Date: Mon, 4 Jul 2022 17:43:54 +0900
Message-Id: <20220704084354.3556326-1-jeongik@google.com>
Subject: [PATCH v1] wifi: mac80211_hwsim: fix race condition in pending packet
From: Jeongik Cha
To: Johannes Berg, Kalle Valo, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: adelva@google.com, kernel-team@android.com, jaeman@google.com, Jeongik Cha, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org

A pending packet uses a cookie as a unique key, but it can be duplicated
because it didn't use atomic operators.

And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
due to a race condition with mac80211_hwsim_stop.

For this,
* Use an atomic type and operator for a cookie
* Add a lock around the loop for pending packets

Signed-off-by: Jeongik Cha
--- drivers/net/wireless/mac80211_hwsim.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/m= ac80211_hwsim.c index c5bb97b381cf..ea006248ffcd 100644 --- a/drivers/net/wireless/mac80211_hwsim.c 
+++ b/drivers/net/wireless/mac80211_hwsim.c @@ -687,7 +687,7 @@ struct mac80211_hwsim_data { bool ps_poll_pending; struct dentry *debugfs; =20 - uintptr_t pending_cookie; + atomic64_t pending_cookie; struct sk_buff_head pending; /* packets pending */ /* * Only radios in the same group can communicate together (the @@ -1358,7 +1358,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee802= 11_hw *hw, int i; struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES]; struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES]; - uintptr_t cookie; + u64 cookie; =20 if (data->ps !=3D PS_DISABLED) hdr->frame_control |=3D cpu_to_le16(IEEE80211_FCTL_PM); @@ -1427,8 +1427,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee802= 11_hw *hw, goto nla_put_failure; =20 /* We create a cookie to identify this skb */ - data->pending_cookie++; - cookie =3D data->pending_cookie; + cookie =3D (u64)atomic64_inc_return(&data->pending_cookie); info->rate_driver_data[0] =3D (void *)cookie; if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD)) goto nla_put_failure; @@ -4178,6 +4177,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_= buff *skb_2, const u8 *src; unsigned int hwsim_flags; int i; + unsigned long flags; bool found =3D false; =20 if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] || 
@@ -4205,18 +4205,20 @@ static int hwsim_tx_info_frame_received_nl(struct s= k_buff *skb_2, } =20 /* look for the skb matching the cookie passed back from user */ + spin_lock_irqsave(&data2->pending.lock, flags); skb_queue_walk_safe(&data2->pending, skb, tmp) { u64 skb_cookie; =20 txi =3D IEEE80211_SKB_CB(skb); - skb_cookie =3D (u64)(uintptr_t)txi->rate_driver_data[0]; + skb_cookie =3D (u64)txi->rate_driver_data[0]; =20 if (skb_cookie =3D=3D ret_skb_cookie) { - skb_unlink(skb, &data2->pending); + __skb_unlink(skb, &data2->pending); found =3D true; break; } } + spin_unlock_irqrestore(&data2->pending.lock, flags); =20 /* not found */ if (!found) --=20 2.37.0.rc0.161.g10f37bed90-goog
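
Review bot: info->rate_driver_data[0] = (void *)cookie; in the @@ -1427,8 +1427,7 @@ hunk of mac80211_hwsim_tx_frame_nl() now casts a u64 directly to a pointer. On a 32-bit build that cast warns about mismatched sizes and stores only the low 32 bits, while nla_put_u64_64bit() still sends the full 64-bit value in HWSIM_ATTR_COOKIE, so once the counter passes 32 bits the cookie returned by user space can no longer match the one kept with the skb. Suggest a counter no wider than a pointer (the old uintptr_t wrapped consistently on both sides), or at least cast through (uintptr_t) and put the same truncated value into the netlink attribute.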
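
Review bot: skb_cookie = (u64)txi->rate_driver_data[0]; in the @@ -4205,18 +4205,20 @@ hunk of hwsim_tx_info_frame_received_nl() drops the intermediate (uintptr_t) cast, so a pointer is converted straight to a 64-bit integer, which warns on 32-bit builds; keep (u64)(uintptr_t). The locking itself would also benefit from a short comment above spin_lock_irqsave(&data2->pending.lock, flags) saying which concurrent path on the pending queue it guards against, since the commit message names mac80211_hwsim_stop but no line of this patch touches that function.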