diff options
| author | Michal Kazior <michal.kazior@tieto.com> | 2017-01-13 07:32:51 -0500 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2017-01-13 08:47:21 -0500 |
| commit | dbef53621116474bb883f76f0ba6b7640bc42332 (patch) | |
| tree | bf146f634cdb9db11cd5e692512fe08e248a0a98 | |
| parent | 43071d8fb3b7f589d72663c496a6880fb097533c (diff) | |
mac80211: prevent skb/txq mismatch
Station structure is considered as not uploaded
(to driver) until drv_sta_state() finishes. This
call is however done after the structure is
attached to mac80211 internal lists and hashes.
This means mac80211 can lookup (and use) station
structure before it is uploaded to a driver.
If this happens (structure exists, but
sta->uploaded is false) fast_tx path can still be
taken. Deep in the fastpath call the sta->uploaded
is checked against to derive "pubsta" argument for
ieee80211_get_txq(). If sta->uploaded is false
(and sta is actually non-NULL) ieee80211_get_txq()
effectively downgraded to vif->txq.
At first glance this may look innocent but coerces
mac80211 into a state that is almost guaranteed
(codel may drop offending skb) to crash because a
station-oriented skb gets queued up on
vif-oriented txq. The ieee80211_tx_dequeue() ends
up looking at info->control.flags and tries to use
txq->sta which in the fail case is NULL.
It's probably pointless to pretend one can
downgrade skb from sta-txq to vif-txq.
Since downgrading unicast traffic to vif->txq must
not be done there's no txq to put a frame on if
sta->uploaded is false. Therefore the code is made
to fall back to regular tx() op path if the
described condition is hit.
Only drivers using wake_tx_queue were affected.
Example crash dump before fix:
Unable to handle kernel paging request at virtual address ffffe26c
PC is at ieee80211_tx_dequeue+0x204/0x690 [mac80211]
[<bf4252a4>] (ieee80211_tx_dequeue [mac80211]) from
[<bf4b1388>] (ath10k_mac_tx_push_txq+0x54/0x1c0 [ath10k_core])
[<bf4b1388>] (ath10k_mac_tx_push_txq [ath10k_core]) from
[<bf4bdfbc>] (ath10k_htt_txrx_compl_task+0xd78/0x11d0 [ath10k_core])
[<bf4bdfbc>] (ath10k_htt_txrx_compl_task [ath10k_core])
[<bf51c5a4>] (ath10k_pci_napi_poll+0x54/0xe8 [ath10k_pci])
[<bf51c5a4>] (ath10k_pci_napi_poll [ath10k_pci]) from
[<c0572e90>] (net_rx_action+0xac/0x160)
Reported-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| -rw-r--r-- | net/mac80211/tx.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 0d8b716e509e..797e847cbc49 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c | |||
| @@ -1243,7 +1243,7 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata, | |||
| 1243 | 1243 | ||
| 1244 | static struct txq_info *ieee80211_get_txq(struct ieee80211_local *local, | 1244 | static struct txq_info *ieee80211_get_txq(struct ieee80211_local *local, |
| 1245 | struct ieee80211_vif *vif, | 1245 | struct ieee80211_vif *vif, |
| 1246 | struct ieee80211_sta *pubsta, | 1246 | struct sta_info *sta, |
| 1247 | struct sk_buff *skb) | 1247 | struct sk_buff *skb) |
| 1248 | { | 1248 | { |
| 1249 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; | 1249 | struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; |
| @@ -1257,10 +1257,13 @@ static struct txq_info *ieee80211_get_txq(struct ieee80211_local *local, | |||
| 1257 | if (!ieee80211_is_data(hdr->frame_control)) | 1257 | if (!ieee80211_is_data(hdr->frame_control)) |
| 1258 | return NULL; | 1258 | return NULL; |
| 1259 | 1259 | ||
| 1260 | if (pubsta) { | 1260 | if (sta) { |
| 1261 | u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK; | 1261 | u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK; |
| 1262 | 1262 | ||
| 1263 | txq = pubsta->txq[tid]; | 1263 | if (!sta->uploaded) |
| 1264 | return NULL; | ||
| 1265 | |||
| 1266 | txq = sta->sta.txq[tid]; | ||
| 1264 | } else if (vif) { | 1267 | } else if (vif) { |
| 1265 | txq = vif->txq; | 1268 | txq = vif->txq; |
| 1266 | } | 1269 | } |
| @@ -1503,23 +1506,17 @@ static bool ieee80211_queue_skb(struct ieee80211_local *local, | |||
| 1503 | struct fq *fq = &local->fq; | 1506 | struct fq *fq = &local->fq; |
| 1504 | struct ieee80211_vif *vif; | 1507 | struct ieee80211_vif *vif; |
| 1505 | struct txq_info *txqi; | 1508 | struct txq_info *txqi; |
| 1506 | struct ieee80211_sta *pubsta; | ||
| 1507 | 1509 | ||
| 1508 | if (!local->ops->wake_tx_queue || | 1510 | if (!local->ops->wake_tx_queue || |
| 1509 | sdata->vif.type == NL80211_IFTYPE_MONITOR) | 1511 | sdata->vif.type == NL80211_IFTYPE_MONITOR) |
| 1510 | return false; | 1512 | return false; |
| 1511 | 1513 | ||
| 1512 | if (sta && sta->uploaded) | ||
| 1513 | pubsta = &sta->sta; | ||
| 1514 | else | ||
| 1515 | pubsta = NULL; | ||
| 1516 | |||
| 1517 | if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) | 1514 | if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) |
| 1518 | sdata = container_of(sdata->bss, | 1515 | sdata = container_of(sdata->bss, |
| 1519 | struct ieee80211_sub_if_data, u.ap); | 1516 | struct ieee80211_sub_if_data, u.ap); |
| 1520 | 1517 | ||
| 1521 | vif = &sdata->vif; | 1518 | vif = &sdata->vif; |
| 1522 | txqi = ieee80211_get_txq(local, vif, pubsta, skb); | 1519 | txqi = ieee80211_get_txq(local, vif, sta, skb); |
| 1523 | 1520 | ||
| 1524 | if (!txqi) | 1521 | if (!txqi) |
| 1525 | return false; | 1522 | return false; |