Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp3262096lqo;
        Wed, 15 May 2024 04:53:33 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXhl2X3GFAqGpZgqgG6uhtMPKmTTwjs6W7G7M3uRQIzkrTDaqNTomkccc1oOKjXZJgFKPfDnd4KMMoOxU07blKRZJtyMrOgruqur2FU0g==
X-Google-Smtp-Source: AGHT+IF6GevJ/08D4DyNIohiHACPTNBwq+/77t9Qgn6okPDoPl56br5MhU8pecJZYjKK/eIU8PeL
X-Received: by 2002:a17:902:a98b:b0:1e5:28cd:4ef9 with SMTP id d9443c01a7336-1ef43e25328mr149243865ad.30.1715774013155;
        Wed, 15 May 2024 04:53:33 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715774013; cv=pass;
        d=google.com; s=arc-20160816;
        b=DesvJSpxTFKtv+Ml6Ck3Hka45LpkrFHd1cTs/9vG7ob6l0tw/tDXGmPxEtjbhMBguR
         +KLQl4Q/65OlyuOh9Tq+bHGijW16Rlk973b28ygEpQPX8MVbpKENTqkCYste7kBE2EiY
         mFPPm5hv+fAG6lvZNg6h7tzN9Y8fnQCDOp8cHRc4HaVFI7SeGpMsSsAevi6GYgfPGoFB
         OVHrYAOSCmUVqLSbUtrnhSzuGtgh41BC82Zu/B4j0UQRicBXh889YQFil2yAT0emBpvc
         xy43qV1UDbZoSQb+2gm3/rUqETj8mdeO97eIZNzUt8+MFlBWz0RIGpNuy871bHaCC1Jq
         VxsQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=5WnmkJFj+rsESnSmD7hvH+HuBu8gCHaMVTynHZk4ed8=;
        fh=fd9c4gpfl4/MX+2pQV+h8De75E4WwGSG67f3qkxFCkw=;
        b=NiruomPbTR/nO8zrGX5bUIWFmu7euhlM3SMiBNgV5BPl4mMu8aKzNaeNIMpAMgwv+l
         9k5B//PqTgCjXuwVIR0pt+N5j5vwMXfQ0djG4t2N3wprUV7AaSB7mM3Y2Ez9WJOrWV1L
         H7zAh/QO3kEgYREN5d1FPnadxFj3IjL/B0kZzB7z0a6w1R/7gVb0FyZdiOEVwm58ycMc
         3eId6kWnQMesl3dqtldTuEyY9ZeWib3F823bjG/6SCMjNE+xC2/V5GZ49UwTtBKxrpC0
         1gR6CroutSjyzi51zWSiJg+WRIw3/lNjuthcEJ64LeCIbcJ8R/Gc+tdJO5GUytgB0UJE
         CAtQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@sipsolutions.net header.s=mail header.b=StEGbr+A;
       arc=pass (i=1 spf=pass spfdomain=sipsolutions.net dkim=pass dkdomain=sipsolutions.net dmarc=pass fromdomain=sipsolutions.net);
       spf=pass (google.com: domain of linux-wireless+bounces-7683-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-7683-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net
Return-Path: <linux-wireless+bounces-7683-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id d9443c01a7336-1ef0b9d0aa5si137495405ad.45.2024.05.15.04.53.32
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 15 May 2024 04:53:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless+bounces-7683-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sipsolutions.net header.s=mail header.b=StEGbr+A;
       arc=pass (i=1 spf=pass spfdomain=sipsolutions.net dkim=pass dkdomain=sipsolutions.net dmarc=pass fromdomain=sipsolutions.net);
       spf=pass (google.com: domain of linux-wireless+bounces-7683-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-wireless+bounces-7683-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id C7D74B22B79
	for <linux.lists.archive@gmail.com>; Wed, 15 May 2024 11:53:29 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 7D73F6EB4D;
	Wed, 15 May 2024 11:53:25 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=sipsolutions.net header.i=@sipsolutions.net header.b="StEGbr+A"
X-Original-To: linux-wireless@vger.kernel.org
Received: from sipsolutions.net (s3.sipsolutions.net [168.119.38.16])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id B902F14AB4
	for <linux-wireless@vger.kernel.org>; Wed, 15 May 2024 11:53:23 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.38.16
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715774005; cv=none; b=MWSry1xdnmMa+BatH74tv4mzIOxb+P9Dvfocmh80GumgkovBNUf93H1wiuUEvUs7ZiDNApr+UROxbX+sqxsg1E75YGslFzSUKq6Hnx2cTduEjFKPyJbz46yaPxi4EovfT2KakNO69sqqZDnPIUz1MGaY1jZKnwo+JRSfwwKyzVI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715774005; c=relaxed/simple;
	bh=pVNDgRz398dZgAEB3vrq6vXgyyNug5BUTd0OcYkFOlY=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=IcvCSnZbcxZtR5BaxZCacqxMKmkvlXIU06p8oWXXkB4mAA2VpedGoJF7RnkO/DxQXSSaLne7q9C9fPF7Q/CMVzInfTv+P+7NWVfp+xldVU9uYq12RCNwh7+4Xxmh+G3JqBm2KaL3Z9hfTMmwcgtzYSZJ49X8hi+vrRwN+6FpHuQ=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=sipsolutions.net; spf=pass smtp.mailfrom=sipsolutions.net; dkim=pass (2048-bit key) header.d=sipsolutions.net header.i=@sipsolutions.net header.b=StEGbr+A; arc=none smtp.client-ip=168.119.38.16
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=sipsolutions.net
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sipsolutions.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=sipsolutions.net; s=mail; h=Content-Transfer-Encoding:MIME-Version:
	Message-ID:Date:Subject:Cc:To:From:Content-Type:Sender:Reply-To:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-To:Resent-Cc:
	Resent-Message-ID:In-Reply-To:References;
	bh=5WnmkJFj+rsESnSmD7hvH+HuBu8gCHaMVTynHZk4ed8=; t=1715774003; x=1716983603; 
	b=StEGbr+Aqhdmwa9UmXlLM8MYpWBrTSo6oSxC0pIVtbQz90iZvz/PCLlNVXMpUqD4AdGyVtUDvwV
	WgTJHnpSQGx+fwlTdrMymBCUoMzlLprBp/EIFlw4ux1V3k7PGLsHo/DIaD7WOlS+scDdQhAu3e6Uk
	NB2YkajxtAdjgZpxMzwUFKO0H7102Pr9uOY4cNwGYlFCkNx5MAp0FDzy/JI3mI1sSoWZoplkheXDl
	8Lp8jubrlasl0vJ5QmgmZxSUtZZUHOFx72FS4sHIu1kE/ptdX+ktF1Dinu5eDfYdggCeEEMJAFhGw
	eydqW9d4cFIET4iBbZVzI3rh55vWQvLknF5g==;
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.97)
	(envelope-from <johannes@sipsolutions.net>)
	id 1s7DCC-00000006OBC-2fW9;
	Wed, 15 May 2024 13:53:20 +0200
From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>,
	syzbot+8830db5d3593b5546d2e@syzkaller.appspotmail.com
Subject: [PATCH] wifi: mac80211: handle tasklet frames before stopping
Date: Wed, 15 May 2024 13:53:19 +0200
Message-ID: <20240515135318.b05f11385c9a.I41c1b33a2e1814c3a7ef352cd7f2951b91785617@changeid>
X-Mailer: git-send-email 2.45.0
Precedence: bulk
X-Mailing-List: linux-wireless@vger.kernel.org
List-Id: <linux-wireless.vger.kernel.org>
List-Subscribe: <mailto:linux-wireless+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-wireless+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Johannes Berg <johannes.berg@intel.com>

