rlnHh7dOFT3qG92wFppOuP4OmdFmzyXA/Mk2+h7YQi
         1nV2UGdXGmTbusR0UKaRiLmW0W7apHseKz1rM9eohzEZo+MITAz0SzdzoebUSKfceW+y
         7RIfNkX1blUx1oeUkrvTc5crtLgMLShxCL3OjUDENzlVhREySNeskhKHeYew5jFSU6S2
         x3Sg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id;
        bh=QZTtdfbp0hKKzeEA5oeLryqyYOoAJsUkhzsEUr5u5bs=;
        b=RQbkIQ+wquEFSaGKkoFdIchZlfxsfx/bt3Zkc7wPqeMpNyb9VzRACqGNrebz9qNuv3
         JrqzjHFGQ9Q74pqCY5on4afmzhAoQX+mUZucK7+e3JmomowyOEPuImktXIHfLsLLmTc0
         j1wQLFpB+/nFIEcKQaAt0jd8paoZ6MHbLdE9FusK9dRRqcneJBUbs9fanyebjwGZLBDf
         B1kvRp0Wwmwu09YjGaHvns91s9ZcyKuhvi5N6wc8gi4QOrJMz3gXHtDQNkNPrZNDib+U
         ADKi2ofkwNX8EJb4xqd3YwW8pXnIotTGzd6q3unpM5m08WCGj3ikvn+WIaonq7mWb02a
         q3PA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x14si3750026jat.96.2021.04.07.14.24.31;
        Wed, 07 Apr 2021 14:24:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1347309AbhDGPvf (ORCPT <rfc822;benjamin.aschenbrenner@gmail.com>
        + 99 others); Wed, 7 Apr 2021 11:51:35 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37986 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1353883AbhDGPvZ (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Wed, 7 Apr 2021 11:51:25 -0400
Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6A532C06175F
        for <linux-wireless@vger.kernel.org>; Wed,  7 Apr 2021 08:51:15 -0700 (PDT)
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
        (Exim 4.94)
        (envelope-from <johannes@sipsolutions.net>)
        id 1lUASQ-008ckl-R4; Wed, 07 Apr 2021 17:51:06 +0200
Message-ID: <043656c28804db4f8c3dfc9eae5a599ac3a357c7.camel@sipsolutions.net>
Subject: Re: [PATCH] net: wireless: convert WARN_ON() to pr_warn() in
 cfg80211_sme_connect
From:   Johannes Berg <johannes@sipsolutions.net>
To:     Du Cheng <ducheng2@gmail.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc:     linux-wireless@vger.kernel.org,
        Shuah Khan <skhan@linuxfoundation.org>,
        syzbot+5f9392825de654244975@syzkaller.appspotmail.com
Date:   Wed, 07 Apr 2021 17:51:05 +0200
In-Reply-To: <YG3UGW+rLM52/t2V@carbon> (sfid-20210407_174743_958166_F348F0E2)
References: <20210407021903.384158-1-ducheng2@gmail.com>
         <YG1JDsaRpws1FkzI@kroah.com> <YG3UGW+rLM52/t2V@carbon>
         (sfid-20210407_174743_958166_F348F0E2)
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.4 (3.38.4-1.fc33) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-malware-bazaar: not-scanned
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Hi,

> I have spent some time to understand the netlink subsystem as a IPC mechanism.
> What I have now is a reliable sequence of steps to reproduce the crash, by
> condensing the syzkaller C reproducer:
> [link to reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1414c997900000]
> 
> * hwsim80211_create_device (sendmsg: HWSIM_CMD_NEW_RADIO)
> * nl80211_set_interface (sendmsg: NL80211_CMD_SET_INTERFACE)
> * set_interface_state (ioctl: SIOCSIFFLAGS)
> * nl80211_join_ibss (sendmsg: NL80211_CMD_JOIN_IBSS)
> * sendmsg: NL80211_CMD_SET_INTERFACE
> * 1st sendmsg: NL80211_CMD_CONNECT
> * 2nd sendmsg: NL80211_CMD_CONNECT <- this triggers the WARN_ON(wdev->conn)
> * (if kernel not panic yet) more sendmsg: NL80211_CMD_CONNECT ...
> 
> If the code skips WARN_ON() and instead returns -EINPROGRESS, user application
> will receive error from the following recv(sock, ...). User application can hence
> choose to handle this error accordingly while kernel soldiers on without panicking.
> 
> If dev_warn() is added, for every subsequent NL80211_CMD_CONNECT, the console is
> flooded with the printout.
> 
> Maybe it is ok to silently return -EINPROGRESS for the 2nd NL80211_CMD_CONNECT
> and beyond.
> 

Yeah, I think the right thing to do is to just drop the WARN_ON
entirely. In fact, I can't really seem to figure out now why it was
added there (even if I probably did that myself), nothing else seems to
prevent getting to this code path multiple times directly one after
another.

johannes