From: Jiri Kosina <jikos@kernel.org>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()
Date: Tue, 15 Feb 2022 16:47:00 +0100 (CET) [thread overview]
Message-ID: <nycvar.YFH.7.76.2202151643220.11721@cbobk.fhfr.pm> (raw)
From: Jiri Kosina <jkosina@suse.cz>
ieee80211_tx_h_select_key() is performing a series of RCU dereferences,
but none of the callers seems to be taking RCU read-side lock; let's
acquire the lock in ieee80211_tx_h_select_key() itself.
Spotted with rtw89 driver.
This fixes the splat below.
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:593 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x2c0/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
=============================
WARNING: suspicious RCU usage
5.17.0-rc4-00003-gccad664b7f14 #3 Tainted: G E
-----------------------------
net/mac80211/tx.c:607 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by kworker/u33:0/184:
#0: ffff9c0b14811d38 ((wq_completion)rtw89_tx_wq){+.+.}-{0:0}, at: process_one_work+0x258/0x660
#1: ffffb97380cf3e78 ((work_completion)(&rtwdev->txq_work)){+.+.}-{0:0}, at: process_one_work+0x258/0x660
stack backtrace:
CPU: 8 PID: 184 Comm: kworker/u33:0 Tainted: G E 5.17.0-rc4-00003-gccad664b7f14 #3 473b49ab0e7c2d6af2900c756bfd04efd7a9de13
Hardware name: LENOVO 20UJS2B905/20UJS2B905, BIOS R1CET63W(1.32 ) 04/09/2021
Workqueue: rtw89_tx_wq rtw89_core_txq_work [rtw89_core]
Call Trace:
<TASK>
dump_stack_lvl+0x58/0x71
ieee80211_tx_h_select_key+0x464/0x530 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
ieee80211_tx_dequeue+0x1a7/0x1260 [mac80211 911c23e2351c0ae60b597a67b1204a5ea955e365]
rtw89_core_txq_work+0x1a6/0x420 [rtw89_core b39ba493f2e517ad75e0f8187ecc24edf58bbbea]
process_one_work+0x2d8/0x660
worker_thread+0x39/0x3e0
? process_one_work+0x660/0x660
kthread+0xe5/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Fixes: a0761a301746e ("mac80211: drop data frames without key on encrypted links")
Fixes: 46f6b06050b73 ("mac80211: Encrypt "Group addressed privacy" action frames")
Fixes: 3cfcf6ac6d69d ("mac80211: 802.11w - Use BIP (AES-128-CMAC)")
Fixes: f7e0104c1a4e7 ("mac80211: support separate default keys")
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
Unless I am missing something, this seems to have been buggy for over a
decade ... ?
net/mac80211/tx.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 6d054fed062f..50b33ef70627 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -580,6 +580,7 @@ ieee80211_tx_h_check_control_port_protocol(struct ieee80211_tx_data *tx)
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
{
+ int ret;
struct ieee80211_key *key;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
@@ -589,6 +590,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
return TX_CONTINUE;
}
+ rcu_read_lock();
+
if (tx->sta &&
(key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
tx->key = key;
@@ -645,18 +648,23 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
}
if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
- !ieee80211_is_deauth(hdr->frame_control)))
- return TX_DROP;
+ !ieee80211_is_deauth(hdr->frame_control))) {
+ ret = TX_DROP;
+ goto out;
+ }
if (!skip_hw && tx->key &&
tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
info->control.hw_key = &tx->key->conf;
} else if (ieee80211_is_data_present(hdr->frame_control) && tx->sta &&
test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {
- return TX_DROP;
+ ret = TX_DROP;
+ goto out;
}
-
- return TX_CONTINUE;
+ ret = TX_CONTINUE;
+out:
+ rcu_read_unlock();
+ return ret;
}
static ieee80211_tx_result debug_noinline
--
Jiri Kosina
SUSE Labs
next reply other threads:[~2022-02-15 15:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-15 15:47 Jiri Kosina [this message]
2022-02-15 15:50 ` [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() Johannes Berg
2022-02-15 16:11 ` [PATCH] rtw89: fix RCU usage in rtw89_core_txq_push() (was Re: [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key()) Jiri Kosina
2022-02-15 17:27 ` Kalle Valo
2022-02-16 15:27 ` Jiri Kosina
2022-02-15 21:06 ` [PATCH] mac80211: fix RCU usage in ieee80211_tx_h_select_key() kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YFH.7.76.2202151643220.11721@cbobk.fhfr.pm \
--to=jikos@kernel.org \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).