linux-stable/net/mac80211
Zhengchao Shao 7808541869 wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit()
When the device is running and the interface status is changed, the GPF issue
is triggered. The process that triggers the problem is as follows:
Thread A:                           Thread B
ieee80211_runtime_change_iftype()   process_one_work()
    ...                                 ...
    ieee80211_do_stop()                 ...
    ...                                 ...
        sdata->bss = NULL               ...
        ...                             ieee80211_subif_start_xmit()
                                            ieee80211_multicast_to_unicast
                                    //!sdata->bss->multicast_to_unicast
                                      cause gpf issue

When the interface status is changed, the sending queue continues to send
packets. After the bss is set to NULL, the bss is accessed. As a result,
a general-protection-fault occurs.

The following is the stack information:
general protection fault, probably for non-canonical address
0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
Workqueue: mld mld_ifc_work
RIP: 0010:ieee80211_subif_start_xmit+0x25b/0x1310
Call Trace:
<TASK>
dev_hard_start_xmit+0x1be/0x990
__dev_queue_xmit+0x2c9a/0x3b60
ip6_finish_output2+0xf92/0x1520
ip6_finish_output+0x6af/0x11e0
ip6_output+0x1ed/0x540
mld_sendpack+0xa09/0xe70
mld_ifc_work+0x71c/0xdb0
process_one_work+0x9bf/0x1710
worker_thread+0x665/0x1080
kthread+0x2e4/0x3a0
ret_from_fork+0x1f/0x30
</TASK>

