From patchwork Wed May 13 09:16:49 2015
X-Patchwork-Submitter: Michal Kazior
X-Patchwork-Id: 6395641
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Michal Kazior
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Michal Kazior
Subject: [PATCH v2 2/2] mac80211: prevent possible crypto tx tailroom corruption
Date: Wed, 13 May 2015 09:16:49 +0000
Message-Id: <1431508609-9841-2-git-send-email-michal.kazior@tieto.com>
In-Reply-To: <1431508609-9841-1-git-send-email-michal.kazior@tieto.com>
References: <1431349503-5461-1-git-send-email-michal.kazior@tieto.com> <1431508609-9841-1-git-send-email-michal.kazior@tieto.com>
X-Mailing-List: linux-wireless@vger.kernel.org

There was a possible race between ieee80211_reconfig() and
ieee80211_delayed_tailroom_dec(). This could result in an inability to
transmit data if the driver crashed during roaming or rekeying and
subsequent skbs with insufficient tailroom appeared.

This race was probably never seen in the wild because a device driver
would have to crash AND recover within 0.5s, which is very unlikely. I was
able to prove this race exists after changing the delay to 10s locally and
crashing ath10k via debugfs immediately after GTK rekeying.

In the case of ath10k the counter went below 0. This was harmless, but
other drivers which actually require tailroom (e.g. for WEP ICV or MMIC)
could end up with the counter at 0 instead of >0 and introduce
insufficient skb tailroom failures because mac80211 would not resize skbs
appropriately anymore.

Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming")
Signed-off-by: Michal Kazior --- Notes: While doing PATCH v2 [1/2] I've noticed a subtle bug in the delayed tailroom counter logic. Since this touches the codepaths [1/2] does I'm posting this as a pair. net/mac80211/key.c | 5 ++++- net/mac80211/main.c | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/net/mac80211/key.c b/net/mac80211/key.c index 577a11a13cdf..4c6f8c97d11a 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -695,10 +695,13 @@ void ieee80211_reset_crypto_tx_tailroom(struct ieee80211_sub_if_data *sdata) mutex_lock(&sdata->local->key_mtx); sdata->crypto_tx_tailroom_needed_cnt = 0; + sdata->crypto_tx_tailroom_pending_dec = 0; if (sdata->vif.type == NL80211_IFTYPE_AP) { - list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list) + list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list) { vlan->crypto_tx_tailroom_needed_cnt = 0; + vlan->crypto_tx_tailroom_pending_dec = 0; + } } mutex_unlock(&sdata->local->key_mtx); diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 3c956c5f99b2..d8e1cbdcbc43 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -246,6 +246,7 @@ static void ieee80211_restart_work(struct work_struct *work) { struct ieee80211_local *local = container_of(work, struct ieee80211_local, restart_work); + struct ieee80211_sub_if_data *sdata; /* wait for scan work complete */ flush_workqueue(local->workqueue); @@ -254,6 +255,8 @@ static void ieee80211_restart_work(struct work_struct *work) "%s called with hardware scan in progress\n", __func__); rtnl_lock(); + list_for_each_entry(sdata, &local->interfaces, list) + cancel_delayed_work_sync(&sdata->dec_tailroom_needed_wk); ieee80211_scan_cancel(local); ieee80211_reconfig(local); rtnl_unlock();
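Review bot: in the key.c hunk, the new `sdata->crypto_tx_tailroom_pending_dec = 0;` (and the matching `vlan->crypto_tx_tailroom_pending_dec = 0;` inside the VLAN loop) discards whatever decrements were deferred, which is only correct if dec_tailroom_needed_wk is guaranteed not to run afterwards with stale state; that guarantee is provided in a different file by the cancel_delayed_work_sync() added to ieee80211_restart_work(), so ieee80211_reset_crypto_tx_tailroom() should carry a one-line comment stating that callers must have cancelled the delayed work first. Without that, a future caller of this reset function will silently reintroduce the race the commit message describes, and the `vlan` loop now brace-wrapped here is the first place a reader would miss it.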
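Review bot: in the main.c hunk, the `list_for_each_entry(sdata, &local->interfaces, list) cancel_delayed_work_sync(&sdata->dec_tailroom_needed_wk);` loop protects only the hardware-restart path, whereas the commit message frames the race as between ieee80211_reconfig() and ieee80211_delayed_tailroom_dec() in general; any other caller of ieee80211_reconfig() still reaches ieee80211_reset_crypto_tx_tailroom() without this cancel. Either move the loop into ieee80211_reconfig() itself, next to where the counters are reset, or state in the commit message why the restart path is the only one that can race. Minor: the walk sits after rtnl_lock(), which is the right lock for local->interfaces, but a short comment that the cancel must precede the key re-enable done by ieee80211_reconfig() would document the ordering the fix depends on.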
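The race the commit message describes, reduced to a userspace model. This is an added example, not mac80211 code and not part of the original mail: the field names crypto_tx_tailroom_needed_cnt and crypto_tx_tailroom_pending_dec are taken from the patch, while the live-key bookkeeping, the single-flag stand-in for the delayed work and the restart sequence are simplifying assumptions, and the roaming scenario (old PTK and GTK removed with deferred decrements, a new pair installed, then a driver crash inside the delay window) is constructed. It shows how a stale ieee80211_delayed_tailroom_dec() running after the reconfig reset drives the counter to 0 while two keys still need tailroom, and how zeroing pending_dec plus cancelling the work restores the correct value.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model state; the field names follow the patch, everything else is assumed. */
struct sdata_model {
	int crypto_tx_tailroom_needed_cnt;  /* >0: mac80211 must grow skb tailroom */
	int crypto_tx_tailroom_pending_dec; /* decrements deferred to delayed work */
	bool dec_work_queued;               /* stand-in for dec_tailroom_needed_wk */
	int live_keys;                      /* keys that get re-enabled on reconfig */
};

/* Installing a key that needs software tailroom counts immediately. */
static void model_key_add(struct sdata_model *s)
{
	s->crypto_tx_tailroom_needed_cnt++;
	s->live_keys++;
}

/* Removing a key defers the decrement (the 8d1f7ecd2af5 behaviour) so
 * frames already queued for the old key still get their tailroom. */
static void model_key_remove(struct sdata_model *s)
{
	s->live_keys--;
	s->crypto_tx_tailroom_pending_dec++;
	s->dec_work_queued = true;
}

/* ieee80211_delayed_tailroom_dec() as modelled: apply deferred decrements. */
static void model_delayed_dec(struct sdata_model *s)
{
	if (!s->dec_work_queued)
		return; /* cancelled, or already ran */
	s->dec_work_queued = false;
	s->crypto_tx_tailroom_needed_cnt -= s->crypto_tx_tailroom_pending_dec;
	s->crypto_tx_tailroom_pending_dec = 0;
}

/* Hardware restart: ieee80211_restart_work() -> ieee80211_reconfig() ->
 * ieee80211_reset_crypto_tx_tailroom(), after which live keys are re-added.
 * patched=true applies both halves of the fix from this patch. */
static void model_restart(struct sdata_model *s, bool patched)
{
	if (patched)
		s->dec_work_queued = false;   /* cancel_delayed_work_sync() */
	s->crypto_tx_tailroom_needed_cnt = 0;
	if (patched)
		s->crypto_tx_tailroom_pending_dec = 0;
	s->crypto_tx_tailroom_needed_cnt += s->live_keys; /* keys re-enabled */
}

/*
 * Constructed roaming scenario: old PTK+GTK removed (decrements deferred),
 * a new pair installed. With crash_in_delay_window the restart happens before
 * the delayed work fires, so the stale work runs against the reset counter.
 * Returns the final needed_cnt; the correct value is 2 (two live keys).
 */
int tailroom_after_roam(bool patched, bool crash_in_delay_window)
{
	struct sdata_model s = { 0 };

	model_key_add(&s);     /* old PTK */
	model_key_add(&s);     /* old GTK */
	model_key_remove(&s);  /* roam: old PTK removed, dec deferred */
	model_key_remove(&s);  /* roam: old GTK removed, dec deferred */
	model_key_add(&s);     /* new PTK */
	model_key_add(&s);     /* new GTK */

	if (crash_in_delay_window) {
		model_restart(&s, patched);
		model_delayed_dec(&s); /* stale work runs after reconfig */
	} else {
		model_delayed_dec(&s); /* normal case: work fires first */
		model_restart(&s, patched);
	}
	return s.crypto_tx_tailroom_needed_cnt;
}

/* Assumption: the tx path only cares whether the counter is positive. */
bool tailroom_would_be_reserved(int needed_cnt)
{
	return needed_cnt > 0;
}

int main(void)
{
	printf("unpatched, crash in window: cnt=%d\n", tailroom_after_roam(false, true));
	printf("patched,   crash in window: cnt=%d\n", tailroom_after_roam(true, true));
	printf("unpatched, no crash:        cnt=%d\n", tailroom_after_roam(false, false));
	return 0;
}
```

The unpatched run with the crash inside the window ends with the counter at 0 and two keys live, which is exactly the "0 instead of >0" outcome the commit message warns about for drivers that need tailroom for WEP ICV or MMIC; the same sequence without the crash, or with both halves of the fix applied, ends at 2.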