From: Wen Gong <quic_wgong@quicinc.com>
To: Felix Fietkau <nbd@nbd.name>, <linux-wireless@vger.kernel.org>
Cc: <johannes@sipsolutions.net>, <ath11k@lists.infradead.org>,
<johannes.berg@intel.com>
Subject: Re: [PATCH 4/5] mac80211: run late dequeue late tx handlers without holding fq->lock
Date: Wed, 7 Dec 2022 14:30:45 +0800
Message-ID: <a918d3ee-edc7-b6a2-d15a-e0d77f0683e2@quicinc.com>
In-Reply-To: <9bce39db-1de4-f129-8d2f-77f51a64a5db@quicinc.com>
Hi Johannes,
Do you know it?
On 12/5/2022 5:46 PM, Wen Gong wrote:
> On 3/17/2019 1:06 AM, Felix Fietkau wrote:
>> Reduces lock contention on enqueue/dequeue of iTXQ packets
>>
>> Signed-off-by: Felix Fietkau <nbd@nbd.name>
>> ---
>> net/mac80211/tx.c | 10 ++++++++--
>> 1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
>> index 8127e43e12b1..f85344c9af62 100644
>> --- a/net/mac80211/tx.c
>> +++ b/net/mac80211/tx.c
>> @@ -3544,6 +3544,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct
>> ieee80211_hw *hw,
>> ieee80211_tx_result r;
>> struct ieee80211_vif *vif = txq->vif;
>> +begin:
>> spin_lock_bh(&fq->lock);
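Review bot: placing `begin:` ahead of the early-exit checks while `skb` is not reset on the retry path means a `goto out` taken after a jump back to `begin:` returns whatever `skb` held before the retry; in this dequeue loop that is the buffer just handed to ieee80211_free_txskb(), so either add `skb = NULL;` directly after the label or clear `skb` before the `goto begin`, so the stopped-queue exits return NULL instead of a freed buffer.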
> Maybe use-after-free will happen?
>
> You can see ieee80211_tx_dequeue() in tx.c as below: after
> ieee80211_free_txskb(), it will goto begin.
> If goto out happens in the check below, then the skb which was freed will
> be returned, and use-after-free will happen.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/tree/net/mac80211/tx.c?id=ded4698b58cb23c22b0dcbd829ced19ce4e6ce02#n3538
>
> begin:
>     spin_lock_bh(&fq->lock);
>
>     if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
>         test_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags))
>         goto out;
>
>     if (vif->txqs_stopped[ieee80211_ac_from_tid(txq->tid)]) {
>         set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags);
>         goto out;
>     }
>
>     /* Make sure fragments stay together. */
>     skb = __skb_dequeue(&txqi->frags);
>     if (skb)
>         goto out;
>
>     skb = fq_tin_dequeue(fq, tin, fq_tin_dequeue_func);
>     if (!skb)
>         goto out;
>
>     spin_unlock_bh(&fq->lock);
>
> Maybe "skb = NULL;" should be added after "begin:".
>
> ...
>
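The retry path described in the reply above, reduced to a constructed C model added here (it is not mac80211 code and not from anyone in the thread): the queue, lock and stop flag are stand-ins, `reset_on_retry` toggles the proposed `skb = NULL;` after the label, and `stop_on_drop` stands in for the queue being stopped while the dropped packet is freed.

```c
/* Constructed model of the retry path discussed above; not mac80211 code.
 * Queue, lock and stop flag are simplified to isolate the control flow. */
#include <stdbool.h>
#include <stddef.h>
struct pkt { int id; bool drop; bool freed; };

struct txq {
    struct pkt *items[4];
    int head, count;
    bool stop;          /* models the TXQ_STOP bit tested after begin: */
    bool stop_on_drop;  /* test hook: stop the queue while a packet is freed */
};

/* reset_on_retry adds the proposed "skb = NULL;" right after the label. */
static struct pkt *dequeue(struct txq *q, bool reset_on_retry)
{
    struct pkt *skb = NULL;
begin:
    if (reset_on_retry)
        skb = NULL;
    /* spin_lock_bh(&fq->lock) would be taken here */
    if (q->stop)
        goto out;                   /* returns whatever skb still holds */
    skb = q->head < q->count ? q->items[q->head++] : NULL;
    if (!skb)
        goto out;
    /* spin_unlock_bh(&fq->lock): late tx handlers run without the lock */
    if (skb->drop) {
        skb->freed = true;          /* models ieee80211_free_txskb(skb) */
        if (q->stop_on_drop)
            q->stop = true;         /* queue gets stopped while unlocked */
        goto begin;                 /* skb still points at the freed packet */
    }
    return skb;
out:
    return skb;
}

static struct pkt pool[2];   /* static so returned pointers stay valid in tests */

/* Two packets, the first marked for dropping; stop_race stops the queue during the drop. */
static struct pkt *run_scenario(bool reset_on_retry, bool stop_race)
{
    struct txq q = { .head = 0, .count = 2, .stop = false, .stop_on_drop = stop_race };
    pool[0] = (struct pkt){ .id = 1, .drop = true };
    pool[1] = (struct pkt){ .id = 2 };
    q.items[0] = &pool[0];
    q.items[1] = &pool[1];
    return dequeue(&q, reset_on_retry);
}
```

Without the reset, the raced case returns the packet that was already marked freed; with it, the same case returns NULL while the normal path still hands back the second packet.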