From: Ping-Ke Shih
To: Zhengchao Shao, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, johannes@sipsolutions.net, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
CC: toke@kernel.org, alexander@wetzel-home.de, nbd@nbd.name, weiyongjun1@huawei.com, yuehaibing@huawei.com
Subject: RE: [PATCH net,v2] wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()
Date: Wed, 26 Oct 2022 05:46:00 +0000
Message-ID: <147c69bcc88f4cb28774bd60346325ff@realtek.com>
References: <20221026024703.150668-1-shaozhengchao@huawei.com>
In-Reply-To: <20221026024703.150668-1-shaozhengchao@huawei.com>
X-Mailing-List: linux-wireless@vger.kernel.org

> -----Original Message-----
> From: Zhengchao Shao
> Sent: Wednesday, October 26, 2022 10:47 AM
> To: linux-wireless@vger.kernel.org; netdev@vger.kernel.org; johannes@sipsolutions.net;
> davem@davemloft.net; edumazet@google.com; kuba@kernel.org; pabeni@redhat.com
> Cc: toke@kernel.org; alexander@wetzel-home.de; nbd@nbd.name; weiyongjun1@huawei.com;
> yuehaibing@huawei.com; shaozhengchao@huawei.com
> Subject: [PATCH net,v2] wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()
>
> When the device is running and the interface status is changed, the gpf issue
> is triggered. The problem triggering process is as follows:
> Thread A:                            Thread B
> ieee80211_runtime_change_iftype()    process_one_work()
> ...                                  ...
> ieee80211_do_stop()                  ...
> ...                                  ...
> sdata->bss = NULL                    ...
> ...                                  ieee80211_subif_start_xmit()
>                                      ieee80211_multicast_to_unicast
>                                      //!sdata->bss->multicast_to_unicast
>                                      cause gpf issue
>
> When the interface status is changed, the sending queue continues to send
> packets. After the bss is set to NULL, the bss is accessed. As a result,
> this causes a general-protection-fault issue.
>
> The following is the stack information:
> general protection fault, probably for non-canonical address
> 0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
> Workqueue: mld mld_ifc_work
> RIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310
> Call Trace:
>
> dev_hard_start_xmit+0x1be/0x990
> __dev_queue_xmit+0x2c9a/0x3b60
> ip6_finish_output2+0xf92/0x1520
> ip6_finish_output+0x6af/0x11e0
> ip6_output+0x1ed/0x540
> mld_sendpack+0xa09/0xe70
> mld_ifc_work+0x71c/0xdb0
> process_one_work+0x9bf/0x1710
> worker_thread+0x665/0x1080
> kthread+0x2e4/0x3a0
> ret_from_fork+0x1f/0x30
>
>
> Fixes: f856373e2f31 ("wifi: mac80211: do not wake queues on a vif that is being stopped")
> Reported-by: syzbot+c6e8fca81c294fd5620a@syzkaller.appspotmail.com
> Signed-off-by: Zhengchao Shao
> ---
> net/mac80211/tx.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
> index a364148149f9..c38485f39d2b 100644
> --- a/net/mac80211/tx.c
> +++ b/net/mac80211/tx.c
> @@ -4418,6 +4418,11 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
> if (likely(!is_multicast_ether_addr(eth->h_dest)))
> goto normal;
>
> + if (unlikely(!ieee80211_sdata_running(sdata))) {
> + kfree_skb(skb);
> + return NETDEV_TX_OK;
> + }
> +

The indent looks odd. It seems like you use spaces instead of tabs?

> if (unlikely(ieee80211_multicast_to_unicast(skb, dev))) {
> struct sk_buff_head queue;
>
> --
> 2.17.1
>
>

------Please consider the environment before printing this e-mail.
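Review bot: The new `ieee80211_sdata_running(sdata)` check at the top of the hunk is not ordered against the stop path it is meant to guard, so it narrows the window but does not close it: per the thread diagram in the commit message, `ieee80211_do_stop()` clears `sdata->bss` concurrently with this xmit, and nothing in the hunk prevents the interface from going down between the running check and the later `sdata->bss->multicast_to_unicast` dereference inside `ieee80211_multicast_to_unicast()`. Please either explain in the commit message what ordering (queue stop, RCU grace period, or lock) makes the check sufficient, or make the multicast-to-unicast path itself tolerate a cleared `bss` so the NULL dereference cannot recur after a late stop. Also, since only the multicast branch is covered, state why the `normal` path that unicast frames take via `goto normal;` does not need the same protection.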