* [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()
@ 2022-02-15 15:47 Jiri Kosina
2022-02-15 15:50 ` Johannes Berg
2022-02-15 21:06 ` [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() kernel test robot
0 siblings, 2 replies; 6+ messages in thread
From: Jiri Kosina @ 2022-02-15 15:47 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel
From: Jiri Kosina <jkosina@suse.cz>
ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
but none of the callers seems to be taking RCU read-side lock; let's
acquire the lock in ieee80211_tx_h_select_key() itself.
Spotted with rtw89 driver.
This fixes the splat below.
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:593 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x2c0/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:607 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x464/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Fixes: a0761a301746e ("mac80211: drop data frames without key on encrypted links")
Fixes: 46f6b06050b73 ("mac80211: Encrypt "Group addressed privacy" action frames")
Fixes: 3cfcf6ac6d69d ("mac80211: 802.11w - Use BIP (AES-128-CMAC)")
Fixes: f7e0104c1a4e7 ("mac80211: support separate default keys")
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
Unless I am missing something, this seems to have been buggy for over a
decade ... ?
net/mac80211/tx.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 6d054fed062f..50b33ef70627 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -580,6 +580,7 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx)
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
{
+ int ret;
struct ieee80211_key *key;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
@@ -589,6 +590,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
return TX_CONTINUE;
}
+ rcu_read_lock();
+
if (tx->sta &&
(key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
tx->key = key;
@@ -645,18 +648,23 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
}
if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
- !ieee80211_is_deauth(hdr->frame_control)))
- return TX_DROP;
+ !ieee80211_is_deauth(hdr->frame_control))) {
+ ret = TX_DROP;
+ goto out;
+ }
if (!skip_hw && tx->key &&
tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
info->control.hw_key = &tx->key->conf;
} else if (ieee80211_is_data_present(hdr->frame_control) && tx->sta &&
test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {
- return TX_DROP;
+ ret = TX_DROP;
+ goto out;
}
-
- return TX_CONTINUE;
+ ret = TX_CONTINUE;
+out:
+ rcu_read_unlock();
+ return ret;
}
static ieee80211_tx_result debug_noinline
--
Jiri Kosina
SUSE Labs
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()
2022-02-15 15:47 [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() Jiri Kosina
@ 2022-02-15 15:50 ` Johannes Berg
2022-02-15 16:11 ` [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()) Jiri Kosina
2022-02-15 21:06 ` [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() kernel test robot
1 sibling, 1 reply; 6+ messages in thread
From: Johannes Berg @ 2022-02-15 15:50 UTC (permalink / raw)
To: Jiri Kosina; +Cc: linux-wireless, linux-kernel
>
> ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
> but none of the callers seems to be taking RCU read-side lock; let's
> acquire the lock in ieee80211_tx_h_select_key() itself.
>
but but ...
> ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
> rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
/**
* ieee80211_tx_dequeue - dequeue a packet from a software tx queue
*
* @hw: pointer as obtained from ieee80211_alloc_hw()
* @txq: pointer obtained from station or virtual interface, or from
* ieee80211_next_txq()
*
* Returns the skb if successful, %NULL if no frame was available.
*
* Note that this must be called in an rcu_read_lock() critical section,
* which can only be released after the SKB was handled. Some pointers in
[...]
-> driver bug?
johannes
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key())
2022-02-15 15:50 ` Johannes Berg
@ 2022-02-15 16:11 ` Jiri Kosina
2022-02-15 17:27 ` Kalle Valo
0 siblings, 1 reply; 6+ messages in thread
From: Jiri Kosina @ 2022-02-15 16:11 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, linux-kernel, Ping-Ke Shih
On Tue, 15 Feb 2022, Johannes Berg wrote:
> >
> > ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
> > but none of the callers seems to be taking RCU read-side lock; let's
> > acquire the lock in ieee80211_tx_h_select_key() itself.
> >
> but but ...
>
> > ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
> > rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
>
> /**
> * ieee80211_tx_dequeue - dequeue a packet from a software tx queue
> *
> * @hw: pointer as obtained from ieee80211_alloc_hw()
> * @txq: pointer obtained from station or virtual interface, or from
> * ieee80211_next_txq()
> *
> * Returns the skb if successful, %NULL if no frame was available.
> *
> * Note that this must be called in an rcu_read_lock() critical section,
> * which can only be released after the SKB was handled. Some pointers in
> [...]
>
> -> driver bug?
Right you are, thanks.
CCing Ping-Ke Shih; find updated fix below.
From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push()
ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
but rtw89_core_txq_push() is calling it (via ieee80211_tx_dequeue_ni())
without RCU read-side lock held; fix that.
This addresses the splat below.
