Message ID | 20221104110856.364410-1-shaozhengchao@huawei.com
---|---
State | Superseded
Series | [net] wifi: mac80211: fix WARNING in ieee80211_link_info_change_notify()
On Fri, 2022-11-04 at 19:08 +0800, Zhengchao Shao wrote:
>
> The execution process is as follows:
> Thread A:
> ieee80211_open()
>   ieee80211_do_open()
>     drv_add_interface()    //set IEEE80211_SDATA_IN_DRIVER flag
> ...
> cfg80211_shutdown_all_interfaces()
> ...
> ieee80211_stop()
>   ieee80211_do_stop()
>     drv_remove_interface() //clear flag
> ...
> nl80211_set_mcast_rate()

How is that possible after the interface is no longer running? That seems to be the issue? I suppose that should be annotated to not be allowed?

johannes
diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 46f3eddc2388..8a727b532f77 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -284,6 +284,9 @@ void ieee80211_link_info_change_notify(struct ieee80211_sub_if_data *sdata, if (!changed || sdata->vif.type == NL80211_IFTYPE_AP_VLAN) return; + if (!ieee80211_sdata_running(sdata)) + return; + if (!check_sdata_in_driver(sdata)) return;
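Review bot: the added `if (!ieee80211_sdata_running(sdata)) return;` in ieee80211_link_info_change_notify() silences the check_sdata_in_driver() WARNING but does not address why nl80211_set_mcast_rate() can still reach mac80211 for an interface that has already been stopped, which is the point raised in the reply above. Consider rejecting the multicast-rate command for a non-running interface at the nl80211/cfg80211 entry point instead of adding a silent early return deep in the link-info notify path; if the early return is kept, add a comment explaining which callers are expected to arrive here with a stopped sdata, since a silent return also drops legitimate BSS-info changes for any other caller that hits this path during teardown.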
Syz reports the following WARNING:

wlan0: Failed check-sdata-in-driver check, flags: 0x0
WARNING: CPU: 3 PID: 5384 at net/mac80211/main.c:287 ieee80211_link_info_change_notify+0x1c2/0x230
Modules linked in:
RIP: 0010:ieee80211_link_info_change_notify+0x1c2/0x230
Call Trace:
<TASK>
ieee80211_set_mcast_rate+0x3e/0x50
nl80211_set_mcast_rate+0x316/0x650
genl_family_rcv_msg_doit+0x20b/0x300
genl_rcv_msg+0x39f/0x6a0
netlink_rcv_skb+0x13b/0x3b0
genl_rcv+0x24/0x40
netlink_unicast+0x4a2/0x740
netlink_sendmsg+0x83e/0xce0
sock_sendmsg+0xc5/0x100
____sys_sendmsg+0x583/0x690
___sys_sendmsg+0xe8/0x160
__sys_sendmsg+0xbf/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>

The execution process is as follows:
Thread A:
ieee80211_open()
  ieee80211_do_open()
    drv_add_interface()    //set IEEE80211_SDATA_IN_DRIVER flag
...
cfg80211_shutdown_all_interfaces()
...
ieee80211_stop()
  ieee80211_do_stop()
    drv_remove_interface() //clear flag
...
nl80211_set_mcast_rate()
  ieee80211_set_mcast_rate()
    ieee80211_link_info_change_notify()
      check_sdata_in_driver() //WARNING because flag is cleared

When the wlan device stops, the IEEE80211_SDATA_IN_DRIVER flag is cleared after the interface is removed. And then after the set mcast rate command is executed, a WARNING is generated because the flag bit is cleared.

Fixes: 591e73ee3f73 ("wifi: mac80211: properly skip link info driver update")
Reported-by: syzbot+bce2ca140cc00578ed07@syzkaller.appspotmail.com
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
 net/mac80211/main.c | 3 +++
 1 file changed, 3 insertions(+)