The code itself doesn't want to handle frames from the driver
if it's already stopped, but if the tasklet was queued before
and runs after the stop, then all bets are off. Flush queues
before actually stopping, RX should be off at this point since
all the interfaces are removed already, etc.

Reported-by: syzbot+8830db5d3593b5546d2e@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/ieee80211_i.h |  2 ++
 net/mac80211/main.c        | 10 ++++++++--
 net/mac80211/util.c        |  2 ++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index eb62b7d4b4f7..3cedfdc9099b 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1845,6 +1845,8 @@ void ieee80211_link_info_change_notify(struct ieee80211_sub_if_data *sdata,
 void ieee80211_configure_filter(struct ieee80211_local *local);
 u64 ieee80211_reset_erp_info(struct ieee80211_sub_if_data *sdata);
 
+void ieee80211_handle_queued_frames(struct ieee80211_local *local);
+
 u64 ieee80211_mgmt_tx_cookie(struct ieee80211_local *local);
 int ieee80211_attach_ack_skb(struct ieee80211_local *local, struct sk_buff *skb,
 			     u64 *cookie, gfp_t gfp);
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 4eaea0a9975b..1132dea0e290 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -423,9 +423,8 @@ u64 ieee80211_reset_erp_info(struct ieee80211_sub_if_data *sdata)
 	       BSS_CHANGED_ERP_SLOT;
 }
 
-static void ieee80211_tasklet_handler(struct tasklet_struct *t)
+void ieee80211_handle_queued_frames(struct ieee80211_local *local)
 {
-	struct ieee80211_local *local = from_tasklet(local, t, tasklet);
 	struct sk_buff *skb;
 
 	while ((skb = skb_dequeue(&local->skb_queue)) ||
@@ -450,6 +449,13 @@ static void ieee80211_tasklet_handler(struct tasklet_struct *t)
 	}
 }
 
+static void ieee80211_tasklet_handler(struct tasklet_struct *t)
+{
+	struct ieee80211_local *local = from_tasklet(local, t, tasklet);
+
+	ieee80211_handle_queued_frames(local);
+}
+
 static void ieee80211_restart_work(struct work_struct *work)
 {
 	struct ieee80211_local *local =
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 0b893e958959..283bfc99417e 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1567,6 +1567,8 @@ u32 ieee80211_sta_get_rates(struct ieee80211_sub_if_data *sdata,
 
 void ieee80211_stop_device(struct ieee80211_local *local)
 {
+	ieee80211_handle_queued_frames(local);
+
 	ieee80211_led_radio(local, false);
 	ieee80211_mod_tpt_led_trig(local, 0, IEEE80211_TPT_LEDTRIG_FL_RADIO);
 
-- 
2.45.0