net/mac80211/tx.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-)
From: Jiri Kosina <jkosina@suse.cz>
ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
but none of the callers seems to be taking RCU read-side lock; let's
acquire the lock in ieee80211_tx_h_select_key() itself.
Spotted with rtw89 driver.
This fixes the splat below.
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:593 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x2c0/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:607 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x464/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Fixes: a0761a301746e ("mac80211: drop data frames without key on encrypted links")
Fixes: 46f6b06050b73 ("mac80211: Encrypt "Group addressed privacy" action frames")
Fixes: 3cfcf6ac6d69d ("mac80211: 802.11w - Use BIP (AES-128-CMAC)")
Fixes: f7e0104c1a4e7 ("mac80211: support separate default keys")
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
Unless I am missing something, this seems to have been buggy for over a
decade ... ?
net/mac80211/tx.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 6d054fed062f..50b33ef70627 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -580,6 +580,7 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx)
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
{
+ int ret;
struct ieee80211_key *key;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
@@ -589,6 +590,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
return TX_CONTINUE;
}
+ rcu_read_lock();
+
if (tx->sta &&
(key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
tx->key = key;
@@ -645,18 +648,23 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
}
if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
- !ieee80211_is_deauth(hdr->frame_control)))
- return TX_DROP;
+ !ieee80211_is_deauth(hdr->frame_control))) {
+ ret = TX_DROP;
+ goto out;
+ }
if (!skip_hw && tx->key &&
tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
info->control.hw_key = &tx->key->conf;
} else if (ieee80211_is_data_present(hdr->frame_control) && tx->sta &&
test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {
- return TX_DROP;
+ ret = TX_DROP;
+ goto out;
}
-
- return TX_CONTINUE;
+ ret = TX_CONTINUE;
+out:
+ rcu_read_unlock();
+ return ret;
}
static ieee80211_tx_result debug_noinline
--
Jiri Kosina
SUSE Labs
> > ieee80211_tx_h_select_key() is performing a series of RCU dereferences, > but none of the callers seems to be taking RCU read-side lock; let's > acquire the lock in ieee80211_tx_h_select_key() itself. > but but ... > ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365] > rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea] /** * ieee80211_tx_dequeue - dequeue a packet from a software tx queue * * @hw: pointer as obtained from ieee80211_alloc_hw() * @txq: pointer obtained from station or virtual interface, or from * ieee80211_next_txq() * * Returns the skb if successful, %NULL if no frame was available. * * Note that this must be called in an rcu_read_lock() critical section, * which can only be released after the SKB was handled. Some pointers in [...] -> driver bug? johannes
On Tue, 15 Feb 2022, Johannes Berg wrote:
> >
> > ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
> > but none of the callers seems to be taking RCU read-side lock; let's
> > acquire the lock in ieee80211_tx_h_select_key() itself.
> >
> but but ...
>
> > ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
> > rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
>
> /**
> * ieee80211_tx_dequeue - dequeue a packet from a software tx queue
> *
> * @hw: pointer as obtained from ieee80211_alloc_hw()
> * @txq: pointer obtained from station or virtual interface, or from
> * ieee80211_next_txq()
> *
> * Returns the skb if successful, %NULL if no frame was available.
> *
> * Note that this must be called in an rcu_read_lock() critical section,
> * which can only be released after the SKB was handled. Some pointers in
> [...]
>
> -> driver bug?
Right you are, thanks.
CCing Ping-Ke Shih; find updated fix below.
From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push()
ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
but rtw89_core_txq_push() is calling it (via ieee80211_tx_dequeue_ni())
without RCU read-side lock held; fix that.
This addresses the splat below.
