mac80211_hwsim: drop pending frames on stop

Message ID	20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid
State	New
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Johannes Berg <johannes@sipsolutions.net> To: linux-wireless@vger.kernel.org Cc: Johannes Berg <johannes.berg@intel.com>, syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com Subject: [PATCH] mac80211_hwsim: drop pending frames on stop Date: Mon, 17 May 2021 17:04:31 +0200 Message-Id: <20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	mac80211_hwsim: drop pending frames on stop \| expand mac80211_hwsim: drop pending frames on stop

Message ID

20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid

State

New

Headers

From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>,
	syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com
Subject: [PATCH] mac80211_hwsim: drop pending frames on stop
Date: Mon, 17 May 2021 17:04:31 +0200
Message-Id: <20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

mac80211_hwsim: drop pending frames on stop | expand

Commit Message

Johannes Berg May 17, 2021, 3:04 p.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

Syzbot reports that we may be able to get into a situation where
mac80211 has pending ACK frames on shutdown with hwsim. It appears
that the reason for this is that syzbot uses the wmediumd hooks to
intercept/injection frames, and may shut down hwsim, removing the
radio(s), while frames are pending in the air simulation.

Clean out the pending queue when the interface is stopped, after
this the frames can't be reported back to mac80211 properly anyway.

Reported-by: syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ master
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 drivers/net/wireless/mac80211_hwsim.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

syzbot May 17, 2021, 3:52 p.m. UTC | #1

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com

Tested on:

commit:         d07f6ca9 Linux 5.13-rc2
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ master
kernel config:  https://syzkaller.appspot.com/x/.config?x=81ee2b1d45eadfce
dashboard link: https://syzkaller.appspot.com/bug?extid=a063bbf0b15737362592
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=158f811dd00000

Note: testing is done by a robot and is best-effort only.

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 51ce767eaf88..7a6fd46d0c6e 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1693,8 +1693,13 @@  static int mac80211_hwsim_start(struct ieee80211_hw *hw)
 static void mac80211_hwsim_stop(struct ieee80211_hw *hw)
 {
 	struct mac80211_hwsim_data *data = hw->priv;
+
 	data->started = false;
 	hrtimer_cancel(&data->beacon_timer);
+
+	while (!skb_queue_empty(&data->pending))
+		ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
+
 	wiphy_dbg(hw->wiphy, "%s\n", __func__);
 }

mac80211_hwsim: drop pending frames on stop

Commit Message

Comments

Patch