From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 210F5C49361 for ; Mon, 28 Jun 2021 14:31:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0763161CBF for ; Mon, 28 Jun 2021 14:31:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234530AbhF1Odc (ORCPT ); Mon, 28 Jun 2021 10:33:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:36744 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234588AbhF1OaK (ORCPT ); Mon, 28 Jun 2021 10:30:10 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8DC0B61CA6; Mon, 28 Jun 2021 14:26:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624890393; bh=9QELizn/eVJ4Vy64PO6RFUDWTkCe/8iWmOq9SJTNLZw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VM1FM54WM91BGSUwIUFjG3l98CswohBmp7VFSFb1xzh928JBteKbmqFGQbZrAhUzF Lb5aj71OnbXp4aAhMTPvy+OfxTX4iEsd4CEgpW8k0NtHMMXn2/WkayEtIDRl1V+wvi NVpEiCyCJKdS+KL3Dd8fMVxCe5ZAjWJUMsTw94jAa+MYnlnJni8P5oK1gEHqeZn9b2 OS83RVrJbVBE7M5nRlOy3xovxesfdXW0G2bo7auPQglJSAPT27yzznqKu49ZTL8+ZX w+rASrxTTBNTb4Cs3kZzOUOJTP/u2pVp/d7TvvJbLsZlJjDQsluStLVow0CwwjnJtM /lkyQhxsrdBmA== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Johannes Berg , syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com, Sasha Levin Subject: [PATCH 5.10 027/101] mac80211_hwsim: drop pending frames on stop Date: Mon, 28 Jun 2021 10:24:53 -0400 Message-Id: <20210628142607.32218-28-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210628142607.32218-1-sashal@kernel.org> References: <20210628142607.32218-1-sashal@kernel.org> MIME-Version: 1.0 X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.47-rc1.gz X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git X-KernelTest-Branch: linux-5.10.y X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git X-KernelTest-Version: 5.10.47-rc1 X-KernelTest-Deadline: 2021-06-30T14:25+00:00 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Johannes Berg [ Upstream commit bd18de517923903a177508fc8813f44e717b1c00 ] Syzbot reports that we may be able to get into a situation where mac80211 has pending ACK frames on shutdown with hwsim. It appears that the reason for this is that syzbot uses the wmediumd hooks to intercept/injection frames, and may shut down hwsim, removing the radio(s), while frames are pending in the air simulation. Clean out the pending queue when the interface is stopped, after this the frames can't be reported back to mac80211 properly anyway. Reported-by: syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin --- drivers/net/wireless/mac80211_hwsim.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 3b3fc7c9c91d..f147d4feedb9 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -1623,8 +1623,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw) static void mac80211_hwsim_stop(struct ieee80211_hw *hw) { struct mac80211_hwsim_data *data = hw->priv; + data->started = false; hrtimer_cancel(&data->beacon_timer); + + while (!skb_queue_empty(&data->pending)) + ieee80211_free_txskb(hw, skb_dequeue(&data->pending)); + wiphy_dbg(hw->wiphy, "%s\n", __func__); } -- 2.30.2