* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
@ 2023-01-09 14:05 ` Alexander Wetzel
0 siblings, 0 replies; 12+ messages in thread
From: Alexander Wetzel @ 2023-01-09 14:05 UTC (permalink / raw)
To: Guenter Roeck, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 05.01.23 06:26, Guenter Roeck wrote:
> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>> which is already freed. If it run into the "goto out" after arrived to
>> label "begin", then it will return a sk_buff which is freed, it is a
>> risk for use-after-free.
>>
>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>
> I don't see any progress on this patch. Is there a problem with it ?
> Did it get lost ?
>
Looks ok for me. But I just noticed that my patch
https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
should also fix the issue as an unintended side effect.
Alexander
> Thanks,
> Guenter
>
>> ---
>> net/mac80211/tx.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>>
>> base-commit: 922932ca02191a390f7f52fb6e21c44b50e14025
>>
>> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
>> index 2171cd1ca807..0b23cc9ab9c7 100644
>> --- a/net/mac80211/tx.c
>> +++ b/net/mac80211/tx.c
>> @@ -3776,7 +3776,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>> struct ieee80211_local *local = hw_to_local(hw);
>> struct txq_info *txqi = container_of(txq, struct txq_info, txq);
>> struct ieee80211_hdr *hdr;
>> - struct sk_buff *skb = NULL;
>> + struct sk_buff *skb;
>> struct fq *fq = &local->fq;
>> struct fq_tin *tin = &txqi->tin;
>> struct ieee80211_tx_info *info;
>> @@ -3790,6 +3790,8 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>> return NULL;
>>
>> begin:
>> + skb = NULL;
>> +
>> spin_lock_bh(&fq->lock);
>>
>> if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
2023-01-09 14:05 ` Alexander Wetzel
@ 2023-01-09 14:22 ` Alexander Wetzel
-1 siblings, 0 replies; 12+ messages in thread
From: Alexander Wetzel @ 2023-01-09 14:22 UTC (permalink / raw)
To: Guenter Roeck, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 09.01.23 15:05, Alexander Wetzel wrote:
> On 05.01.23 06:26, Guenter Roeck wrote:
>> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>>> which is already freed. If it run into the "goto out" after arrived to
>>> label "begin", then it will return a sk_buff which is freed, it is a
>>> risk for use-after-free.
>>>
>>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers
>>> without holding fq->lock")
>>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>>
>> I don't see any progress on this patch. Is there a problem with it ?
>> Did it get lost ?
>>
>
> Looks ok for me. But I just noticed that my patch
> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
>
> should also fix the issue as an unintended side effect.
Sorry that statement was incomplete: It's only fixed when
https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
and
https://patchwork.kernel.org/project/linux-wireless/patch/20230106223141.98696-1-alexander@wetzel-home.de/
are applied.
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
@ 2023-01-09 14:22 ` Alexander Wetzel
0 siblings, 0 replies; 12+ messages in thread
From: Alexander Wetzel @ 2023-01-09 14:22 UTC (permalink / raw)
To: Guenter Roeck, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 09.01.23 15:05, Alexander Wetzel wrote:
> On 05.01.23 06:26, Guenter Roeck wrote:
>> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>>> which is already freed. If it run into the "goto out" after arrived to
>>> label "begin", then it will return a sk_buff which is freed, it is a
>>> risk for use-after-free.
>>>
>>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers
>>> without holding fq->lock")
>>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>>
>> I don't see any progress on this patch. Is there a problem with it ?
>> Did it get lost ?
>>
>
> Looks ok for me. But I just noticed that my patch
> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
>
> should also fix the issue as an unintended side effect.
Sorry that statement was incomplete: It's only fixed when
https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
and
https://patchwork.kernel.org/project/linux-wireless/patch/20230106223141.98696-1-alexander@wetzel-home.de/
are applied.
