From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0224CC43463 for ; Fri, 18 Sep 2020 02:06:13 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 80D812396D for ; Fri, 18 Sep 2020 02:06:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="Qz9dIV98"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="fqU3cGrv" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 80D812396D Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-mediatek-bounces+linux-mediatek=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=ZJ9c8/nWgqIn4Y6Awiylvvq3offpd59idE5zjEQAomk=; b=Qz9dIV98H0uNdIBFzkJ0Wh5lM imahfqN4eDiSzbfARuvlt504LL4tnqq5yOCJV3YCnJ6tCYzQownmvtUrpiDW7Tbb1HKh2RU3oad5x 3/dYBz+f40uGy9mk8CXbzR7IYKrYXVp8jrP7SRSKYbgvwBXsuZ1XRhDkE36bvWPy16ukTtRK/dMXk NS/xhYBFVXRjlg4FQDAtW47LjGXu0clyXLZjJli4jGQoyNMifH1+rS3BKirUSBWA6i85sTb4N8gjD Odu5VKbr2YRV4PBTaNFFPH+ggl1lwogwRoiBS1Jn1DicnR8jelCoipH9AF9N+bnn2qwBVj6nvqPEL yftrC7kxg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kJ5me-0003zf-6p; Fri, 18 Sep 2020 02:05:56 +0000 Received: from mail.kernel.org ([198.145.29.99]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kJ5kb-0002ni-P2; Fri, 18 Sep 2020 02:03:50 +0000 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3D36821734; Fri, 18 Sep 2020 02:03:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600394629; bh=EkxvQKN2BiZLqAT9vobDmZp+Guijf7tsfKu/d3ty/Qs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fqU3cGrvi56Nv8L89bDbakcTTZOwYQT7M7/JRm/GsuvXOPZEpHoOWH222EfUX1p+Y O/rMNjkbfL3KTgDLsGIToOcUjQQm7FOozJHXsEYUXoU45dk2P364w+TKrSjwUVa++3 2dLz2Tj4obhKopE8QmbbxcSpmx76Lf5NdSAjvw9w= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH AUTOSEL 5.4 129/330] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Date: Thu, 17 Sep 2020 21:57:49 -0400 Message-Id: <20200918020110.2063155-129-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org> References: <20200918020110.2063155-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200917_220349_891117_0F8B274F X-CRM114-Status: GOOD ( 11.86 ) X-BeenThere: linux-mediatek@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sasha Levin , netdev@vger.kernel.org, linux-wireless@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org, Felix Fietkau Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Linux-mediatek" Errors-To: linux-mediatek-bounces+linux-mediatek=archiver.kernel.org@lists.infradead.org From: Felix Fietkau [ Upstream commit 9379df2fd9234e3b67a23101c2370c99f6af6d77 ] During the cleanup of the aggregation session, a rx handler (or release timer) on another CPU might still hold a pointer to the reorder buffer and could attempt to release some packets. Clearing pointers during cleanup avoids a theoretical use-after-free bug here. Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin --- drivers/net/wireless/mediatek/mt76/agg-rx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c index cbff0dfc96311..f8441fd65400c 100644 --- a/drivers/net/wireless/mediatek/mt76/agg-rx.c +++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c @@ -268,6 +268,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid) if (!skb) continue; + tid->reorder_buf[i] = NULL; tid->nframes--; dev_kfree_skb(skb); } -- 2.25.1 _______________________________________________ Linux-mediatek mailing list Linux-mediatek@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-mediatek From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AE014C43464 for ; Fri, 18 Sep 2020 03:07:11 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5AC8B2083B for ; Fri, 18 Sep 2020 03:07:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600398431; bh=EkxvQKN2BiZLqAT9vobDmZp+Guijf7tsfKu/d3ty/Qs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=yvfsY8ZwPud/ZbCjcADBOruC4bg8+4z9jJ1GoeBbNAlmbRWyd2caze/gEoa4ZfV55 UlkKW1CCOkA32bR4HmX3ug6xqUEe7QZTz77VFi2PFnQc6NG+3nDPRSJNnYT/UdOr8Z RruqnL+9EPWI2JtbDxh5EJ4XcAb3Q3KPF5XWEhhA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730653AbgIRDHI (ORCPT ); Thu, 17 Sep 2020 23:07:08 -0400 Received: from mail.kernel.org ([198.145.29.99]:50522 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727160AbgIRCDt (ORCPT ); Thu, 17 Sep 2020 22:03:49 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3D36821734; Fri, 18 Sep 2020 02:03:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600394629; bh=EkxvQKN2BiZLqAT9vobDmZp+Guijf7tsfKu/d3ty/Qs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fqU3cGrvi56Nv8L89bDbakcTTZOwYQT7M7/JRm/GsuvXOPZEpHoOWH222EfUX1p+Y