xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

UPSTREAM: wifi: mac80211_hwsim: fix race condition in pending packet

Browse Source 
commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream.

A pending packet uses a cookie as an unique key, but it can be duplicated
because it didn't use atomic operators.

And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
due to race condition with mac80211_hwsim_stop.

For this,
 * Use an atomic type and operator for a cookie
 * Add a lock around the loop for pending packets

Signed-off-by: Jeongik Cha <jeongik@google.com>
Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit eb8fc4277b)
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Bug: 236994625
Change-Id: Ic6613c8869a51b5de303e40406f023af689b9d64
This commit is contained in:
Jeongik Cha
2022-07-04 17:43:54 +09:00
committed by Weilun Du
parent 5545801f5c
commit 9b080edfbd
1 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
drivers/net/wireless/mac80211_hwsim.c
View File

@@ -597,7 +597,7 @@ struct mac80211_hwsim_data {
bool ps_poll_pending; bool ps_poll_pending;
struct dentry *debugfs; struct dentry *debugfs;
uintptr_t pending_cookie; atomic64_t pending_cookie;
struct sk_buff_head pending; /* packets pending */ struct sk_buff_head pending; /* packets pending */
/* /*
* Only radios in the same group can communicate together (the * Only radios in the same group can communicate together (the
@@ -1204,7 +1204,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
int i; int i;
struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES]; struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES]; struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
uintptr_t cookie; u64 cookie;
if (data->ps != PS_DISABLED) if (data->ps != PS_DISABLED)
hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM); hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
@@ -1273,8 +1273,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
goto nla_put_failure; goto nla_put_failure;
/* We create a cookie to identify this skb */ /* We create a cookie to identify this skb */
data->pending_cookie++; cookie = (u64)atomic64_inc_return(&data->pending_cookie);
cookie = data->pending_cookie;
info->rate_driver_data[0] = (void *)cookie; info->rate_driver_data[0] = (void *)cookie;
if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD)) if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
goto nla_put_failure; goto nla_put_failure;
@@ -3514,6 +3513,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
const u8 *src; const u8 *src;
unsigned int hwsim_flags; unsigned int hwsim_flags;
int i; int i;
unsigned long flags;
bool found = false; bool found = false;
if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] || if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
@@ -3541,18 +3541,20 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
} }
/* look for the skb matching the cookie passed back from user */ /* look for the skb matching the cookie passed back from user */
spin_lock_irqsave(&data2->pending.lock, flags);
skb_queue_walk_safe(&data2->pending, skb, tmp) { skb_queue_walk_safe(&data2->pending, skb, tmp) {
u64 skb_cookie; u64 skb_cookie;
txi = IEEE80211_SKB_CB(skb); txi = IEEE80211_SKB_CB(skb);
skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0]; skb_cookie = (u64)txi->rate_driver_data[0];
if (skb_cookie == ret_skb_cookie) { if (skb_cookie == ret_skb_cookie) {
skb_unlink(skb, &data2->pending); __skb_unlink(skb, &data2->pending);
found = true; found = true;
break; break;
} }
} }
spin_unlock_irqrestore(&data2->pending.lock, flags);
/* not found */ /* not found */
if (!found) if (!found)