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
2023-01-09 14:22 ` Alexander Wetzel
@ 2023-01-09 15:43 ` Guenter Roeck
-1 siblings, 0 replies; 12+ messages in thread
From: Guenter Roeck @ 2023-01-09 15:43 UTC (permalink / raw)
To: Alexander Wetzel, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 1/9/23 06:22, Alexander Wetzel wrote:
> On 09.01.23 15:05, Alexander Wetzel wrote:
>> On 05.01.23 06:26, Guenter Roeck wrote:
>>> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>>>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>>>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>>>> which is already freed. If it run into the "goto out" after arrived to
>>>> label "begin", then it will return a sk_buff which is freed, it is a
>>>> risk for use-after-free.
>>>>
>>>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
>>>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>>>
>>> I don't see any progress on this patch. Is there a problem with it ?
>>> Did it get lost ?
>>>
>>
>> Looks ok for me. But I just noticed that my patch
>> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
>>
>> should also fix the issue as an unintended side effect.
>
> Sorry that statement was incomplete: It's only fixed when
> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
> and
> https://patchwork.kernel.org/project/linux-wireless/patch/20230106223141.98696-1-alexander@wetzel-home.de/
>
> are applied.
>
Ah, yes. That is indeed correct. Let's just hope those patches will apply (and are
going to be applied) to stable releases since this is a real problem there which
does cause UAF and crashes.
Guenter
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
@ 2023-01-09 15:43 ` Guenter Roeck
0 siblings, 0 replies; 12+ messages in thread
From: Guenter Roeck @ 2023-01-09 15:43 UTC (permalink / raw)
To: Alexander Wetzel, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 1/9/23 06:22, Alexander Wetzel wrote:
> On 09.01.23 15:05, Alexander Wetzel wrote:
>> On 05.01.23 06:26, Guenter Roeck wrote:
>>> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>>>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>>>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>>>> which is already freed. If it run into the "goto out" after arrived to
>>>> label "begin", then it will return a sk_buff which is freed, it is a
>>>> risk for use-after-free.
>>>>
>>>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
>>>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>>>
>>> I don't see any progress on this patch. Is there a problem with it ?
>>> Did it get lost ?
>>>
>>
>> Looks ok for me. But I just noticed that my patch
>> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
>>
>> should also fix the issue as an unintended side effect.
>
> Sorry that statement was incomplete: It's only fixed when
> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
> and
> https://patchwork.kernel.org/project/linux-wireless/patch/20230106223141.98696-1-alexander@wetzel-home.de/
>
> are applied.
>
Ah, yes. That is indeed correct. Let's just hope those patches will apply (and are
going to be applied) to stable releases since this is a real problem there which
does cause UAF and crashes.
Guenter
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
2023-01-09 14:05 ` Alexander Wetzel
@ 2023-01-09 15:39 ` Guenter Roeck
-1 siblings, 0 replies; 12+ messages in thread
From: Guenter Roeck @ 2023-01-09 15:39 UTC (permalink / raw)
To: Alexander Wetzel, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 1/9/23 06:05, Alexander Wetzel wrote:
> On 05.01.23 06:26, Guenter Roeck wrote:
>> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>>> which is already freed. If it run into the "goto out" after arrived to
>>> label "begin", then it will return a sk_buff which is freed, it is a
>>> risk for use-after-free.
>>>
>>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
>>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>>
>> I don't see any progress on this patch. Is there a problem with it ?
>> Did it get lost ?
>>
>
> Looks ok for me. But I just noticed that my patch
> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
>
> should also fix the issue as an unintended side effect.
>
Unless I am missing something, there is still a path
begin:
...
if (unlikely(test_bit(IEEE80211_TXQ_STOP, &txqi->flags)))
goto out;
...
skb = ...
...
ieee80211_free_txskb(&local->hw, skb);
goto begin;
after your patch is applied. Unless the IEEE80211_TXQ_STOP can never be true
after the first iteration I don't see how your patch would fix the problem.
