From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Alexander Wetzel <alexander@wetzel-home.de>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.10 11/98] wifi: mac80211: sdata can be NULL during AMPDU start
Date: Sun, 22 Jan 2023 16:03:27 +0100 [thread overview]
Message-ID: <20230122150229.899598147@linuxfoundation.org> (raw)
In-Reply-To: <20230122150229.351631432@linuxfoundation.org>
From: Alexander Wetzel <alexander@wetzel-home.de>
commit 69403bad97aa0162e3d7911b27e25abe774093df upstream.
ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
deauthentication is ongoing.
Here a trace triggering the race with the hostapd test
multi_ap_fronthaul_on_ap:
(gdb) list *drv_ampdu_action+0x46
0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
391 int ret = -EOPNOTSUPP;
392
393 might_sleep();
394
395 sdata = get_bss_sdata(sdata);
396 if (!check_sdata_in_driver(sdata))
397 return -EIO;
398
399 trace_drv_ampdu_action(local, sdata, params);
400
wlan0: moving STA 02:00:00:00:03:00 to state 3
wlan0: associated
wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
wlan0: moving STA 02:00:00:00:03:00 to state 2
wlan0: moving STA 02:00:00:00:03:00 to state 1
wlan0: Removed STA 02:00:00:00:03:00
wlan0: Destroyed STA 02:00:00:00:03:00
BUG: unable to handle page fault for address: fffffffffffffb48
PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G W 6.1.0-rc8-wt+ #59
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Workqueue: phy3 ieee80211_ba_session_work [mac80211]
RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
FS: 0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
Call Trace:
<TASK>
ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
process_one_work+0x29f/0x620
worker_thread+0x4d/0x3d0
? process_one_work+0x620/0x620
kthread+0xfb/0x120
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Link: https://lore.kernel.org/r/20221230121850.218810-2-alexander@wetzel-home.de
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/agg-tx.c | 6 +++++-
net/mac80211/driver-ops.c | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -491,7 +491,7 @@ void ieee80211_tx_ba_session_handle_star
{
struct tid_ampdu_tx *tid_tx;
struct ieee80211_local *local = sta->local;
- struct ieee80211_sub_if_data *sdata = sta->sdata;
+ struct ieee80211_sub_if_data *sdata;
struct ieee80211_ampdu_params params = {
.sta = &sta->sta,
.action = IEEE80211_AMPDU_TX_START,
@@ -521,6 +521,7 @@ void ieee80211_tx_ba_session_handle_star
*/
synchronize_net();
+ sdata = sta->sdata;
params.ssn = sta->tid_seq[tid] >> 4;
ret = drv_ampdu_action(local, sdata, ¶ms);
tid_tx->ssn = params.ssn;
@@ -534,6 +535,9 @@ void ieee80211_tx_ba_session_handle_star
*/
set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state);
} else if (ret) {
+ if (!sdata)
+ return;
+
ht_dbg(sdata,
"BA request denied - HW unavailable for %pM tid %d\n",
sta->sta.addr, tid);
--- a/net/mac80211/driver-ops.c
+++ b/net/mac80211/driver-ops.c
@@ -331,6 +331,9 @@ int drv_ampdu_action(struct ieee80211_lo
might_sleep();
+ if (!sdata)
+ return -EIO;
+
sdata = get_bss_sdata(sdata);
if (!check_sdata_in_driver(sdata))
return -EIO;
next prev parent reply other threads:[~2023-01-22 15:11 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 01/98] btrfs: fix trace event name typo for FLUSH_DELAYED_REFS Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 02/98] pNFS/filelayout: Fix coalescing test for single DS Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 03/98] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 04/98] tools/virtio: initialize spinlocks in vring_test.c Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 05/98] net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 06/98] RDMA/srp: Move large values to a new enum for gcc13 Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 07/98] btrfs: always report error in run_one_delayed_ref() Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 08/98] x86/asm: Fix an assembler warning with current binutils Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 09/98] f2fs: lets avoid panic if extent_tree is not created Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 10/98] wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices Greg Kroah-Hartman
2023-01-22 15:03 ` Greg Kroah-Hartman [this message]
2023-01-22 15:03 ` [PATCH 5.10 12/98] Add exception protection processing for vd in axi_chan_handle_err function Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 13/98] zonefs: Detect append writes at invalid locations Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 14/98] nilfs2: fix general protection fault in nilfs_btree_insert() Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 15/98] efi: fix userspace infinite retry read efivars after EFI runtime services page fault Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 16/98] ALSA: hda/realtek - Turn on power early Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 17/98] drm/i915/gt: Reset twice Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 18/98] Bluetooth: hci_qca: Wait for timeout during suspend Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 19/98] Bluetooth: hci_qca: Fix driver shutdown on closed serdev Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 20/98] io_uring: dont gate task_work run on TIF_NOTIFY_SIGNAL Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 21/98] io_uring: improve send/recv error handling Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 22/98] io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 23/98] io_uring: add flag for disabling provided buffer recycling Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 24/98] io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG) Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 25/98] io_uring: allow re-poll if we made progress Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 26/98] io_uring: fix async accept on O_NONBLOCK sockets Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 27/98] io_uring: check for valid register opcode earlier Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 28/98] io_uring: lock overflowing for IOPOLL Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 29/98] io_uring: fix CQ waiting timeout handling Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 30/98] io_uring: ensure that cached task references are always put on exit Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 31/98] io_uring: remove duplicated calls to io_kiocb_ppos Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 32/98] io_uring: update kiocb->ki_pos at execution time Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 33/98] io_uring: do not recalculate ppos unnecessarily Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 34/98] io_uring/rw: defer fsnotify calls to task context Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 35/98] xhci-pci: set the dma