Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b32ee8a authored by Jeongik Cha's avatar Jeongik Cha Committed by Weilun Du
Browse files

UPSTREAM: wifi: mac80211_hwsim: fix race condition in pending packet 



commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream.

A pending packet uses a cookie as an unique key, but it can be duplicated
because it didn't use atomic operators.

And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
due to race condition with mac80211_hwsim_stop.

For this,
 * Use an atomic type and operator for a cookie
 * Add a lock around the loop for pending packets

Signed-off-by: default avatarJeongik Cha <jeongik@google.com>
Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit eb8fc4277b628ac81db806c130a500dd48a9e524)
Signed-off-by: default avatarCarlos Llamas <cmllamas@google.com>
Bug: 236994625
Change-Id: Ic6613c8869a51b5de303e40406f023af689b9d64
parent 7e6cbbe7

drivers/net/wireless/mac80211_hwsim.c

+8 −6
Original line number Diff line number Diff line
@@ -534,7 +534,7 @@ struct mac80211_hwsim_data { 
	bool ps_poll_pending;

	struct dentry *debugfs;



	uintptr_t pending_cookie;

	atomic64_t pending_cookie;

	struct sk_buff_head pending;	/* packets pending */

	/*

	 * Only radios in the same group can communicate together (the
@@ -1097,7 +1097,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, 
	int i;

	struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];

	struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];

	uintptr_t cookie;

	u64 cookie;



	if (data->ps != PS_DISABLED)

		hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
@@ -1166,8 +1166,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw, 
		goto nla_put_failure;



	/* We create a cookie to identify this skb */

	data->pending_cookie++;

	cookie = data->pending_cookie;

	cookie = (u64)atomic64_inc_return(&data->pending_cookie);

	info->rate_driver_data[0] = (void *)cookie;

	if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))

		goto nla_put_failure;
@@ -3321,6 +3320,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, 
	const u8 *src;

	unsigned int hwsim_flags;

	int i;

	unsigned long flags;

	bool found = false;



	if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
@@ -3348,18 +3348,20 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2, 
	}



	/* look for the skb matching the cookie passed back from user */

	spin_lock_irqsave(&data2->pending.lock, flags);

	skb_queue_walk_safe(&data2->pending, skb, tmp) {

		u64 skb_cookie;



		txi = IEEE80211_SKB_CB(skb);

		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];

		skb_cookie = (u64)txi->rate_driver_data[0];



		if (skb_cookie == ret_skb_cookie) {

			skb_unlink(skb, &data2->pending);

			__skb_unlink(skb, &data2->pending);

			found = true;

			break;

		}

	}

	spin_unlock_irqrestore(&data2->pending.lock, flags);



	/* not found */

	if (!found)