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:593 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x2c0/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:607 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x464/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/net/wireless/realtek/rtw89/core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
index a0737eea9f81..9632e7f218dd 100644
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -1509,11 +1509,12 @@ static void rtw89_core_txq_push(struct rtw89_dev *rtwdev,
unsigned long i;
int ret;
+ rcu_read_lock();
for (i = 0; i < frame_cnt; i++) {
skb = ieee80211_tx_dequeue_ni(rtwdev->hw, txq);
if (!skb) {
rtw89_debug(rtwdev, RTW89_DBG_TXRX, "dequeue a NULL skb\n");
- return;
+ goto out;
}
rtw89_core_txq_check_agg(rtwdev, rtwtxq, skb);
ret = rtw89_core_tx_write(rtwdev, vif, sta, skb, NULL);
@@ -1523,6 +1524,8 @@ static void rtw89_core_txq_push(struct rtw89_dev *rtwdev,
break;
}
}
+out:
+ rcu_read_unlock();
}
static u32 rtw89_check_and_reclaim_tx_resource(struct rtw89_dev *rtwdev, u8 tid)
--
Jiri Kosina
SUSE Labs
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key())
2022-02-15 16:11 ` [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()) Jiri Kosina
@ 2022-02-15 17:27 ` Kalle Valo
2022-02-16 15:27 ` Jiri Kosina
0 siblings, 1 reply; 6+ messages in thread
From: Kalle Valo @ 2022-02-15 17:27 UTC (permalink / raw)
To: Jiri Kosina; +Cc: Johannes Berg, linux-wireless, linux-kernel, Ping-Ke Shih
Jiri Kosina <jikos@kernel.org> writes:
> On Tue, 15 Feb 2022, Johannes Berg wrote:
>
>> >
>> > ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
>> > but none of the callers seems to be taking RCU read-side lock; let's
>> > acquire the lock in ieee80211_tx_h_select_key() itself.
>> >
>> but but ...
>>
>> > ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
>> > rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
>>
>> /**
>> * ieee80211_tx_dequeue - dequeue a packet from a software tx queue
>> *
>> * @hw: pointer as obtained from ieee80211_alloc_hw()
>> * @txq: pointer obtained from station or virtual interface, or from
>> * ieee80211_next_txq()
>> *
>> * Returns the skb if successful, %NULL if no frame was available.
>> *
>> * Note that this must be called in an rcu_read_lock() critical section,
>> * which can only be released after the SKB was handled. Some pointers in
>> [...]
>>
>> -> driver bug?
>
> Right you are, thanks.
>
> CCing Ping-Ke Shih; find updated fix below.
>
>
>
>
> From: Jiri Kosina <jkosina@suse.cz>
> Subject: [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push()
>
> ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
> but rtw89_core_txq_push() is calling it (via ieee80211_tx_dequeue_ni())
> without RCU read-side lock held; fix that.
I think we have discussed this before, but patchwork can't handle
patches the way you embed them in email discussions:
https://patchwork.kernel.org/project/linux-wireless/patch/nycvar.YFH.7.76.2202151700540.11721@cbobk.fhfr.pm/
Please resubmit.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()
2022-02-15 15:47 [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() Jiri Kosina
2022-02-15 15:50 ` Johannes Berg
@ 2022-02-15 21:06 ` kernel test robot
1 sibling, 0 replies; 6+ messages in thread
From: kernel test robot @ 2022-02-15 21:06 UTC (permalink / raw)
To: Jiri Kosina, Johannes Berg; +Cc: kbuild-all, linux-wireless, linux-kernel
Hi Jiri,
I love your patch! Perhaps something to improve:
[auto build test WARNING on wireless-next/main]
[also build test WARNING on wireless/main jberg-mac80211-next/master jberg-mac80211/master v5.17-rc4 next-20220215]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Jiri-Kosina/mac80211-fix-RCU-usage-in-ieee80211_tx_h_select_key/20220215-234935
base: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git main
config: i386-randconfig-s002-20220214 (https://download.01.org/0day-ci/archive/20220216/202202160406.p1c7XduC-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.4-dirty
# https://github.com/0day-ci/linux/commit/cdfe17d7fc283e125686bdd9a6bbc6fd60909bd7
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Jiri-Kosina/mac80211-fix-RCU-usage-in-ieee80211_tx_h_select_key/20220215-234935
git checkout cdfe17d7fc283e125686bdd9a6bbc6fd60909bd7
# save the config file to linux build tree
mkdir build_dir
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=i386 SHELL=/bin/bash net/mac80211/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> net/mac80211/tx.c:652:29: sparse: sparse: incorrect type in assignment (different base types) @@ expected int ret @@ got restricted ieee80211_tx_result [usertype] @@
net/mac80211/tx.c:652:29: sparse: expected int ret
net/mac80211/tx.c:652:29: sparse: got restricted ieee80211_tx_result [usertype]
