Date: Mon, 9 Jan 2023 15:05:47 +0100
From: Alexander Wetzel
Subject: Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
To: Guenter Roeck, Wen Gong
Cc: johannes@sipsolutions.net, ath11k@lists.infradead.org, linux-wireless@vger.kernel.org

On 05.01.23 06:26, Guenter Roeck wrote:
> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>> which is already freed. If it run into the "goto out" after arrived to
>> label "begin", then it will return a sk_buff which is freed, it is a
>> risk for use-after-free.
>>
>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
>> Signed-off-by: Wen Gong
>
> I don't see any progress on this patch. Is there a problem with it ?
> Did it get lost ?
>

Looks ok for me. But I just noticed that my patch
https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
should also fix the issue as an unintended side effect.

Alexander

> Thanks,
> Guenter
>
>> ---
>> net/mac80211/tx.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>>
>> base-commit: 922932ca02191a390f7f52fb6e21c44b50e14025
>>
>> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
>> index 2171cd1ca807..0b23cc9ab9c7 100644
>> --- a/net/mac80211/tx.c >> +++ b/net/mac80211/tx.c >> @@ -3776,7 +3776,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, >> struct ieee80211_local *local = hw_to_local(hw); >> struct txq_info *txqi = container_of(txq, struct txq_info, txq); >> struct ieee80211_hdr *hdr; >> - struct sk_buff *skb = NULL; >> + struct sk_buff *skb; >> struct fq *fq = &local->fq; >> struct fq_tin *tin = &txqi->tin; >> struct ieee80211_tx_info *info; >> @@ -3790,6 +3790,8 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw, >> return NULL; >> >> begin: >> + skb = NULL; >> + >> spin_lock_bh(&fq->lock); >> >> if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
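Review bot: in the first hunk (@@ -3776), dropping the "= NULL" initializer from "struct sk_buff *skb" leaves the pointer uninitialized from its declaration until the "begin:" label, so the function stays safe only while no path reaches the exit without passing "begin:". The one exit visible before the label is "return NULL;", which does not read skb, so this is correct as posted, but keeping the initializer costs nothing and guards against a later change that adds an early jump to the exit path. Suggest keeping "struct sk_buff *skb = NULL;" and adding the reset at "begin:" on top of it.

Review bot: in the second hunk (@@ -3790), the new "skb = NULL;" under "begin:" carries no comment explaining why a local is re-assigned at a retry label, which makes it easy to drop as redundant in a later cleanup. Suggest a one-line comment such as "/* skb from a previous pass may already be freed */", or alternatively clearing the pointer directly after the ieee80211_free_txskb() call named in the commit message, so the invalidation sits next to the free.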