From: Johannes Berg <johannes@sipsolutions.net>
To: Michal Kazior <michal.kazior@tieto.com>
Cc: linux-wireless@vger.kernel.org, greearb@candelatech.com,
mohammed@qti.qualcomm.com
Subject: Re: [PATCH] mac80211: prevent skb/txq mismatch
Date: Fri, 13 Jan 2017 09:16:23 +0100 [thread overview]
Message-ID: <1484295383.19860.7.camel@sipsolutions.net> (raw)
In-Reply-To: <1484231321-3179-1-git-send-email-michal.kazior@tieto.com> (sfid-20170112_152717_498584_751EA79A)
On Thu, 2017-01-12 at 15:28 +0100, Michal Kazior wrote:
> Station structure is considered as not uploaded
> (to driver) until drv_sta_state() finishes. This
> call is however done after the structure is
> attached to mac80211 internal lists and hashes.
> This means mac80211 can lookup (and use) station
> structure before it is uploaded to a driver.
>
> If this happens (structure exists, but
> sta->uploaded is false) fast_tx path can still be
> taken. Deep in the fastpath call the sta->uploaded
> is checked against to derive "pubsta" argument for
> ieee80211_get_txq(). If sta->uploaded is false
> (and sta is actually non-NULL) ieee80211_get_txq()
> effectively downgraded to vif->txq.
>
> At first glance this may look innocent but coerces
> mac80211 into a state that is almost guaranteed
> (codel may drop offending skb) to crash because a
> station-oriented skb gets queued up on
> vif-oriented txq. The ieee80211_tx_dequeue() ends
> up looking at info->control.flags and tries to use
> txq->sta which in the fail case is NULL.
>
> It's probably pointless to pretend one can
> downgrade skb from sta-txq to vif-txq.
Ok. I understand things until this point, more or less.
What I don't understand - and you haven't really described - is how the
changes fix it? Could you resend with a paragraph added that explains
that?
Also, you're adding a test:
> if (sta && !sta->uploaded)
but couldn't do move that into the existing "if (sta)" block?
Everything before that only ever returns NULL anyway.
johannes
next prev parent reply other threads:[~2017-01-13 8:17 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-12 14:28 [PATCH] mac80211: prevent skb/txq mismatch Michal Kazior
2017-01-12 14:45 ` Mohammed Shafi Shajakhan
2017-01-12 14:51 ` Johannes Berg
2017-01-12 14:54 ` Mohammed Shafi Shajakhan
2017-01-12 18:11 ` Felix Fietkau
2017-01-12 19:05 ` Dave Taht
2017-01-13 8:16 ` Johannes Berg [this message]
2017-01-13 9:04 ` Michal Kazior
2017-01-13 10:13 ` Johannes Berg
2017-01-13 12:32 ` [PATCH v2] " Michal Kazior
2017-01-13 13:57 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1484295383.19860.7.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=greearb@candelatech.com \
--cc=linux-wireless@vger.kernel.org \
--cc=michal.kazior@tieto.com \
--cc=mohammed@qti.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.