From patchwork Fri Mar 14 11:04:24 2025
X-Patchwork-Submitter: Remi Pommarel
X-Patchwork-Id: 874000
From: Remi Pommarel
To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Johannes Berg, Remi Pommarel
Subject: [PATCH 1/2] wifi: mac80211: Update skb's NULL key in ieee80211_tx_h_select_key()
Date: Fri, 14 Mar 2025 12:04:24 +0100
Message-Id: <95269f93724a94ee0b22f8107fe5b5e8f2fbea76.1741950009.git.repk@triplefau.lt>
X-Mailer: git-send-email 2.40.0

The ieee80211 skb control block key (set when the skb was queued) could
have been removed before the ieee80211_tx_dequeue() call.
ieee80211_tx_dequeue() already calls ieee80211_tx_h_select_key() to get
the current key, but the latter does not update the key in the skb
control block in case it is NULL. Because some drivers actually use this
key in their TX callbacks (e.g. ath1{1,2}k_mac_op_tx()) this could lead
to the use after free below:

BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440

CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
Hardware name: HW (DT)
Workqueue: bat_events batadv_send_outstanding_bcast_packet
Call trace:
 show_stack+0x14/0x1c (C)
 dump_stack_lvl+0x58/0x74
 print_report+0x164/0x4c0
 kasan_report+0xac/0xe8
 __asan_report_load4_noabort+0x1c/0x24
 ath11k_mac_op_tx+0x590/0x61c
 ieee80211_handle_wake_tx_queue+0x12c/0x1c8
 ieee80211_queue_skb+0xdcc/0x1b4c
 ieee80211_tx+0x1ec/0x2bc
 ieee80211_xmit+0x224/0x324
 __ieee80211_subif_start_xmit+0x85c/0xcf8
 ieee80211_subif_start_xmit+0xc0/0xec4
 dev_hard_start_xmit+0xf4/0x28c
 __dev_queue_xmit+0x6ac/0x318c
 batadv_send_skb_packet+0x38c/0x4b0
 batadv_send_outstanding_bcast_packet+0x110/0x328
 process_one_work+0x578/0xc10
 worker_thread+0x4bc/0xc7c
 kthread+0x2f8/0x380
 ret_from_fork+0x10/0x20

Allocated by task 1906:
 kasan_save_stack+0x28/0x4c
 kasan_save_track+0x1c/0x40
 kasan_save_alloc_info+0x3c/0x4c
 __kasan_kmalloc+0xac/0xb0
 __kmalloc_noprof+0x1b4/0x380
 ieee80211_key_alloc+0x3c/0xb64
 ieee80211_add_key+0x1b4/0x71c
 nl80211_new_key+0x2b4/0x5d8
 genl_family_rcv_msg_doit+0x198/0x240
 <...>

Freed by task 1494:
 kasan_save_stack+0x28/0x4c
 kasan_save_track+0x1c/0x40
 kasan_save_free_info+0x48/0x94
 __kasan_slab_free+0x48/0x60
 kfree+0xc8/0x31c
 kfree_sensitive+0x70/0x80
 ieee80211_key_free_common+0x10c/0x174
 ieee80211_free_keys+0x188/0x46c
 ieee80211_stop_mesh+0x70/0x2cc
 ieee80211_leave_mesh+0x1c/0x60
 cfg80211_leave_mesh+0xe0/0x280
 cfg80211_leave+0x1e0/0x244
 <...>

Update the SKB control block key even when the key is NULL to avoid that.

Signed-off-by: Remi Pommarel
---
 net/mac80211/tx.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index a24636bda679..79c217c2f801 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -668,6 +668,12 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx) } else if (ieee80211_is_data_present(hdr->frame_control) && tx->sta && test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) { return TX_DROP; + } else { + /* Clear SKB CB key reference, ieee80211_tx_h_select_key() + * could have been called to update key info after its removal + * (e.g. by ieee80211_tx_dequeue()). + */ + info->control.hw_key = NULL; } return TX_CONTINUE;
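Review bot: the new else branch is reached whenever tx->key is NULL and the TX_DROP condition just above it does not hold, so a frame that was queued with a key which has since been removed now continues down the TX path (TX_CONTINUE) with no key at all instead of handing the driver a dangling info->control.hw_key. That closes the use-after-free, but the commit message should state that outcome explicitly: such frames are passed on keyless rather than dropped, and the only thing keeping data frames of an encrypted station out of this branch is the WLAN_STA_USES_ENCRYPTION check above it. The comment would also read better as the invariant rather than the history, e.g. "tx->key is NULL here: clear any hw_key cached when the skb was queued, since ieee80211_tx_dequeue() re-runs this handler after the key may have been freed".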
From patchwork Fri Mar 14 11:04:25 2025
X-Patchwork-Submitter: Remi Pommarel
X-Patchwork-Id: 873803
From: Remi Pommarel
To: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Johannes Berg, Remi Pommarel
Subject: [PATCH 2/2] wifi: mac80211: Purge vif txq in ieee80211_do_stop()
Date: Fri, 14 Mar 2025 12:04:25 +0100
Message-Id: <54c3c83ea8f58af89d275d410682d73cc6289dc8.1741950009.git.repk@triplefau.lt>
X-Mailer: git-send-email 2.40.0

After ieee80211_do_stop() SKBs from the vif's txq could still be
processed. Indeed another concurrent vif schedule_and_wake_txq call could
cause those packets to be dequeued (see ieee80211_handle_wake_tx_queue())
without checking the sdata current state. Because vif.drv_priv is now
cleared in this function, this could lead to a driver crash.

For example in ath12k, ahvif is stored in vif.drv_priv. Thus if
ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be
NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to
trigger the NULL deref below.
Unable to handle kernel paging request at virtual address dfffffc000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
batman_adv: bat0: Interface deactivated: brbh1337
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfffffc000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
Hardware name: HW (DT)
pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
sp : ffffffc086ace450
x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
Call trace:
 ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
 ieee80211_handle_wake_tx_queue+0x16c/0x260
 ieee80211_queue_skb+0xeec/0x1d20
 ieee80211_tx+0x200/0x2c8
 ieee80211_xmit+0x22c/0x338
 __ieee80211_subif_start_xmit+0x7e8/0xc60
 ieee80211_subif_start_xmit+0xc4/0xee0
 __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
 ieee80211_subif_start_xmit_8023+0x124/0x488
 dev_hard_start_xmit+0x160/0x5a8
 __dev_queue_xmit+0x6f8/0x3120
 br_dev_queue_push_xmit+0x120/0x4a8
 __br_forward+0xe4/0x2b0
 deliver_clone+0x5c/0xd0
 br_flood+0x398/0x580
 br_dev_xmit+0x454/0x9f8
 dev_hard_start_xmit+0x160/0x5a8
 __dev_queue_xmit+0x6f8/0x3120
 ip6_finish_output2+0xc28/0x1b60
 __ip6_finish_output+0x38c/0x638
 ip6_output+0x1b4/0x338
 ip6_local_out+0x7c/0xa8
 ip6_send_skb+0x7c/0x1b0
 ip6_push_pending_frames+0x94/0xd0
 rawv6_sendmsg+0x1a98/0x2898
 inet_sendmsg+0x94/0xe0
 __sys_sendto+0x1e4/0x308
 __arm64_sys_sendto+0xc4/0x140
 do_el0_svc+0x110/0x280
 el0_svc+0x20/0x60
 el0t_64_sync_handler+0x104/0x138
 el0t_64_sync+0x154/0x158

To avoid that, empty the vif's txq at ieee80211_do_stop() so no packet
can be dequeued after ieee80211_do_stop() (new packets cannot be queued
because SDATA_STATE_RUNNING is cleared at this point).

Signed-off-by: Remi Pommarel
---
 net/mac80211/iface.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 738de269e13f..e60c1ffebaea 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -660,6 +660,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) ieee80211_txq_remove_vlan(local, sdata); + if (sdata->vif.txq) + ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq)); + sdata->bss = NULL; if (local->open_count == 0)
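Review bot: the added call passes `sdata->local` while the line just above it passes `local` to ieee80211_txq_remove_vlan(local, sdata); use `local` here too for consistency. More importantly, the hunk shows no lock or other synchronisation around the purge: the commit message says a concurrent ieee80211_handle_wake_tx_queue() can still be draining this txq while ieee80211_do_stop() runs, and emptying the queue does not by itself stop a dequeue that is already in flight on another CPU from reaching the driver after drv_priv is cleared later in this function. The commit message should spell out what serialises this purge against ieee80211_tx_dequeue() (if ieee80211_txq_purge() takes the txq lock internally and that is the intended guarantee, say so), so a reviewer can confirm the window is closed rather than merely narrowed.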
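Both patches fix the same class of lifetime bug: a pointer cached in a queued packet, or a queue hanging off an interface, outlives the object it refers to, and a later dequeue hands the stale state to the driver. The toy model below is an added example and is not mac80211 or ath1xk code; the structs, the `fixed` switch and the `freed` poison flag (standing in for KASAN's freed-slab check) are all assumptions made for illustration. Scenario one mirrors patch 1 (key removed while packets are queued, dequeue re-running key selection), scenario two mirrors patch 2 (interface stopped, queue still drained afterwards). Each returns the number of bad driver calls, so the unfixed path produces a non-zero count and the fixed path produces zero.

```c
#include <stdlib.h>

/* Constructed model of the two mac80211 lifetime bugs; not kernel code. */
struct key { int freed; };                   /* freed == 1 models kfree_sensitive() */

struct pkt {
    struct key *cb_hw_key;                   /* snapshot like info->control.hw_key */
    struct pkt *next;
};

struct vif {
    int running;                             /* models SDATA_STATE_RUNNING */
    struct key *cur_key;                     /* authoritative key, NULL once removed */
    struct pkt *txq;                         /* models vif.txq */
    void *drv_priv;                          /* models vif.drv_priv, cleared at stop */
    int stale_key_reads;                     /* driver touched a freed key */
    int tx_after_stop;                       /* driver called with drv_priv == NULL */
    int tx_ok;
};

static struct pkt *new_pkt(void) { return calloc(1, sizeof(struct pkt)); }

static int vif_enqueue(struct vif *v, struct pkt *p)
{
    if (!v->running)
        return -1;                           /* no new packets once stopped */
    p->cb_hw_key = v->cur_key;               /* key cached at queue time */
    p->next = v->txq;
    v->txq = p;
    return 0;
}

static void vif_remove_key(struct vif *v)
{
    if (v->cur_key)
        v->cur_key->freed = 1;               /* object is gone; pointer may linger */
    v->cur_key = NULL;
}

/* Analogue of ieee80211_tx_h_select_key() re-run by the dequeue path. */
static void select_key(struct vif *v, struct pkt *p, int fixed)
{
    if (v->cur_key)
        p->cb_hw_key = v->cur_key;           /* refresh when a key exists */
    else if (fixed)
        p->cb_hw_key = NULL;                 /* patch 1: also clear the NULL case */
    /* unfixed: the stale snapshot from enqueue time survives */
}

static void driver_tx(struct vif *v, struct pkt *p)
{
    if (!v->drv_priv) { v->tx_after_stop++; return; }
    if (p->cb_hw_key && p->cb_hw_key->freed) { v->stale_key_reads++; return; }
    v->tx_ok++;
}

static void vif_dequeue_all(struct vif *v, int fixed)
{
    struct pkt *p;
    while ((p = v->txq) != NULL) {           /* models a concurrent wake_txq drain */
        v->txq = p->next;
        select_key(v, p, fixed);
        driver_tx(v, p);
        free(p);
    }
}

static void vif_purge(struct vif *v)
{
    struct pkt *p;
    while ((p = v->txq) != NULL) { v->txq = p->next; free(p); }
}

static void vif_do_stop(struct vif *v, int fixed)
{
    v->running = 0;
    if (fixed)
        vif_purge(v);                        /* patch 2: empty the txq before drv_priv goes */
    v->drv_priv = NULL;
}

/* Patch 1 scenario: returns how many dequeued packets reached the driver
 * with a pointer to an already freed key. */
int key_removal_scenario(int fixed)
{
    struct key k = { .freed = 0 };
    int priv = 0;
    struct vif v = { .running = 1, .cur_key = &k, .drv_priv = &priv };
    vif_enqueue(&v, new_pkt());
    vif_enqueue(&v, new_pkt());
    vif_remove_key(&v);                      /* key removed while packets are queued */
    vif_dequeue_all(&v, fixed);
    return v.stale_key_reads;
}

/* Patch 2 scenario: returns how many packets reached the driver after stop. */
int stop_scenario(int fixed)
{
    int priv = 0;
    struct vif v = { .running = 1, .cur_key = NULL, .drv_priv = &priv };
    vif_enqueue(&v, new_pkt());
    vif_do_stop(&v, fixed);
    vif_dequeue_all(&v, 1);                  /* drain racing with the stop */
    return v.tx_after_stop;
}
```

The point to take from the model is where each fix sits: patch 1 refreshes per-packet state at the consumer (dequeue) rather than trusting what was cached at enqueue, and patch 2 removes the producer's queue before the object the consumer needs (drv_priv) disappears. Neither fix, in the model or in the hunks, adds locking, so the remaining question for a reviewer is what serialises a drain already in progress against the purge.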