Commit 112ff69d authored Mar 18, 2025 by Duoming Zhou Committed by Tong Tiangen Mar 18, 2025

drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()

stable inclusion
from stable-v4.19.247
commit 08bacf871c019163ccd1389d0bc957a43324967a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP731
CVE: CVE-2022-49315

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=08bacf871c019163ccd1389d0bc957a43324967a



--------------------------------

[ Upstream commit 9b6bdbd9 ]

There is a deadlock in rtllib_beacons_stop(), which is shown
below:

   (Thread 1)              |      (Thread 2)
                           | rtllib_send_beacon()
rtllib_beacons_stop()      |  mod_timer()
 spin_lock_irqsave() //(1) |  (wait a time)
 ...                       | rtllib_send_beacon_cb()
 del_timer_sync()          |  spin_lock_irqsave() //(2)
 (wait timer to stop)      |  ...

We hold ieee->beacon_lock in position (1) of thread 1 and
use del_timer_sync() to wait timer to stop, but timer handler
also need ieee->beacon_lock in position (2) of thread 2.
As a result, rtllib_beacons_stop() will block forever.

This patch extracts del_timer_sync() from the protection of
spin_lock_irqsave(), which could let timer handler to obtain
the needed lock.

Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>

parent a304375c

drivers/staging/rtl8192e/rtllib_softmac.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -654,9 +654,9 @@ static void rtllib_beacons_stop(struct rtllib_device *ieee)
		spin_lock_irqsave(&ieee->beacon_lock, flags);

		ieee->beacon_txing = 0;
		del_timer_sync(&ieee->beacon_timer);

		spin_unlock_irqrestore(&ieee->beacon_lock, flags);
		del_timer_sync(&ieee->beacon_timer);

		}