Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 78bf3c61 authored by Johannes Berg's avatar Johannes Berg Committed by Sasha Levin
Browse files

mac80211_hwsim: drop pending frames on stop 



[ Upstream commit bd18de517923903a177508fc8813f44e717b1c00 ]

Syzbot reports that we may be able to get into a situation where
mac80211 has pending ACK frames on shutdown with hwsim. It appears
that the reason for this is that syzbot uses the wmediumd hooks to
intercept/injection frames, and may shut down hwsim, removing the
radio(s), while frames are pending in the air simulation.

Clean out the pending queue when the interface is stopped, after
this the frames can't be reported back to mac80211 properly anyway.

Reported-by: default avatar <syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com>
Link: https://lore.kernel.org/r/20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent ae9de944

drivers/net/wireless/mac80211_hwsim.c

+5 −0
Original line number Diff line number Diff line
@@ -1458,8 +1458,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw) 
static void mac80211_hwsim_stop(struct ieee80211_hw *hw)

{

	struct mac80211_hwsim_data *data = hw->priv;



	data->started = false;

	hrtimer_cancel(&data->beacon_timer);



	while (!skb_queue_empty(&data->pending))

		ieee80211_free_txskb(hw, skb_dequeue(&data->pending));



	wiphy_dbg(hw->wiphy, "%s\n", __func__);

}