From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: Jiazi Li, Jiazi Li, Johannes Berg
Subject: [PATCH] wifi: cfg80211: make hash table duplicates more survivable
Date: Fri, 7 Jun 2024 20:17:17 +0200
Message-ID: <20240607181726.36835-2-johannes@sipsolutions.net>

Jiazi Li reported that they occasionally see hash table duplicates
as evidenced by the WARN_ON() in rb_insert_bss() in this code. It
isn't clear how that happens, nor have I been able to reproduce it,
but if it does happen, the kernel crashes later, when it tries to
unhash the entry that's now not hashed.

Try to make this situation more survivable by removing the BSS from
the list(s) as well, that way it's fully leaked here (as had been
the intent in the hash insert error path), and no longer reachable
through the list(s) so it shouldn't be unhashed again later.

Link: https://lore.kernel.org/r/20231026013528.GA24122@Jiazi.Li
Signed-off-by: Johannes Berg
---
 net/wireless/scan.c | 46 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 127853877a0a..f02e8880da50 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1589,7 +1589,7 @@ struct cfg80211_bss *__cfg80211_get_bss(struct wiphy *wiphy, } EXPORT_SYMBOL(__cfg80211_get_bss); -static void rb_insert_bss(struct cfg80211_registered_device *rdev, +static bool rb_insert_bss(struct cfg80211_registered_device *rdev, struct cfg80211_internal_bss *bss) { struct rb_node **p = &rdev->bss_tree.rb_node; @@ -1605,7 +1605,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev, if (WARN_ON(!cmp)) { /* will sort of leak this BSS */ - return; + return false; } if (cmp < 0) @@ -1616,6 +1616,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev, rb_link_node(&bss->rbn, parent, p); rb_insert_color(&bss->rbn, &rdev->bss_tree); + return true; } static struct cfg80211_internal_bss * @@ -1642,6 +1643,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev, return NULL; } +static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev, + struct cfg80211_internal_bss *bss) +{ + lockdep_assert_held(&rdev->bss_lock); + + if (!rb_insert_bss(rdev, bss)) + return; + list_add_tail(&bss->list, &rdev->bss_list); + rdev->bss_entries++; +} + +static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev, + struct cfg80211_internal_bss *bss) +{ + lockdep_assert_held(&rdev->bss_lock); + + rb_erase(&bss->rbn, &rdev->bss_tree); + if (!rb_insert_bss(rdev, bss)) { + list_del(&bss->list); + if (!list_empty(&bss->hidden_list)) + list_del_init(&bss->hidden_list); + if (!list_empty(&bss->pub.nontrans_list)) + list_del_init(&bss->pub.nontrans_list); + rdev->bss_entries--; + } + rdev->bss_generation++; +} + static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, struct cfg80211_internal_bss *new) { @@ -1954,9 +1983,7 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev, bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); } - list_add_tail(&new->list, &rdev->bss_list); - rdev->bss_entries++; - rb_insert_bss(rdev, new); + cfg80211_insert_bss(rdev, new); found = new; } 
@@ -3333,19 +3360,14 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) rdev->bss_generation++; } - - rb_erase(&cbss->rbn, &rdev->bss_tree); - rb_insert_bss(rdev, cbss); - rdev->bss_generation++; + cfg80211_rehash_bss(rdev, cbss); list_for_each_entry_safe(nontrans_bss, tmp, &cbss->pub.nontrans_list, nontrans_list) { bss = bss_from_pub(nontrans_bss); bss->pub.channel = chan; - rb_erase(&bss->rbn, &rdev->bss_tree); - rb_insert_bss(rdev, bss); - rdev->bss_generation++; + cfg80211_rehash_bss(rdev, bss); } done: -- 2.45.2
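Review bot: in the @@ -1605 hunk, the comment "will sort of leak this BSS" above `return false;` no longer describes the contract, since the leak is now completed (or avoided) by the caller. Please update it to say that the caller must keep the entry off the lists when false is returned, and consider marking rb_insert_bss() __must_check so a future caller cannot silently ignore the result again.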
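Review bot: in the failure branch of cfg80211_rehash_bss() (@@ -1642 hunk), `list_del(&bss->list);` leaves poisoned pointers in an entry that callers still hold, while hidden_list and nontrans_list two lines below use list_del_init(). Using list_del_init() for bss->list as well would keep the leaked entry in a consistent state. The branch also has no comment saying that the entry is leaked on purpose, which the commit message explains but the code does not.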
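Review bot: in the @@ -1954 hunk, __cfg80211_bss_update() cannot tell that the insert failed, because cfg80211_insert_bss() returns void; `found = new;` still runs and the function carries on with an entry that is in neither bss_tree nor bss_list and was not counted in bss_entries. The bss_ref_get() on the transmitted BSS just above is also kept in that case. Either propagate the bool and handle the failure here, or add a comment stating why continuing with the unlinked entry is safe.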
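Review bot: in the @@ -3333 hunk, if cfg80211_rehash_bss(rdev, cbss) takes its failure branch it runs list_del_init(&cbss->pub.nontrans_list), so the list_for_each_entry_safe() loop that follows sees an empty head and is skipped. The non-transmitted entries then never get `bss->pub.channel = chan;` and are never rehashed, so they stay in bss_tree under the old key. Walk the nontrans list before rehashing cbss, or have cfg80211_rehash_bss() return the result so this caller can decide what to do with the children. It would also help to note in a comment that the loop depends on the _safe iterator, because the rehash of each child may remove it from nontrans_list.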