Guenter
> Alexander
>
>> Thanks,
>> Guenter
>>
>>> ---
>>> net/mac80211/tx.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>>
>>> base-commit: 922932ca02191a390f7f52fb6e21c44b50e14025
>>>
>>> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
>>> index 2171cd1ca807..0b23cc9ab9c7 100644
>>> --- a/net/mac80211/tx.c
>>> +++ b/net/mac80211/tx.c
>>> @@ -3776,7 +3776,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>>> struct ieee80211_local *local = hw_to_local(hw);
>>> struct txq_info *txqi = container_of(txq, struct txq_info, txq);
>>> struct ieee80211_hdr *hdr;
>>> - struct sk_buff *skb = NULL;
>>> + struct sk_buff *skb;
>>> struct fq *fq = &local->fq;
>>> struct fq_tin *tin = &txqi->tin;
>>> struct ieee80211_tx_info *info;
>>> @@ -3790,6 +3790,8 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>>> return NULL;
>>> begin:
>>> + skb = NULL;
>>> +
>>> spin_lock_bh(&fq->lock);
>>> if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
>
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: [PATCH] wifi: mac80211: change initialize for sk_buff in ieee80211_tx_dequeue()
@ 2023-01-09 15:39 ` Guenter Roeck
0 siblings, 0 replies; 12+ messages in thread
From: Guenter Roeck @ 2023-01-09 15:39 UTC (permalink / raw)
To: Alexander Wetzel, Wen Gong; +Cc: johannes, ath11k, linux-wireless
On 1/9/23 06:05, Alexander Wetzel wrote:
> On 05.01.23 06:26, Guenter Roeck wrote:
>> On Mon, Dec 12, 2022 at 03:36:07AM -0500, Wen Gong wrote:
>>> The sk_buff is only set to NULL when initialize, sometimes it will goto
>>> label "begin" after ieee80211_free_txskb(), then it points to a sk_buff
>>> which is already freed. If it run into the "goto out" after arrived to
>>> label "begin", then it will return a sk_buff which is freed, it is a
>>> risk for use-after-free.
>>>
>>> Fixes: ded4698b58cb ("mac80211: run late dequeue late tx handlers without holding fq->lock")
>>> Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
>>
>> I don't see any progress on this patch. Is there a problem with it ?
>> Did it get lost ?
>>
>
> Looks ok for me. But I just noticed that my patch
> https://patchwork.kernel.org/project/linux-wireless/patch/20221230121850.218810-1-alexander@wetzel-home.de/
>
> should also fix the issue as an unintended side effect.
>
Unless I am missing something, there is still a path
begin:
...
if (unlikely(test_bit(IEEE80211_TXQ_STOP, &txqi->flags)))
goto out;
...
skb = ...
...
ieee80211_free_txskb(&local->hw, skb);
goto begin;
after your patch is applied. Unless the IEEE80211_TXQ_STOP can never be true
after the first iteration I don't see how your patch would fix the problem.
Guenter
> Alexander
>
>> Thanks,
>> Guenter
>>
>>> ---
>>> net/mac80211/tx.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>>
>>> base-commit: 922932ca02191a390f7f52fb6e21c44b50e14025
>>>
>>> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
>>> index 2171cd1ca807..0b23cc9ab9c7 100644
>>> --- a/net/mac80211/tx.c
>>> +++ b/net/mac80211/tx.c
>>> @@ -3776,7 +3776,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>>> struct ieee80211_local *local = hw_to_local(hw);
>>> struct txq_info *txqi = container_of(txq, struct txq_info, txq);
>>> struct ieee80211_hdr *hdr;
>>> - struct sk_buff *skb = NULL;
>>> + struct sk_buff *skb;
>>> struct fq *fq = &local->fq;
>>> struct fq_tin *tin = &txqi->tin;
>>> struct ieee80211_tx_info *info;
>>> @@ -3790,6 +3790,8 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
>>> return NULL;
>>> begin:
>>> + skb = NULL;
>>> +
>>> spin_lock_bh(&fq->lock);
>>> if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
>
^ permalink raw reply [flat|nested] 12+ messages in thread