O/rMNjkbfL3KTgDLsGIToOcUjQQm7FOozJHXsEYUXoU45dk2P364w+TKrSjwUVa++3 2dLz2Tj4obhKopE8QmbbxcSpmx76Lf5NdSAjvw9w= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Felix Fietkau , Sasha Levin , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Subject: [PATCH AUTOSEL 5.4 129/330] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Date: Thu, 17 Sep 2020 21:57:49 -0400 Message-Id: <20200918020110.2063155-129-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org> References: <20200918020110.2063155-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Felix Fietkau [ Upstream commit 9379df2fd9234e3b67a23101c2370c99f6af6d77 ] During the cleanup of the aggregation session, a rx handler (or release timer) on another CPU might still hold a pointer to the reorder buffer and could attempt to release some packets. Clearing pointers during cleanup avoids a theoretical use-after-free bug here. Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin --- drivers/net/wireless/mediatek/mt76/agg-rx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c index cbff0dfc96311..f8441fd65400c 100644 --- a/drivers/net/wireless/mediatek/mt76/agg-rx.c +++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c @@ -268,6 +268,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid) if (!skb) continue; + tid->reorder_buf[i] = NULL; tid->nframes--; dev_kfree_skb(skb); } -- 2.25.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8BA7AC43463 for ; Fri, 18 Sep 2020 02:07:29 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 36A112389E for ; Fri, 18 Sep 2020 02:07:29 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="E7A+aeNz"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="fqU3cGrv" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 36A112389E Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=xli7/zsqO+MBNXd1NOaiTA0R4whqxkxgnkgUdL+fZWQ=; b=E7A+aeNzZbixTY8RijlgkRnBB uP3uZYyoxDhswoK0G/uFjWmBhaRNtshFi4nDPII28MlOB2mFbkD+ARXHFknU91qryhOqhlChZvvjH XcejHP0g92yISPIRahyqm+/YiEZ3vxaVdy79Yau439X3zzY7tvTT8RKU1J01jrpk2x38+RIQzzDMJ BhQKsKIJx58PslUzGRwzVrqDs3Re5l56gQJKzUgOrnxhQ3Z9TquS6DU6JxSp0xckxGZdWwjCAPmZ5 bVL5ZCRsh9DxAa9AlKn3sw2EHjDzPlczGAVpJG4xKcKIUoZJwUWQA0CJVY454j3aaUtf29x/wXI35 UGjkES9wA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kJ5m6-0003de-2z; Fri, 18 Sep 2020 02:05:22 +0000 Received: from mail.kernel.org ([198.145.29.99]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kJ5kb-0002ni-P2; Fri, 18 Sep 2020 02:03:50 +0000 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3D36821734; Fri, 18 Sep 2020 02:03:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600394629; bh=EkxvQKN2BiZLqAT9vobDmZp+Guijf7tsfKu/d3ty/Qs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fqU3cGrvi56Nv8L89bDbakcTTZOwYQT7M7/JRm/GsuvXOPZEpHoOWH222EfUX1p+Y O/rMNjkbfL3KTgDLsGIToOcUjQQm7FOozJHXsEYUXoU45dk2P364w+TKrSjwUVa++3 2dLz2Tj4obhKopE8QmbbxcSpmx76Lf5NdSAjvw9w= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH AUTOSEL 5.4 129/330] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Date: Thu, 17 Sep 2020 21:57:49 -0400 Message-Id: <20200918020110.2063155-129-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org> References: <20200918020110.2063155-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200917_220349_891117_0F8B274F X-CRM114-Status: GOOD ( 11.86 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sasha Levin , netdev@vger.kernel.org, linux-wireless@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org, Felix Fietkau Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org From: Felix Fietkau [ Upstream commit 9379df2fd9234e3b67a23101c2370c99f6af6d77 ] During the cleanup of the aggregation session, a rx handler (or release timer) on another CPU might still hold a pointer to the reorder buffer and could attempt to release some packets. Clearing pointers during cleanup avoids a theoretical use-after-free bug here. Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin --- drivers/net/wireless/mediatek/mt76/agg-rx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c index cbff0dfc96311..f8441fd65400c 100644 --- a/drivers/net/wireless/mediatek/mt76/agg-rx.c +++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c @@ -268,6 +268,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid) if (!skb) continue; + tid->reorder_buf[i] = NULL; tid->nframes--; dev_kfree_skb(skb); } -- 2.25.1 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel