From: Wen Gong <quic_wgong@quicinc.com>
To: Felix Fietkau <nbd@nbd.name>, <linux-wireless@vger.kernel.org>
Cc: <johannes@sipsolutions.net>, <ath11k@lists.infradead.org>,
<johannes.berg@intel.com>
Subject: Re: [PATCH 4/5] mac80211: run late dequeue late tx handlers without holding fq->lock
Date: Mon, 12 Dec 2022 16:31:26 +0800
Message-ID: <e42f6580-b113-46ed-2fc0-cf3cdc099c7b@quicinc.com>
In-Reply-To: <a918d3ee-edc7-b6a2-d15a-e0d77f0683e2@quicinc.com>
I will send a patch for it to avoid the potential use-after-free risk.
On 12/7/2022 2:30 PM, Wen Gong wrote:
> Hi Johannes,
>
> do you know it?
>
> On 12/5/2022 5:46 PM, Wen Gong wrote:
>> On 3/17/2019 1:06 AM, Felix Fietkau wrote:
>>> Reduces lock contention on enqueue/dequeue of iTXQ packets
>>>
>>> Signed-off-by: Felix Fietkau <nbd@nbd.name>
>>> ---
>>> net/mac80211/tx.c | 10 ++++++++--
>>> 1 file changed, 8 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
>>> index 8127e43e12b1..f85344c9af62 100644
>>> --- a/net/mac80211/tx.c
>>> +++ b/net/mac80211/tx.c
>>> @@ -3544,6 +3544,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct
>>> ieee80211_hw *hw,
>>> ieee80211_tx_result r;
>>> struct ieee80211_vif *vif = txq->vif;
>>> +begin:
>>> spin_lock_bh(&fq->lock);
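Review bot: the new `begin:` label is placed before `spin_lock_bh(&fq->lock);` without resetting `skb`, so a `goto begin` taken after the frame has already been passed to `ieee80211_free_txskb()` re-enters the function with `skb` still pointing at the freed buffer; if the `IEEE80211_TXQ_STOP` / `IEEE80211_TXQ_STOP_NETIF_TX` checks that follow the lock then take `goto out`, that stale pointer is what the caller receives. Suggest adding `skb = NULL;` directly after `begin:` (or clearing `skb` before every `goto begin`) so an early exit on the retry pass returns NULL rather than a freed skb.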
>> Maybe use-after-free will happen?
>>
>> You can see ieee80211_tx_dequeue() in tx.c as below: after
>> ieee80211_free_txskb(), it will goto begin.
>> If goto out happens in the check below, then the skb which is freed will
>> be returned, and use-after-free will happen.
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/tree/net/mac80211/tx.c?id=ded4698b58cb23c22b0dcbd829ced19ce4e6ce02#n3538
>>
>> begin:
>>     spin_lock_bh(&fq->lock);
>>
>>     if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
>>         test_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags))
>>         goto out;
>>
>>     if (vif->txqs_stopped[ieee80211_ac_from_tid(txq->tid)]) {
>>         set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags);
>>         goto out;
>>     }
>>
>>     /* Make sure fragments stay together. */
>>     skb = __skb_dequeue(&txqi->frags);
>>     if (skb)
>>         goto out;
>>
>>     skb = fq_tin_dequeue(fq, tin, fq_tin_dequeue_func);
>>     if (!skb)
>>         goto out;
>>
>>     spin_unlock_bh(&fq->lock);
>>
>> Maybe "skb = NULL;" should be added after "begin:".
>>
>> ...
>>
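The retry hazard described in the quoted reply, modelled as an added stand-alone C example (not mac80211 code): `tx_dequeue()` mirrors the quoted loop, and `reset_on_retry` selects between the loop as posted and the proposed `skb = NULL;` after `begin:`. The two-frame queue, the single failing late handler and the concurrent queue stop are constructed, and freeing is simulated by a flag so nothing dangling is dereferenced.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model of the ieee80211_tx_dequeue() retry loop quoted in the thread.
 * Constructed example, not the kernel's code: names mirror mac80211, but
 * "freeing" only sets a flag, so no dangling pointer is ever dereferenced. */
struct skb { int id; bool freed; };
struct txq {
    struct skb *pending[2];   /* frames waiting in the (modelled) fq */
    int npending;
    bool stopped;             /* models IEEE80211_TXQ_STOP being set */
    bool handler_drops_once;  /* models a late tx handler failing once */
};
static struct skb *fq_dequeue(struct txq *q) { return q->npending ? q->pending[--q->npending] : NULL; }
static void free_txskb(struct skb *skb) { skb->freed = true; }

/* reset_on_retry == false is the loop as quoted; true adds the "skb = NULL;"
 * after the begin: label that the reply proposes. */
static struct skb *tx_dequeue(struct txq *q, bool reset_on_retry)
{
    struct skb *skb = NULL;
begin:
    if (reset_on_retry)
        skb = NULL;
    /* spin_lock_bh(&fq->lock) would be taken here */
    if (q->stopped)
        goto out;             /* early exit returns whatever 'skb' holds */
    skb = fq_dequeue(q);
    if (!skb)
        goto out;
    /* lock dropped here; the late tx handlers run without fq->lock */
    if (q->handler_drops_once) {
        q->handler_drops_once = false;
        free_txskb(skb);
        q->stopped = true;    /* another context stops the queue meanwhile */
        goto begin;           /* 'skb' still points at the freed frame */
    }
    return skb;
out:
    /* spin_unlock_bh(&fq->lock) would happen here */
    return skb;
}

/* 0: NULL returned, 1: live frame returned, 2: freed frame returned (UAF) */
static int run_scenario(bool reset_on_retry)
{
    struct skb a = {1, false}, b = {2, false};
    struct txq q = {{&a, &b}, 2, false, true};
    struct skb *r = tx_dequeue(&q, reset_on_retry);
    return r == NULL ? 0 : (r->freed ? 2 : 1);
}
```

With the loop as posted, `run_scenario(false)` hands the freed frame back to the caller; with the reset after `begin:`, the stopped queue correctly yields NULL.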