Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp943101pxb; Fri, 22 Apr 2022 14:59:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx+ZCx+r7t+AudfU8ek9j8nVlNhzKBDe0c2aixv3LbbBtNnvYccDbMEo8Jy8k+GGNfGxpXZ X-Received: by 2002:a63:358c:0:b0:39c:c97a:ee80 with SMTP id c134-20020a63358c000000b0039cc97aee80mr5621957pga.7.1650664788246; Fri, 22 Apr 2022 14:59:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650664788; cv=none; d=google.com; s=arc-20160816; b=c9FnY3iyvdSphlMAR7qIFbf1Fqz/RlcIy1DZF+0SEFfFB/xySOBIa332NLFR+oJMun Ib0Frw6rJO3oXYcqvKEZlk66yeyIfIbPBBGAJ3m9vNz3G/uLyhW47T3taWtIlOsFqphu WG+dbhXHQ6Y6lMNC+R6uGzt0D9L/L561iU6vo9rqGh/ADzADbMgcApE3I1+bB9K1R8pI FUBrCRbggT40h6jfnp4zad0MehcclF3XgTAlb7nhJ1kqQMQc5LONwTBzn0Ojy4qSGy8W DojDp80eh9QKCNmcK/q87hmi/zILw4EozIZTTkMA+r031rIEAE3TGG9cEw3P/dn5DR9H 8frg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:subject :from:references:cc:to:content-language:user-agent:mime-version:date :message-id:dkim-signature; bh=xrdUu+yKR208snaeMzpnrs+5q8YWPSlam6DSqshiSeE=; b=p6m8Uum3MMVwirn0Tst6oICHyfcaBR1xYII+vu1IRRgsKIUS3OUYozEYOE6Ev8hF3d cYflGV/khEsbbnDo50bEaKb32vN6h4ooxIstiDcvswo7uimK9LRktOTOhWjKfIQD+3UK gq1W3219a64D0aAJuGbTF2U0/89W4tRzheJXnexVRbbsZwjif2nveaP3e6T7qWfVa0g+ 9bA6Ul9kKGJwAPHFDcNaneIPmRT5BdIVjBAapIyeKd+hglmGloYphLhAt/0LKNBJbB86 hG2uTO9lfaNKT9QsxmX6YNeJE/swKFwK/vvRXPGCtqQZu6lQd/iovWr3QLGhyyIFDP8m 4nTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@nbd.name header.s=20160729 header.b="PUVXTLo/"; spf=softfail (google.com: domain of transitioning linux-wireless-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id lp10-20020a17090b4a8a00b001cb774b33b6si9420489pjb.142.2022.04.22.14.59.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Apr 2022 14:59:48 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-wireless-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=fail header.i=@nbd.name header.s=20160729 header.b="PUVXTLo/"; spf=softfail (google.com: domain of transitioning linux-wireless-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E7B03249B49; Fri, 22 Apr 2022 13:07:56 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377704AbiDTKn0 (ORCPT + 66 others); Wed, 20 Apr 2022 06:43:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352334AbiDTKnZ (ORCPT ); Wed, 20 Apr 2022 06:43:25 -0400 Received: from nbd.name (nbd.name [IPv6:2a01:4f8:221:3d45::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DAC58B7D7 for ; Wed, 20 Apr 2022 03:40:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name; s=20160729; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject: From:References:Cc:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=xrdUu+yKR208snaeMzpnrs+5q8YWPSlam6DSqshiSeE=; b=PUVXTLo/6+1yhdJtiTu2sJ1hpg NdlydQPxXhonjWFfR+xs2fIETB7bHCvCUIDTLbW/bpkI/soiKk1djeaiW4gTGVTvbHqlUJF+62Lbj rcUL5TnoxMNY+4jr5YWXcr9gwL8jdLDFKpirp36XdWVb7VArC7cWFVZK5qOgj2xB7fzs=; Received: from p200300daa70ef200009e86881025829d.dip0.t-ipconnect.de ([2003:da:a70e:f200:9e:8688:1025:829d] helo=nf.local) by ds12 with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from ) id 1nh7lE-0004wA-4s; Wed, 20 Apr 2022 12:40:36 +0200 Message-ID: Date: Wed, 20 Apr 2022 12:40:35 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Content-Language: en-US To: Bo Jiao Cc: linux-wireless , Ryder Lee , Sujuan Chen , Shayne Chen , Evelyn Tsai , linux-mediatek References: <20220420031451.6770-1-bo.jiao@mediatek.com> From: Felix Fietkau Subject: Re: [PATCH] mt76: mt7915: fix msta->wcid use-after-free in mt76_tx_status_check() In-Reply-To: <20220420031451.6770-1-bo.jiao@mediatek.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On 20.04.22 05:14, Bo Jiao wrote: > From: Bo Jiao > > fix msta->wcid use-after-free in mt76_tx_status_check when the sta > has been removed. > > Signed-off-by: Bo Jiao > --- > drivers/net/wireless/mediatek/mt76/mt7915/main.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c > index 800f720..160d80e 100644 > --- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c > +++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c > @@ -701,6 +701,11 @@ void mt7915_mac_sta_remove(struct mt76_dev *mdev, struct ieee80211_vif *vif, > if (!list_empty(&msta->rc_list)) > list_del_init(&msta->rc_list); > spin_unlock_bh(&dev->sta_poll_lock); > + > + spin_lock_bh(&mdev->status_lock); > + if (!list_empty(&msta->wcid.list)) > + list_del_init(&msta->wcid.list); > + spin_unlock_bh(&mdev->status_lock); I'm trying to figure out where this use-after-free bug is coming from, and I can't seem to find the cause of it. Some context: mt7915_mac_sta_remove is called by __mt76_sta_remove, which also calls mt76_packet_id_flush afterwards. mt76_packet_id_flush calls mt76_tx_status_skb_get in a way that makes it iterate over all pending tx status packets and clearing them from the idr. If the idr is empty afterwards, it calls list_del_init(&wcid->list). The only way I can see your patch making a difference would be if clearing the idr fails. That could happen if for some unknown reason, cb->pktid is out of sync with the id that was used to add the packet to the idr. Can you please try the patch below and see if it avoids use-after-free issues and if it also shows the warning I added? Thanks, - Felix --- --- a/drivers/net/wireless/mediatek/mt76/tx.c +++ b/drivers/net/wireless/mediatek/mt76/tx.c @@ -181,7 +181,8 @@ mt76_tx_status_skb_get(struct mt76_dev *dev, struct mt76_wcid *wcid, int pktid, /* It has been too long since DMA_DONE, time out this packet * and stop waiting for TXS callback. */ - idr_remove(&wcid->pktid, cb->pktid); + WARN(id != cb->pktid, "Packet id %d does not match idr id %d\n", cb->pktid, id); + idr_remove(&wcid->pktid, id); __mt76_tx_status_skb_done(dev, skb, MT_TX_CB_TXS_FAILED | MT_TX_CB_TXS_DONE, list); }