net/mac80211/tx.c:661:21: sparse: sparse: incorrect type in assignment (different base types) @@ expected int ret @@ got restricted ieee80211_tx_result [usertype] @@
net/mac80211/tx.c:661:21: sparse: expected int ret
net/mac80211/tx.c:661:21: sparse: got restricted ieee80211_tx_result [usertype]
net/mac80211/tx.c:664:13: sparse: sparse: incorrect type in assignment (different base types) @@ expected int ret @@ got restricted ieee80211_tx_result [usertype] @@
net/mac80211/tx.c:664:13: sparse: expected int ret
net/mac80211/tx.c:664:13: sparse: got restricted ieee80211_tx_result [usertype]
>> net/mac80211/tx.c:667:16: sparse: sparse: incorrect type in return expression (different base types) @@ expected restricted ieee80211_tx_result @@ got int ret @@
net/mac80211/tx.c:667:16: sparse: expected restricted ieee80211_tx_result
net/mac80211/tx.c:667:16: sparse: got int ret
vim +652 net/mac80211/tx.c
579
580 static ieee80211_tx_result debug_noinline
581 ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
582 {
583 int ret;
584 struct ieee80211_key *key;
585 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
586 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
587
588 if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) {
589 tx->key = NULL;
590 return TX_CONTINUE;
591 }
592
593 rcu_read_lock();
594
595 if (tx->sta &&
596 (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
597 tx->key = key;
598 else if (ieee80211_is_group_privacy_action(tx->skb) &&
599 (key = rcu_dereference(tx->sdata->default_multicast_key)))
600 tx->key = key;
601 else if (ieee80211_is_mgmt(hdr->frame_control) &&
602 is_multicast_ether_addr(hdr->addr1) &&
603 ieee80211_is_robust_mgmt_frame(tx->skb) &&
604 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
605 tx->key = key;
606 else if (is_multicast_ether_addr(hdr->addr1) &&
607 (key = rcu_dereference(tx->sdata->default_multicast_key)))
608 tx->key = key;
609 else if (!is_multicast_ether_addr(hdr->addr1) &&
610 (key = rcu_dereference(tx->sdata->default_unicast_key)))
611 tx->key = key;
612 else
613 tx->key = NULL;
614
615 if (tx->key) {
616 bool skip_hw = false;
617
618 /* TODO: add threshold stuff again */
619
620 switch (tx->key->conf.cipher) {
621 case WLAN_CIPHER_SUITE_WEP40:
622 case WLAN_CIPHER_SUITE_WEP104:
623 case WLAN_CIPHER_SUITE_TKIP:
624 if (!ieee80211_is_data_present(hdr->frame_control))
625 tx->key = NULL;
626 break;
627 case WLAN_CIPHER_SUITE_CCMP:
628 case WLAN_CIPHER_SUITE_CCMP_256:
629 case WLAN_CIPHER_SUITE_GCMP:
630 case WLAN_CIPHER_SUITE_GCMP_256:
631 if (!ieee80211_is_data_present(hdr->frame_control) &&
632 !ieee80211_use_mfp(hdr->frame_control, tx->sta,
633 tx->skb) &&
634 !ieee80211_is_group_privacy_action(tx->skb))
635 tx->key = NULL;
636 else
637 skip_hw = (tx->key->conf.flags &
638 IEEE80211_KEY_FLAG_SW_MGMT_TX) &&
639 ieee80211_is_mgmt(hdr->frame_control);
640 break;
641 case WLAN_CIPHER_SUITE_AES_CMAC:
642 case WLAN_CIPHER_SUITE_BIP_CMAC_256:
643 case WLAN_CIPHER_SUITE_BIP_GMAC_128:
644 case WLAN_CIPHER_SUITE_BIP_GMAC_256:
645 if (!ieee80211_is_mgmt(hdr->frame_control))
646 tx->key = NULL;
647 break;
648 }
649
650 if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
651 !ieee80211_is_deauth(hdr->frame_control))) {
> 652 ret = TX_DROP;
653 goto out;
654 }
655
656 if (!skip_hw && tx->key &&
657 tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
658 info->control.hw_key = &tx->key->conf;
659 } else if (ieee80211_is_data_present(hdr->frame_control) && tx->sta &&
660 test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {
661 ret = TX_DROP;
662 goto out;
663 }
664 ret = TX_CONTINUE;
665 out:
666 rcu_read_unlock();
> 667 return ret;
668 }
669
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key())
2022-02-15 17:27 ` Kalle Valo
@ 2022-02-16 15:27 ` Jiri Kosina
0 siblings, 0 replies; 6+ messages in thread
From: Jiri Kosina @ 2022-02-16 15:27 UTC (permalink / raw)
To: Kalle Valo; +Cc: Johannes Berg, linux-wireless, linux-kernel, Ping-Ke Shih
On Tue, 15 Feb 2022, Kalle Valo wrote:
> I think we have discussed this before, but patchwork can't handle
> patches the way you embed them in email discussions:
>
> https://patchwork.kernel.org/project/linux-wireless/patch/nycvar.YFH.7.76.2202151700540.11721@cbobk.fhfr.pm/
>
> Please resubmit.
Ok, I've resubmitted in a separate thread
https://lore.kernel.org/r/nycvar.YFH.7.76.2202152037000.11721@cbobk.fhfr.pm
Thanks,
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-02-16 15:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-15 15:47 [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() Jiri Kosina
2022-02-15 15:50 ` Johannes Berg
2022-02-15 16:11 ` [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()) Jiri Kosina
2022-02-15 17:27 ` Kalle Valo
2022-02-16 15:27 ` Jiri Kosina
2022-02-15 21:06 ` [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).