linux-wireless.vger.kernel.org archive mirror
* [PATCH AUTOSEL 4.19 45/97] mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues
       [not found] <20181226223557.149329-1-sashal@kernel.org>
@ 2018-12-26 22:35 ` Sasha Levin
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 65/97] mac80211: fix a kernel panic when TXing after TXQ teardown Sasha Levin
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-12-26 22:35 UTC (permalink / raw)
  To: stable, linux-kernel
  Cc: Lorenzo Bianconi, Kalle Valo, Sasha Levin, linux-wireless, netdev

From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>

[ Upstream commit 7c250f4612ae97aa04500c0d0cff69bb87046e3a ]

Starting from mac80211 commit adf8ed01e4fd ("mac80211: add an optional
TXQ for other PS-buffered frames") and commit 0eeb2b674f05 ("mac80211:
add an option for station management TXQ") a new per-sta queue has been
introduced for bufferable management frames.
sta->txq[IEEE80211_NUM_TIDS] is initialized just if the driver reports
the following hw flags:
- IEEE80211_HW_STA_MMPDU_TXQ
- IEEE80211_HW_BUFF_MMPDU_TXQ
This can produce a NULL pointer dereference in mt76_stop_tx_queues
since mt76 iterates on all available sta tx queues assuming they are
initialized by mac80211. This issue has been spotted analyzing the code
(it has not triggered any crash yet).

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/tx.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
index af48d43bb7dc..20447fdce4c3 100644
--- a/drivers/net/wireless/mediatek/mt76/tx.c
+++ b/drivers/net/wireless/mediatek/mt76/tx.c
@@ -385,7 +385,12 @@ void mt76_stop_tx_queues(struct mt76_dev *dev, struct ieee80211_sta *sta,
 
 	for (i = 0; i < ARRAY_SIZE(sta->txq); i++) {
 		struct ieee80211_txq *txq = sta->txq[i];
-		struct mt76_txq *mtxq = (struct mt76_txq *) txq->drv_priv;
+		struct mt76_txq *mtxq;
+
+		if (!txq)
+			continue;
+
+		mtxq = (struct mt76_txq *)txq->drv_priv;
 
 		spin_lock_bh(&mtxq->hwq->lock);
 		mtxq->send_bar = mtxq->aggr && send_bar;
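Review bot: the guard `if (!txq) continue;` now precedes the `txq->drv_priv` dereference that the removed line performed inside the declaration, so the loop tolerates the uninitialized `sta->txq[IEEE80211_NUM_TIDS]` slot the commit message describes. Two follow-ups worth raising: a one-line comment above the check explaining why an entry of `sta->txq` can be NULL would stop a later cleanup from treating it as dead code, and, since the same mac80211 change affects every loop over `sta->txq` in this driver, the backport should confirm that any other such loop carries the same guard, as this hunk only covers `mt76_stop_tx_queues`.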
-- 
2.19.1



* [PATCH AUTOSEL 4.19 65/97] mac80211: fix a kernel panic when TXing after TXQ teardown
       [not found] <20181226223557.149329-1-sashal@kernel.org>
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 45/97] mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues Sasha Levin
@ 2018-12-26 22:35 ` Sasha Levin
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 80/97] nl80211: fix memory leak if validate_pae_over_nl80211() fails Sasha Levin
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 81/97] mac80211: free skb fraglist before freeing the skb Sasha Levin
  3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-12-26 22:35 UTC (permalink / raw)
  To: stable, linux-kernel
  Cc: Sara Sharon, Luca Coelho, Johannes Berg, Sasha Levin,
	linux-wireless, netdev

From: Sara Sharon <sara.sharon@intel.com>

[ Upstream commit a50e5fb8db83c5b57392204c21ea6c5c4ccefde6 ]

Recently TXQ teardown was moved earlier in ieee80211_unregister_hw(),
to avoid a use-after-free of the netdev data. However, interfaces
aren't fully removed at that point, and cfg80211_shutdown_all_interfaces
can, for example, TX a deauth frame. Move the TXQ teardown to the
point between cfg80211_shutdown_all_interfaces and the free of
netdev queues, so we can be sure they are torn down before netdev
is freed, but after there is no ongoing TX.

Fixes: 77cfaf52eca5 ("mac80211: Run TXQ teardown code before de-registering interfaces")
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/iface.c | 3 +++
 net/mac80211/main.c  | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 5f3c81e705c7..3a0171a65db3 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -7,6 +7,7 @@
  * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
  * Copyright (c) 2016        Intel Deutschland GmbH
+ * Copyright (C) 2018 Intel Corporation
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -1951,6 +1952,8 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
 	WARN(local->open_count, "%s: open count remains %d\n",
 	     wiphy_name(local->hw.wiphy), local->open_count);
 
+	ieee80211_txq_teardown_flows(local);
+
 	mutex_lock(&local->iflist_mtx);
 	list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
 		list_del(&sdata->list);
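Review bot: the new `ieee80211_txq_teardown_flows(local);` call sits after the `WARN(local->open_count, ...)` check and before the interface list is walked under `iflist_mtx`, but the visible context does not show the `cfg80211_shutdown_all_interfaces` call that the commit message relies on to guarantee there is no ongoing TX. A short comment at the call site stating that ordering requirement (teardown must follow the shutdown of all interfaces and precede the freeing of the netdevs) would make the dependency explicit, since the hunk gives a future reader no hint why the teardown belongs exactly here rather than in `ieee80211_unregister_hw()`.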
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 513627896204..68db2a356443 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1198,7 +1198,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
 	rtnl_unlock();
 	ieee80211_led_exit(local);
 	ieee80211_wep_free(local);
-	ieee80211_txq_teardown_flows(local);
  fail_flows:
 	destroy_workqueue(local->workqueue);
  fail_workqueue:
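Review bot: dropping `ieee80211_txq_teardown_flows(local);` from this error path of `ieee80211_register_hw()` only stays leak-free if every earlier failure label that used to fall through to this line also passes through `ieee80211_remove_interfaces()`, where the iface.c hunk adds the teardown. That is not visible in the three lines of context here (`rtnl_unlock()`, `ieee80211_led_exit()`, `ieee80211_wep_free()`), so the commit message should state that the register failure path is covered by the relocated call, not only the unregister path it discusses.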
@@ -1224,7 +1223,6 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 #if IS_ENABLED(CONFIG_IPV6)
 	unregister_inet6addr_notifier(&local->ifa6_notifier);
 #endif
-	ieee80211_txq_teardown_flows(local);
 
 	rtnl_lock();
 
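Review bot: with the teardown removed from `ieee80211_unregister_hw()` just before `rtnl_lock()`, anyone reading this function will no longer find where TXQ flows are torn down; a comment pointing to `ieee80211_remove_interfaces()` at this spot would help, as the remaining context (`unregister_inet6addr_notifier`, `rtnl_lock`) gives no indication that the work moved rather than was deleted.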
-- 
2.19.1



* [PATCH AUTOSEL 4.19 80/97] nl80211: fix memory leak if validate_pae_over_nl80211() fails
       [not found] <20181226223557.149329-1-sashal@kernel.org>
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 45/97] mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues Sasha Levin
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 65/97] mac80211: fix a kernel panic when TXing after TXQ teardown Sasha Levin
@ 2018-12-26 22:35 ` Sasha Levin
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 81/97] mac80211: free skb fraglist before freeing the skb Sasha Levin
  3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-12-26 22:35 UTC (permalink / raw)
  To: stable, linux-kernel; +Cc: Johannes Berg, Sasha Levin, linux-wireless, netdev

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit d350a0f431189517b1af0dbbb605c273231a8966 ]

If validate_pae_over_nl80211() were to fail in nl80211_crypto_settings(),
we might leak the 'connkeys' allocation. Fix this.

Fixes: 64bf3d4bc2b0 ("nl80211: Add CONTROL_PORT_OVER_NL80211 attribute")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/nl80211.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 176edfefcbaa..295cd8d5554f 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8993,8 +8993,10 @@ static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
 		int r = validate_pae_over_nl80211(rdev, info);
 
-		if (r < 0)
+		if (r < 0) {
+			kzfree(connkeys);
 			return r;
+		}
 
 		ibss.control_port_over_nl80211 = true;
 	}
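Review bot: `kzfree(connkeys);` before `return r;` is the right call for this buffer, since `connkeys` holds key material and `kzfree()` zeroes it before release, and it is safe when no keys were parsed because `kzfree()` accepts NULL. The structural point is that `nl80211_join_ibss()` now frees `connkeys` inline in this branch while, per the commit message, other failures in the same function must free it too; routing this branch to a common error exit (`goto` to a label that frees `connkeys`) would keep the function's cleanup in one place and avoid the next early return repeating the same leak.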
-- 
2.19.1



* [PATCH AUTOSEL 4.19 81/97] mac80211: free skb fraglist before freeing the skb
       [not found] <20181226223557.149329-1-sashal@kernel.org>
                   ` (2 preceding siblings ...)
  2018-12-26 22:35 ` [PATCH AUTOSEL 4.19 80/97] nl80211: fix memory leak if validate_pae_over_nl80211() fails Sasha Levin
@ 2018-12-26 22:35 ` Sasha Levin
  3 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2018-12-26 22:35 UTC (permalink / raw)
  To: stable, linux-kernel
  Cc: Sara Sharon, Luca Coelho, Johannes Berg, Sasha Levin,
	linux-wireless, netdev

From: Sara Sharon <sara.sharon@intel.com>

[ Upstream commit 34b1e0e9efe101822e83cc62d22443ed3867ae7a ]

mac80211 uses the frag list to build AMSDU. When freeing
the skb, it may not be really freed, since someone is still
holding a reference to it.
In that case, when a TCP skb is being retransmitted, the
pointer to the frag list is being reused, while the data
in there is no longer valid.
Since we will never get a frag list from the network stack,
as mac80211 doesn't advertise the capability, we can safely
free and nullify it before releasing the SKB.

Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/status.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 7fa10d06cc51..534a604b75c2 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -556,6 +556,11 @@ static void ieee80211_report_used_skb(struct ieee80211_local *local,
 	}
 
 	ieee80211_led_tx(local);
+
+	if (skb_has_frag_list(skb)) {
+		kfree_skb_list(skb_shinfo(skb)->frag_list);
+		skb_shinfo(skb)->frag_list = NULL;
+	}
 }
 
 /*
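Review bot: freeing `skb_shinfo(skb)->frag_list` with `kfree_skb_list()` and then setting it to NULL closes the stale-pointer reuse the commit message describes, but the safety of freeing the list while another holder may still reference the skb rests entirely on the claim that mac80211 never receives a frag list from the network stack. That reasoning lives only in the commit message; a comment above `if (skb_has_frag_list(skb))` stating that the list is always mac80211's own AMSDU construction (and so owned here) would protect the check against being "fixed" later by someone who sees it as freeing shared data.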
-- 
2.19.1