max_seg_size Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 36/98] usb: xhci: Check endpoint is valid before dereferencing it Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 37/98] xhci: Fix null pointer dereference when host dies Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 38/98] xhci: Add update_hub_device override for PCI xHCI hosts Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 39/98] xhci: Add a flag to disable USB3 lpm on a xhci root port level Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 40/98] usb: acpi: add helper to check port lpm capability using acpi _DSM Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 41/98] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 42/98] prlimit: do_prlimit needs to have a speculation check Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 43/98] USB: serial: option: add Quectel EM05-G (GR) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 44/98] USB: serial: option: add Quectel EM05-G (CS) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 45/98] USB: serial: option: add Quectel EM05-G (RS) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 46/98] USB: serial: option: add Quectel EC200U modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 47/98] USB: serial: option: add Quectel EM05CN (SG) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 48/98] USB: serial: option: add Quectel EM05CN modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 49/98] staging: vchiq_arm: fix enum vchiq_status return types Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 50/98] USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 51/98] misc: fastrpc: Dont remove map on creater_process and device_release Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 52/98] misc: fastrpc: Fix use-after-free race condition for maps Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 53/98] usb: core: hub: disable autosuspend for TI TUSB8041 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 54/98] comedi: adv_pci1760: Fix PWM instruction handling Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 55/98] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 56/98] mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 57/98] btrfs: fix race between quota rescan and disable leading to NULL pointer deref Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 58/98] cifs: do not include page data when checking signature Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 59/98] thunderbolt: Use correct function to calculate maximum USB3 link rate Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 60/98] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 61/98] USB: gadgetfs: Fix race between mounting and unmounting Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 62/98] USB: serial: cp210x: add SCALANCE LPE-9000 device id Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 63/98] usb: host: ehci-fsl: Fix module alias Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 64/98] usb: typec: altmodes/displayport: Add pin assignment helper Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 65/98] usb: typec: altmodes/displayport: Fix pin assignment calculation Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 66/98] usb: gadget: g_webcam: Send color matching descriptor per frame Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 67/98] usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 68/98] usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 69/98] dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 70/98] dt-bindings: phy: g12a-usb3-pcie-phy: " Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 71/98] serial: pch_uart: Pass correct sg to dma_unmap_sg() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 72/98] dmaengine: tegra210-adma: fix global intr clear Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 73/98] serial: atmel: fix incorrect baudrate setup Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 74/98] gsmi: fix null-deref in gsmi_get_variable Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 75/98] mei: me: add meteor lake point M DID Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 76/98] drm/i915: re-disable RC6p on Sandy Bridge Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 77/98] drm/amd/display: Fix set scaling doesns work Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 78/98] drm/amd/display: Calculate output_color_space after pixel encoding adjustment Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 79/98] drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 80/98] arm64: efi: Execute runtime services from a dedicated stack Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 81/98] efi: rt-wrapper: Add missing include Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 82/98] Revert "drm/amdgpu: make display pinning more flexible (v2)" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 83/98] x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 84/98] tracing: Use alignof__(struct {type b;}) instead of offsetof() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 85/98] arch: fix broken BuildID for arm64 and riscv Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 86/98] s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 87/98] powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 88/98] powerpc/vmlinux.lds: Dont discard .rela* for relocatable builds Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 89/98] powerpc/vmlinux.lds: Dont discard .comment Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 90/98] io_uring: io_kiocb_update_pos() should not touch file for non -1 offset Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 91/98] io_uring/net: fix fast_iov assignment in io_setup_async_msg() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 92/98] net/ulp: use consistent error code when blocking ULP Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 93/98] net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 94/98] Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 95/98] soc: qcom: apr: Make qcom,protection-domain optional again Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 96/98] Bluetooth: hci_qca: Wait for SSR completion during suspend Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 97/98] Bluetooth: hci_qca: check for SSR triggered flag while suspend Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 98/98] Bluetooth: hci_qca: Fixed issue during suspend Greg Kroah-Hartman
2023-01-23 7:16 ` [PATCH 5.10 00/98] 5.10.165-rc1 review Naresh Kamboju
2023-01-23 11:18 ` Sudip Mukherjee
2023-01-23 11:31 ` Pavel Machek
2023-01-23 11:46 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230122150229.899598147@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander@wetzel-home.de \
--cc=johannes.berg@intel.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.