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:593 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x2c0/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:607 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x464/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/net/wireless/realtek/rtw89/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index a0737eea9f81..9632e7f218dd 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -1509,11 +1509,12 @@ static void rtw89_core_txq_push(struct rtw89_dev *rtwdev,
unsigned long i;
int ret;
+ rcu_read_lock();
for (i = 0; i < frame_cnt; i++) {
skb = ieee80211_tx_dequeue_ni(rtwdev->hw, txq);
if (!skb) {
rtw89_debug(rtwdev, RTW89_DBG_TXRX, "dequeue a NULL skb\n");
- return;
+ goto out;
}
rtw89_core_txq_check_agg(rtwdev, rtwtxq, skb);
ret = rtw89_core_tx_write(rtwdev, vif, sta, skb, NULL);
@@ -1523,6 +1524,8 @@ static void rtw89_core_txq_push(struct rtw89_dev *rtwdev,
break;
}
}
+out:
+ rcu_read_unlock();
}
static u32 rtw89_check_and_reclaim_tx_resource(struct rtw89_dev *rtwdev, u8 tid)
--
Jiri Kosina
SUSE Labs
Jiri Kosina <jikos@kernel.org> writes: > On Tue, 15 Feb 2022, Johannes Berg wrote: > >> > >> > ieee80211_tx_h_select_key() is performing a series of RCU dereferences, >> > but none of the callers seems to be taking RCU read-side lock; let's >> > acquire the lock in ieee80211_tx_h_select_key() itself. >> > >> but but ... >> >> > ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365] >> > rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea] >> >> /** >> * ieee80211_tx_dequeue - dequeue a packet from a software tx queue >> * >> * @hw: pointer as obtained from ieee80211_alloc_hw() >> * @txq: pointer obtained from station or virtual interface, or from >> * ieee80211_next_txq() >> * >> * Returns the skb if successful, %NULL if no frame was available. >> * >> * Note that this must be called in an rcu_read_lock() critical section, >> * which can only be released after the SKB was handled. Some pointers in >> [...] >> >> -> driver bug? > > Right you are, thanks. > > CCing Ping-Ke Shih; find updated fix below. > > > > > From: Jiri Kosina <jkosina@suse.cz> > Subject: [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() > > ieee80211_tx_h_select_key() is performing a series of RCU dereferences, > but rtw89_core_txq_push() is calling it (via ieee80211_tx_dequeue_ni()) > without RCU read-side lock held; fix that. I think we have discussed this before, but patchwork can't handle patches the way you embed them in email discussions: https://patchwork.kernel.org/project/linux-wireless/patch/nycvar.YFH.7.76.2202151700540.11721@cbobk.fhfr.pm/ Please resubmit. -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
On Tue, 15 Feb 2022, Kalle Valo wrote: > I think we have discussed this before, but patchwork can't handle > patches the way you embed them in email discussions: > > https://patchwork.kernel.org/project/linux-wireless/patch/nycvar.YFH.7.76.2202151700540.11721@cbobk.fhfr.pm/ > > Please resubmit. Ok, I've resubmitted in a separate thread https://lore.kernel.org/r/nycvar.YFH.7.76.2202152037000.11721@cbobk.fhfr.pm Thanks, -- Jiri Kosina SUSE Labs
Hi Jiri,
I love your patch! Perhaps something to improve:
[auto build test WARNING on wireless-next/main]
[also build test WARNING on wireless/main jberg-mac80211-next/master jberg-mac80211/master v5.17-rc4 next-20220215]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Jiri-Kosina/mac80211-fix-RCU-usage-in-ieee80211_tx_h_select_key/20220215-234935
base: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
config: i386-randconfig-s002-20220214 (https://download.01.org/0day-ci/archive/20220216/202202160406.p1c7XduC-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.4-dirty
# https://github.com/0day-ci/linux/commit/cdfe17d7fc283e125686bdd9a6bbc6fd60909bd7
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Jiri-Kosina/mac80211-fix-RCU-usage-in-ieee80211_tx_h_select_key/20220215-234935
git checkout cdfe17d7fc283e125686bdd9a6bbc6fd60909bd7
# save the config file to linux build tree
mkdir build_dir
