Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1906323pxb; Tue, 26 Oct 2021 19:16:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxewCLe1DA6eV4wZize9Pz9W/WZGURcZJqyR+nMOSV9h4b/TEhYO/WGp1wHPXNI/0mOwfET X-Received: by 2002:a17:907:971e:: with SMTP id jg30mr34889352ejc.375.1635300970799; Tue, 26 Oct 2021 19:16:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635300970; cv=none; d=google.com; s=arc-20160816; b=VrDTk1QEhn1jAfp35DTJG96+kBCr8gtRDDdWzj3/741Lu/2Q7jATKJ706KraVJfBBF yI6qNb359CpXsna+1pJY3dhG4xWuBvJ/Pq5G7aC8LAEtf27KOwSPYzHbXuQeIBQ/ka31 J1Y5PU3LbQY96nVosTqbWu8gZrQvLe+inlsfZinfR11PZ8uI6NWEYMO3Z/Z0sXF7vjDg cfIZK5oVyUnHJBR7n1gw4PbVB8aWfXPzdHJEfcbhXkSam+YljZQkna4xKc3449YIud1t a10i3pynzV2iOqAYNTaoe0BBAfb/PFdWkIfUM1b+bJS5deuqzD7tzq1HI2LPYfjWAGek I//Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=pfphubtXlVlvS9hX4ZJ7SgocMKfDYL4zV2zOpJgBDF0=; b=tBsVAPaUETcVvjf8Jpf53roqjDE3FXO2HETacxt+7mCZYqzFAtaI27buWIazqO5Xr7 pp1Spbqr7r0t7+8QXVmann3//ob9n9YHl/8iR3/TSnV5HQlzLKjNc9PQ/GctUeIas6SG 55aO1F0RbEZdcqxojSgqlYauB2aomSsG5SN1X5RR2xbOe7szDLgXId79lISxFESn1w8s JMh812VHHAuFahKGsTfxnTVRii7hfbNE2qIloZVPSFRkVtJHmVekd/7OFZ5tyl7b89r4 Fxg4AZW+0cjMflxvn2clGp58s5GShbCv8V3kufAejXV0l+lRuaa4DFH/Zqir+qnejpIx BxPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b=uoPmpMFs; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n18si1227225edw.329.2021.10.26.19.15.41; Tue, 26 Oct 2021 19:16:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@sipsolutions.net header.s=mail header.b=uoPmpMFs; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237785AbhJZRd1 (ORCPT + 67 others); Tue, 26 Oct 2021 13:33:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41596 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236343AbhJZRdZ (ORCPT ); Tue, 26 Oct 2021 13:33:25 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D0457C061745 for ; Tue, 26 Oct 2021 10:31:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sipsolutions.net; s=mail; h=Content-Transfer-Encoding:MIME-Version: Content-Type:References:In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-To: Resent-Cc:Resent-Message-ID; bh=pfphubtXlVlvS9hX4ZJ7SgocMKfDYL4zV2zOpJgBDF0=; t=1635269461; x=1636479061; b=uoPmpMFsD9kdTMUFldqWgP8l/6b/gA+UW3yOjZC68P0DOiL rUjFoSSFACKJMMhQkEPxvipGLgkr63PLjt8yXd4s9Ha4bjr/TCK2Wgpa29uEX5/C0uyJCn/QrsznK H+JuK7xsI1pnoqsLIJzNDlZSxXvRqG+p7fmQMHBnsz8SWE99l8FIQYyFZnSI2ImudP8Q5csayxM8+ HeN4bheKx8P8BfNt+ii0VTH68LOtX+NYgZECnsuNfvHypr0u+ZxGJZLfHFdlGqfN6c3PHd/nbLMYU I6UoIRhRZcjY5HVTLIKWlYtWz5E31l0oFIO97r64gU3R8+sVqMJS4db+PQBiqrSg==; Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.95) (envelope-from ) id 1mfQHr-007Ch8-Gg; Tue, 26 Oct 2021 19:30:59 +0200 Message-ID: <6c757e851f2cac76b0e63e10cc6aabe1839f07aa.camel@sipsolutions.net> Subject: Re: [RFC v2] mac80211: fix rx blockack session race condition From: Johannes Berg To: Jean-Pierre TOSONI Cc: "linux-wireless@vger.kernel.org" Date: Tue, 26 Oct 2021 19:30:58 +0200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.4 (3.38.4-1.fc33) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-malware-bazaar: not-scanned Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Tue, 2021-10-26 at 14:19 +0000, Jean-Pierre TOSONI wrote: > When used with ath10k, the following may happen: > a) radio card firmware receives ADDBA-REQ from peer > b) radio sends back ADDBA-RESP to peer and signals the ath10k driver > c) ath10k calls back ieee80211_manage_rx_ba_offl() in mac80211 >    to signal rx ba offloading > d) mac80211::agg-rx.c::ieee80211_manage_rx_ba_offl() >   d1) sets a flag: sta->ampdu_mlme.tid_rx_manage_offl >   d2) queues a call to ht.c::ieee80211_ba_session_work() > e) ...scheduler runs... > f) ht.c::ieee80211_ba_session_work() checks the flag, clears it >    and sets up the rx ba session. > > During (e), a fast peer may already have sent a BAREQ which is > propagated to rx.c::ieee80211_rx_h_ctrl(). Since the session is not > yet established, mac80211 sends back a DELBA to the peer, which can > hang the BA session. > > The phenomenon can be observed between two QCA988X fw 10.2.4 radios, > using a loop of associate/arping from client to AP/disconnect. After > a few thousand loops, arping does not get a response and a sniffer > detects a DELBA action frame from the client, following an ADDBA. > > Fix: > 1) check the offload flag in addition to the check for a valid >    aggregation session > 2) surround the checks with the existing dedicated mutex, to avoid >    interference from ieee80211_ba_session_work() during the check. > > Note 1: there is another dubious DELBA generation in > ieee80211_rx_reorder_ampdu(), where the same kind of fix should fit, > but I did not fix it since I knew no easy way to test. > > Note 2: this fix applies to wireless backports from 5.4-rc8. > --- > V2: remove debugging code leftovers, sorry for that > > Index: b/net/mac80211/rx.c > =================================================================== > --- a/net/mac80211/rx.c > +++ b/net/mac80211/rx.c > Index: bp/net/mac80211/rx.c > =================================================================== > --- bp.orig/net/mac80211/rx.c > +++ bp/net/mac80211/rx.c > @@ -3008,11 +3008,18 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_ >   > >   tid = le16_to_cpu(bar_data.control) >> 12; >   > > + mutex_lock(&rx->sta->ampdu_mlme.mtx); You cannot take a mutex in this context. johannes