Commit 4165a108 authored Dec 04, 2024 by Dmitry Antipov Committed by Wang Liang Dec 04, 2024

wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

stable inclusion
from stable-v5.10.227
commit f232916fab67ca1c3425926df4a866e59ff26908
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPKT
CVE: CVE-2024-47713

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f232916fab67ca1c3425926df4a866e59ff26908



--------------------------------

[ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ]

Since '__dev_queue_xmit()' should be called with interrupts enabled,
the following backtrace:

ieee80211_do_stop()
 ...
 spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
 ...
 ieee80211_free_txskb()
  ieee80211_report_used_skb()
   ieee80211_report_ack_skb()
    cfg80211_mgmt_tx_status_ext()
     nl80211_frame_tx_status()
      genlmsg_multicast_netns()
       genlmsg_multicast_netns_filtered()
        nlmsg_multicast_filtered()
	 netlink_broadcast_filtered()
	  do_one_broadcast()
	   netlink_broadcast_deliver()
	    __netlink_sendskb()
	     netlink_deliver_tap()
	      __netlink_deliver_tap_skb()
	       dev_queue_xmit()
	        __dev_queue_xmit() ; with IRQS disabled
 ...
 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)

issues the warning (as reported by syzbot reproducer):

WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120

Fix this by implementing a two-phase skb reclamation in
'ieee80211_do_stop()', where actual work is performed
outside of a section with interrupts disabled.

Fixes: 5061b0c2 ("mac80211: cooperate more with network namespaces")
Reported-by:  <syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819


Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru


Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>

parent 0ddd395e

net/mac80211/iface.c

+16 −1

Original line number	Diff line number	Diff line
		@@ -370,6 +370,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
		{
		struct ieee80211_local *local = sdata->local;
		unsigned long flags;
		struct sk_buff_head freeq;
		struct sk_buff skb, tmp;
		u32 hw_reconf_flags = 0;
		int i, flushed;
		@@ -565,18 +566,32 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
		skb_queue_purge(&sdata->skb_queue);
		}

		/*
		* Since ieee80211_free_txskb() may issue __dev_queue_xmit()
		* which should be called with interrupts enabled, reclamation
		* is done in two phases:
		*/
		__skb_queue_head_init(&freeq);

		/* unlink from local queues... */
		spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
		for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
		skb_queue_walk_safe(&local->pending[i], skb, tmp) {
		struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
		if (info->control.vif == &sdata->vif) {
		__skb_unlink(skb, &local->pending[i]);
		ieee80211_free_txskb(&local->hw, skb);
		__skb_queue_tail(&freeq, skb);
		}
		}
		}
		spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);

		/* ... and perform actual reclamation with interrupts enabled. */
		skb_queue_walk_safe(&freeq, skb, tmp) {
		__skb_unlink(skb, &freeq);
		ieee80211_free_txskb(&local->hw, skb);
		}

		if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
		ieee80211_txq_remove_vlan(local, sdata);