Fixes: f856373e2f ("wifi: mac80211: do not wake queues on a vif that is being stopped")
Reported-by: syzbot+c6e8fca81c294fd5620a@syzkaller.appspotmail.com
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://lore.kernel.org/r/20221026063959.177813-1-shaozhengchao@huawei.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2022-11-02 09:46:11 +01:00
aead_api.c mac80211: Check crypto_aead_encrypt for errors 2021-03-16 21:20:41 +01:00
aead_api.h
aes_ccm.h
aes_cmac.c mac80211: aes_cmac: check crypto_shash_setkey() return value 2021-04-19 12:01:40 +02:00
aes_cmac.h
aes_gcm.h
aes_gmac.c mac80211: Check crypto_aead_encrypt for errors 2021-03-16 21:20:41 +01:00
aes_gmac.h
agg-rx.c wifi: mac80211: fix multi-BSSID element parsing 2022-07-15 11:43:17 +02:00
agg-tx.c wifi: mac80211: expand ieee80211_mgmt_tx() for MLO 2022-07-22 14:28:35 +02:00
airtime.c wifi: mac80211: move some future per-link data to bss_conf 2022-06-20 12:55:01 +02:00
cfg.c wifi: mac80211: prevent 4-addr use on MLDs 2022-09-03 16:57:34 +02:00
chan.c wifi: mac80211: isolate driver from inactive links 2022-09-06 10:12:44 +02:00
debug.h wifi: mac80211: debug: omit link if non-MLO connection 2022-07-15 11:43:14 +02:00
debugfs.c wifi: mac80211: optionally implement MLO multicast TX 2022-07-22 14:28:36 +02:00
debugfs.h
debugfs_key.c wifi: mac80211: reorg some iface data structs for MLD 2022-06-20 12:55:06 +02:00
debugfs_key.h
debugfs_netdev.c wifi: mac80211: implement link switching 2022-09-06 10:17:20 +02:00
debugfs_netdev.h
debugfs_sta.c wifi: mac80211: make sta airtime deficit field s32 instead of s64 2022-07-01 10:51:48 +02:00
debugfs_sta.h
driver-ops.c wifi: mac80211: isolate driver from inactive links 2022-09-06 10:12:44 +02:00
driver-ops.h wifi: mac80211: isolate driver from inactive links 2022-09-06 10:12:44 +02:00
eht.c wifi: cfg80211/mac80211: check EHT capability size correctly 2022-08-25 10:41:24 +02:00
ethtool.c wifi: mac80211: read ethtool's sta_stats from sinfo 2022-08-26 09:56:54 +02:00
fils_aead.c mac80211: fils: use cfg80211_find_ext_elem() 2021-10-21 17:01:16 +02:00
fils_aead.h
he.c wifi: mac80211: keep A-MSDU data in sta and per-link 2022-09-06 10:17:08 +02:00
ht.c wifi: mac80211: keep A-MSDU data in sta and per-link 2022-09-06 10:17:08 +02:00
ibss.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-01 12:58:02 -07:00
ieee80211_i.h wifi: mac80211: fix MBSSID parsing use-after-free 2022-10-10 09:50:23 +02:00
iface.c wifi: mac80211: netdev compatible TX stop for iTXQ drivers 2022-10-07 14:48:14 +02:00
Kconfig ath9k: fix build error with LEDS_CLASS=m 2021-01-28 09:29:34 +02:00
key.c wifi: mac80211: implement link switching 2022-09-06 10:17:20 +02:00
key.h wifi: mac80211: implement link switching 2022-09-06 10:17:20 +02:00
led.c mac80211: don't open-code LED manipulations 2021-06-23 11:29:12 +02:00
led.h mac80211: fix throughput LED trigger 2021-11-15 10:56:57 +01:00
link.c wifi: mac80211: implement link switching 2022-09-06 10:17:20 +02:00
main.c wifi: mac80211: fix memory free error when registering wiphy fail 2022-10-21 12:34:59 +02:00
Makefile wifi: mac80211: move link code to a new file 2022-09-03 17:02:25 +02:00
mesh.c wifi: mac80211: correct SMPS mode in HE 6 GHz capability 2022-08-26 09:56:36 +02:00
mesh.h mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh 2022-01-04 15:11:49 +01:00
mesh_hwmp.c wifi: mac80211: fix multi-BSSID element parsing 2022-07-15 11:43:17 +02:00
mesh_pathtbl.c mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh 2022-01-04 15:11:49 +01:00
mesh_plink.c wifi: mac80211: fix up link station creation/insertion 2022-07-15 11:43:23 +02:00
mesh_ps.c mac80211: mesh: fix potentially unaligned access 2021-09-23 13:25:09 +02:00
mesh_sync.c mac80211: mesh: clean up rx_bcn_presp API 2021-09-23 16:26:33 +02:00
michael.c
michael.h
mlme.c wifi: mac80211: remove/avoid misleading prints 2022-10-07 14:40:33 +02:00
ocb.c wifi: mac80211: fix up link station creation/insertion 2022-07-15 11:43:23 +02:00
offchannel.c wifi: mac80211: expand ieee80211_mgmt_tx() for MLO 2022-07-22 14:28:35 +02:00
pm.c mac80211: Prevent AP probing during suspend 2021-10-21 17:27:51 +02:00
rate.c wifi: mac80211: make ieee80211_check_rate_mask() link-aware 2022-07-15 11:43:21 +02:00
rate.h wifi: mac80211: make ieee80211_check_rate_mask() link-aware 2022-07-15 11:43:21 +02:00
rc80211_minstrel_ht.c treewide: use get_random_bytes() when possible 2022-10-11 17:42:58 -06:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: support ieee80211_rate_status 2022-05-16 10:07:58 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel_ht: show sampling rates in debugfs 2021-02-12 08:58:11 +01:00
rx.c Merge branch 'cve-fixes-2022-10-13' 2022-10-13 11:59:56 +02:00
s1g.c mac80211: prepare sta handling for MLO support 2022-04-11 16:42:03 +02:00
scan.c treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
spectmgmt.c wifi: mac80211: separate out connection downgrade flags 2022-07-15 11:43:14 +02:00
sta_info.c wifi: mac80211: keep A-MSDU data in sta and per-link 2022-09-06 10:17:08 +02:00
sta_info.h wifi: mac80211: keep A-MSDU data in sta and per-link 2022-09-06 10:17:08 +02:00
status.c wifi: mac80211: don't start TX with fq->lock to fix deadlock 2022-09-27 10:29:04 +02:00
tdls.c wifi: mac80211: optionally implement MLO multicast TX 2022-07-22 14:28:36 +02:00
tkip.c
tkip.h
trace.c
trace.h wifi: mac80211: remove link_id parameter from link_info_changed() 2022-07-15 11:43:20 +02:00
trace_msg.h mac80211: tracing: Use the new __vstring() helper 2022-07-24 19:11:17 -04:00
tx.c wifi: mac80211: fix general-protection-fault in ieee80211_subif_start_xmit() 2022-11-02 09:46:11 +01:00
util.c Merge branch 'cve-fixes-2022-10-13' 2022-10-13 11:59:56 +02:00
vht.c wifi: mac80211: keep A-MSDU data in sta and per-link 2022-09-06 10:17:08 +02:00
wep.c
wep.h
wme.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-14 15:27:35 -07:00
wme.h
wpa.c wifi: use struct_group to copy addresses 2022-09-03 16:40:06 +02:00
wpa.h wifi: mac80211: remove cipher scheme support 2022-06-10 15:35:53 +02:00