From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Eric Dumazet <edumazet@google.com>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 37/38] wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
Date: Thu, 15 Aug 2024 15:26:11 +0200 [thread overview]
Message-ID: <20240815131834.380356813@linuxfoundation.org> (raw)
In-Reply-To: <20240815131832.944273699@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d1cba2ea8121e7fdbe1328cea782876b1dd80993 ]
syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM
to 2^31.
We had a similar issue in sch_fq, fixed with commit
d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")
watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
Modules linked in:
irq event stamp: 131135
hardirqs last enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
hardirqs last enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]
softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: mld mld_ifc_work
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del include/linux/list.h:195 [inline]
pc : __list_del_entry include/linux/list.h:218 [inline]
pc : list_move_tail include/linux/list.h:310 [inline]
pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
lr : __list_del_entry include/linux/list.h:218 [inline]
lr : list_move_tail include/linux/list.h:310 [inline]
lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854
sp : ffff800093d36700
x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000
x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0
x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0
x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0
x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8
x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc
x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470
Call trace:
__list_del include/linux/list.h:195 [inline]
__list_del_entry include/linux/list.h:218 [inline]
list_move_tail include/linux/list.h:310 [inline]
fq_tin_dequeue include/net/fq_impl.h:112 [inline]
ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
wake_tx_push_queue net/mac80211/util.c:294 [inline]
ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315
drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664
ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966
ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062
__ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338
ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532
__netdev_start_xmit include/linux/netdevice.h:4903 [inline]
netdev_start_xmit include/linux/netdevice.h:4917 [inline]
xmit_one net/core/dev.c:3531 [inline]
dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547
__dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341
dev_queue_xmit include/linux/netdevice.h:3091 [inline]
neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x104c/0x1ee8 net/ipv6/ip6_output.c:137
ip6_finish_output+0x428/0x7a0 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x270/0x594 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:450 [inline]
NF_HOOK+0x160/0x4f0 include/linux/netfilter.h:314
mld_sendpack+0x7b4/0x10f4 net/ipv6/mcast.c:1818
mld_send_cr net/ipv6/mcast.c:2119 [inline]
mld_ifc_work+0x840/0xd0c net/ipv6/mcast.c:2650
process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3267
process_scheduled_works kernel/workqueue.c:3348 [inline]
worker_thread+0x938/0xef4 kernel/workqueue.c:3429
kthread+0x288/0x310 kernel/kthread.c:388
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Fixes: 52539ca89f36 ("cfg80211: Expose TXQ stats and parameters to userspace")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240615160800.250667-1-edumazet@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/nl80211.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -463,6 +463,10 @@ nl80211_sta_wme_policy[NL80211_STA_WME_M
[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
};
+static struct netlink_range_validation q_range = {
+ .max = INT_MAX,
+};
+
static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
@@ -745,7 +749,7 @@ static const struct nla_policy nl80211_p
[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
- [NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
+ [NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
[NL80211_ATTR_HE_CAPABILITY] =
NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
NL80211_HE_MAX_CAPABILITY_LEN),
next prev parent reply other threads:[~2024-08-15 14:06 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-15 13:25 [PATCH 6.1 00/38] 6.1.106-rc1 review Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 01/38] mptcp: pass addr to mptcp_pm_alloc_anno_list Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 02/38] mptcp: pm: reduce indentation blocks Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 03/38] mptcp: pm: dont try to create sf if alloc failed Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 04/38] mptcp: pm: do not ignore subflow if signal flag is also set Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 05/38] selftests: mptcp: join: test both signal & subflow Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 06/38] ASoC: topology: Clean up route loading Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 07/38] ASoC: topology: Fix route memory corruption Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 08/38] exec: Fix ToCToU between perm check and set-uid/gid usage Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 09/38] LoongArch: Define __ARCH_WANT_NEW_STAT in unistd.h Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 10/38] nfsd: move reply cache initialization into nfsd startup Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 11/38] nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 12/38] NFSD: Refactor nfsd_reply_cache_free_locked() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 13/38] NFSD: Rename nfsd_reply_cache_alloc() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 14/38] NFSD: Replace nfsd_prune_bucket() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 15/38] NFSD: Refactor the duplicate reply cache shrinker Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 16/38] NFSD: Rewrite synopsis of nfsd_percpu_counters_init() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 17/38] NFSD: Fix frame size warning in svc_export_parse() Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 18/38] sunrpc: dont change ->sv_stats if it doesnt exist Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 19/38] nfsd: stop setting ->pg_stats for unused stats Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 20/38] sunrpc: pass in the sv_stats struct through svc_create_pooled Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 21/38] sunrpc: remove ->pg_stats from svc_program Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 22/38] sunrpc: use the struct net as the svc proc private Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 23/38] nfsd: rename NFSD_NET_* to NFSD_STATS_* Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 24/38] nfsd: expose /proc/net/sunrpc/nfsd in net namespaces Greg Kroah-Hartman
2024-08-15 13:25 ` [PATCH 6.1 25/38] nfsd: make all of the nfsd stats per-network namespace Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 26/38] nfsd: remove nfsd_stats, make th_cnt a global counter Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 27/38] nfsd: make svc_stat per-network namespace instead of global Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 28/38] nvme/pci: Add APST quirk for Lenovo N60z laptop Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 29/38] mptcp: fully established after ADD_ADDR echo on MPJ Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 30/38] drm/i915/gem: Fix Virtual Memory mapping boundaries calculation Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 31/38] cgroup: Make operations on the cgroup root_list RCU safe Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 32/38] drm/i915: Add a function to mmap framebuffer obj Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 33/38] drm/i915: Fix a NULL vs IS_ERR() bug Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 34/38] drm/i915/gem: Adjust vma offset for framebuffer mmap offset Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 35/38] binfmt_flat: Fix corruption when not offsetting data start Greg Kroah-Hartman
2024-08-15 13:26 ` [PATCH 6.1 36/38] cgroup: Move rcu_head up near the top of cgroup_root Greg Kroah-Hartman
2024-08-15 13:26 ` Greg Kroah-Hartman [this message]
2024-08-15 13:26 ` [PATCH 6.1 38/38] KVM: arm64: Dont pass a TLBI level hint when zapping table entries Greg Kroah-Hartman
2024-08-15 18:54 ` [PATCH 6.1 00/38] 6.1.106-rc1 review Pavel Machek
2024-08-15 18:55 ` Peter Schneider
2024-08-15 21:43 ` Florian Fainelli
2024-08-16 8:47 ` Anders Roxell
2024-08-16 11:24 ` Mark Brown
2024-08-16 19:44 ` Jon Hunter
2024-08-16 20:44 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240815131834.380356813@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=johannes.berg@intel.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.