From: Felix Fietkau
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net
Subject: [PATCH] mac80211: do not wake queues on a vif that is being stopped
Date: Tue, 31 May 2022 21:08:24 +0200
Message-Id: <20220531190824.60019-1-nbd@nbd.name>

When a vif is being removed and sdata->bss is cleared, __ieee80211_wake_txqs can still be called on it, which crashes as soon as sdata->bss is being dereferenced. To fix this properly, check for SDATA_STATE_RUNNING before waking queues, and take the fq lock when setting it (to ensure that __ieee80211_wake_txqs observes the change when running on a different CPU)

Signed-off-by: Felix Fietkau

--- net/mac80211/iface.c | 2 ++ net/mac80211/util.c | 3 +++ 2 files changed, 5 insertions(+) diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 41531478437c..15a73b7fdd75 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c
@@ -377,7 +377,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do bool cancel_scan; struct cfg80211_nan_func *func; + spin_lock_bh(&local->fq.lock); clear_bit(SDATA_STATE_RUNNING, &sdata->state); + spin_unlock_bh(&local->fq.lock); cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata; if (cancel_scan) diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 1e26b5235add..dad42d42aa84 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -301,6 +301,9 @@ static void __ieee80211_wake_txqs(struct ieee80211_sub_if_data *sdata, int ac) local_bh_disable(); spin_lock(&fq->lock); + if (!test_bit(SDATA_STATE_RUNNING, &sdata->state)) + goto out; + if (sdata->vif.type == NL80211_IFTYPE_AP) ps = &sdata->bss->ps; -- 2.36.1
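Review bot: In the net/mac80211/iface.c hunk, the new spin_lock_bh(&local->fq.lock) / spin_unlock_bh(&local->fq.lock) pair in ieee80211_do_stop() wraps a single clear_bit(), which is already atomic, so the reason for taking the lock is not evident from the code alone. Please add a short comment at that spot saying that the lock serializes the clear against the test_bit(SDATA_STATE_RUNNING, &sdata->state) check that __ieee80211_wake_txqs() performs while holding fq->lock. Without it, a later cleanup could drop the lock as redundant and reopen the race the commit message describes.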
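Review bot: In the net/mac80211/util.c hunk, the new early exit "goto out" in __ieee80211_wake_txqs() is taken after both local_bh_disable() and spin_lock(&fq->lock), and the out label is outside the lines shown here. Please confirm that the label releases fq->lock and re-enables bottom halves, since otherwise this path returns with the lock held and BHs disabled. A one-line comment above the test_bit() check stating that it protects the sdata->bss dereference just below would also help, and because the commit message describes a crash, a Fixes: tag naming the commit that introduced the unguarded dereference would make backporting easier.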