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=i386 SHELL=/bin/bash net/mac80211/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> net/mac80211/tx.c:652:29: sparse: sparse: incorrect type in assignment (different base types) @@ expected int ret @@ got restricted ieee80211_tx_result [usertype] @@
net/mac80211/tx.c:652:29: sparse: expected int ret
net/mac80211/tx.c:652:29: sparse: got restricted ieee80211_tx_result [usertype]
net/mac80211/tx.c:661:21: sparse: sparse: incorrect type in assignment (different base types) @@ expected int ret @@ got restricted ieee80211_tx_result [usertype] @@
net/mac80211/tx.c:661:21: sparse: expected int ret
net/mac80211/tx.c:661:21: sparse: got restricted ieee80211_tx_result [usertype]
net/mac80211/tx.c:664:13: sparse: sparse: incorrect type in assignment (different base types) @@ expected int ret @@ got restricted ieee80211_tx_result [usertype] @@
net/mac80211/tx.c:664:13: sparse: expected int ret
net/mac80211/tx.c:664:13: sparse: got restricted ieee80211_tx_result [usertype]
>> net/mac80211/tx.c:667:16: sparse: sparse: incorrect type in return expression (different base types) @@ expected restricted ieee80211_tx_result @@ got int ret @@
net/mac80211/tx.c:667:16: sparse: expected restricted ieee80211_tx_result
net/mac80211/tx.c:667:16: sparse: got int ret
vim +652 net/mac80211/tx.c
579
580 static ieee80211_tx_result debug_noinline
581 ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
582 {
583 int ret;
584 struct ieee80211_key *key;
585 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
586 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
587
588 if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) {
589 tx->key = NULL;
590 return TX_CONTINUE;
591 }
592
593 rcu_read_lock();
594
595 if (tx->sta &&
596 (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
597 tx->key = key;
598 else if (ieee80211_is_group_privacy_action(tx->skb) &&
599 (key = rcu_dereference(tx->sdata->default_multicast_key)))
600 tx->key = key;
601 else if (ieee80211_is_mgmt(hdr->frame_control) &&
602 is_multicast_ether_addr(hdr->addr1) &&
603 ieee80211_is_robust_mgmt_frame(tx->skb) &&
604 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
605 tx->key = key;
606 else if (is_multicast_ether_addr(hdr->addr1) &&
607 (key = rcu_dereference(tx->sdata->default_multicast_key)))
608 tx->key = key;
609 else if (!is_multicast_ether_addr(hdr->addr1) &&
610 (key = rcu_dereference(tx->sdata->default_unicast_key)))
611 tx->key = key;
612 else
613 tx->key = NULL;
614
615 if (tx->key) {
616 bool skip_hw = false;
617
618 /* TODO: add threshold stuff again */
619
620 switch (tx->key->conf.cipher) {
621 case WLAN_CIPHER_SUITE_WEP40:
622 case WLAN_CIPHER_SUITE_WEP104:
623 case WLAN_CIPHER_SUITE_TKIP:
624 if (!ieee80211_is_data_present(hdr->frame_control))
625 tx->key = NULL;
626 break;
627 case WLAN_CIPHER_SUITE_CCMP:
628 case WLAN_CIPHER_SUITE_CCMP_256:
629 case WLAN_CIPHER_SUITE_GCMP:
630 case WLAN_CIPHER_SUITE_GCMP_256:
631 if (!ieee80211_is_data_present(hdr->frame_control) &&
632 !ieee80211_use_mfp(hdr->frame_control, tx->sta,
633 tx->skb) &&
634 !ieee80211_is_group_privacy_action(tx->skb))
635 tx->key = NULL;
636 else
637 skip_hw = (tx->key->conf.flags &
638 IEEE80211_KEY_FLAG_SW_MGMT_TX) &&
639 ieee80211_is_mgmt(hdr->frame_control);
640 break;
641 case WLAN_CIPHER_SUITE_AES_CMAC:
642 case WLAN_CIPHER_SUITE_BIP_CMAC_256:
643 case WLAN_CIPHER_SUITE_BIP_GMAC_128:
644 case WLAN_CIPHER_SUITE_BIP_GMAC_256:
645 if (!ieee80211_is_mgmt(hdr->frame_control))
646 tx->key = NULL;
647 break;
648 }
649
650 if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
651 !ieee80211_is_deauth(hdr->frame_control))) {
> 652 ret = TX_DROP;
653 goto out;
654 }
655
656 if (!skip_hw && tx->key &&
657 tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
658 info->control.hw_key = &tx->key->conf;
659 } else if (ieee80211_is_data_present(hdr->frame_control) && tx->sta &&
660 test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {
661 ret = TX_DROP;
662 goto out;
663 }
664 ret = TX_CONTINUE;
665 out:
666 rcu_read_unlock();
> 667 return ret;
668 }
669
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
© 2016 - 2026 Red Hat, Inc.