From: Zqiang
To: johannes@sipsolutions.net
Cc: linux-kernel@vger.kernel.org, qiang.zhang@linux.dev, qiang.zhang1211@gmail.com, syzbot+b59873f5699e941717ca@syzkaller.appspotmail.com
Subject: [PATCH] wifi: mac80211: Fix suspicious RCU usage in ieee80211_mesh_csa_beacon()
Date: Sat, 22 Nov 2025 14:06:13 +0800
Message-ID: <20251122060614.148101-1-qiang.zhang@linux.dev>

The ieee80211_mesh_csa_beacon() is protected by the wiphy->mtx lock; this commit therefore uses sdata_dereference() instead of rcu_dereference() to get ifmsh->csa, to fix the following warnings:

net/mac80211/mesh.c:1571 suspicious rcu_dereference_check() usage!

Call Trace:
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 lockdep_rcu_suspicious+0x140/0x1d0 kernel/locking/lockdep.c:6876
 ieee80211_mesh_csa_beacon+0x280/0x2c0 net/mac80211/mesh.c:1571
 ieee80211_set_csa_beacon+0x3cc/0x9a0 net/mac80211/cfg.c:4288
 __ieee80211_channel_switch net/mac80211/cfg.c:4406 [inline]
 ieee80211_channel_switch+0x8ef/0xcb0 net/mac80211/cfg.c:4442
 rdev_channel_switch+0x108/0x290 net/wireless/rdev-ops.h:1116
 nl80211_channel_switch+0xac9/0xd70 net/wireless/nl80211.c:11475
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x830 net/socket.c:2630
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
__sys_sendmsg net/socket.c:2716 [inline] __do_sys_sendmsg net/socket.c:2721 [inline] __se_sys_sendmsg net/socket.c:2719 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Reported-by: syzbot+b59873f5699e941717ca@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3Db59873f5699e941717ca Signed-off-by: Zqiang --- net/mac80211/mesh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index f37068a533f4..97eb19416e23 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -1568,7 +1568,7 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if= _data *sdata, =20 ret =3D ieee80211_mesh_rebuild_beacon(sdata); if (ret) { - tmp_csa_settings =3D rcu_dereference(ifmsh->csa); + tmp_csa_settings =3D sdata_dereference(ifmsh->csa, sdata); RCU_INIT_POINTER(ifmsh->csa, NULL); kfree_rcu(tmp_csa_settings, rcu_head); return ret; --=20 2.48.1
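
Review bot: the tag block has Reported-by, Closes and Signed-off-by but no Fixes: tag, so there is nothing to tell stable maintainers which commit introduced the rcu_dereference() in the "if (ret)" error path of ieee80211_mesh_csa_beacon(); please add one. The replacement itself fits the context: the pointer is read only to be cleared with RCU_INIT_POINTER() and handed to kfree_rcu(), which is an update-side access, and the splat shows the call arriving from the nl80211_channel_switch() path with no RCU read-side section. The commit message asserts that wiphy->mtx is held here without saying where in that call chain it is taken; a sentence naming the caller that takes it would let a reader verify the claim from the trace. If the function does not already assert the lock on entry, a lockdep assertion at the top would document the same requirement for the other ifmsh->csa accesses in the function.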