From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>,
Dmitry Vyukov <dvyukov@google.com>,
syzbot+0e964fad69a9c462bc1e@syzkaller.appspotmail.com,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 18/56] mac80211-hwsim: fix late beacon hrtimer handling
Date: Mon, 4 Oct 2021 14:52:38 +0200 [thread overview]
Message-ID: <20211004125030.582583434@linuxfoundation.org> (raw)
In-Reply-To: <20211004125030.002116402@linuxfoundation.org>
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 313bbd1990b6ddfdaa7da098d0c56b098a833572 ]
Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx
that our handling of the hrtimer here is wrong: If the timer fires
late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot)
then it tries to actually rearm the timer at the next deadline,
which might be in the past already:
1 2 3 N N+1
| | | ... | |
^ intended to fire here (1)
^ next deadline here (2)
^ actually fired here
The next time it fires, it's later, but will still try to schedule
for the next deadline (now 3), etc. until it catches up with N,
but that might take a long time, causing stalls etc.
Now, all of this is simulation, so we just have to fix it, but
note that the behaviour is wrong even per spec, since there's no
value then in sending all those beacons unaligned - they should be
aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a
bit (or a lot) late, then just resume at that point.
Therefore, change the code to use hrtimer_forward_now() which will
ensure that the next firing of the timer would be at N+1 (in the
picture), i.e. the next interval point after the current time.
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot+0e964fad69a9c462bc1e@syzkaller.appspotmail.com
Fixes: 01e59e467ecf ("mac80211_hwsim: hrtimer beacon")
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20210915112936.544f383472eb.I3f9712009027aa09244b65399bf18bf482a8c4f1@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mac80211_hwsim.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 1033513d3d9d..07b070b14d75 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1603,8 +1603,8 @@ mac80211_hwsim_beacon(struct hrtimer *timer)
bcn_int -= data->bcn_delta;
data->bcn_delta = 0;
}
- hrtimer_forward(&data->beacon_timer, hrtimer_get_expires(timer),
- ns_to_ktime(bcn_int * NSEC_PER_USEC));
+ hrtimer_forward_now(&data->beacon_timer,
+ ns_to_ktime(bcn_int * NSEC_PER_USEC));
return HRTIMER_RESTART;
}
--
2.33.0
next prev parent reply other threads:[~2021-10-04 13:15 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-04 12:52 [PATCH 5.4 00/56] 5.4.151-rc1 review Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 01/56] tty: Fix out-of-bound vmalloc access in imageblit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 02/56] cpufreq: schedutil: Use kobject release() method to free sugov_tunables Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 03/56] cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 04/56] usb: cdns3: fix race condition before setting doorbell Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 05/56] fs-verity: fix signed integer overflow with i_size near S64_MAX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 06/56] hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 07/56] hwmon: (w83792d) " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 08/56] hwmon: (w83791d) " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 09/56] scsi: ufs: Fix illegal offset in UPIU event trace Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 10/56] mac80211: fix use-after-free in CCMP/GCMP RX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 11/56] x86/kvmclock: Move this_cpu_pvti into kvmclock.h Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 12/56] drm/amd/display: Pass PCI deviceid into DC Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 13/56] ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 14/56] hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 15/56] mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 16/56] mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 17/56] mac80211: mesh: fix potentially unaligned access Greg Kroah-Hartman
2021-10-04 12:52 ` Greg Kroah-Hartman [this message]
2021-10-04 12:52 ` [PATCH 5.4 19/56] sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 20/56] hwmon: (tmp421) report /PVLD condition as fault Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 21/56] hwmon: (tmp421) fix rounding for negative values Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 22/56] net: ipv4: Fix rtnexthop len when RTA_FLOW is present Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 23/56] e100: fix length calculation in e100_get_regs_len Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 24/56] e100: fix buffer overrun in e100_get_regs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 25/56] selftests, bpf: test_lwt_ip_encap: Really disable rp_filter Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 26/56] Revert "block, bfq: honor already-setup queue merges" Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 27/56] scsi: csiostor: Add module softdep on cxgb4 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 28/56] net: hns3: do not allow call hns3_nic_net_open repeatedly Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 29/56] net: phy: bcm7xxx: request and manage GPHY clock Greg Kroah-Hartman
2021-10-04 20:35 ` Florian Fainelli
2021-10-05 6:56 ` Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 30/56] net: phy: bcm7xxx: Fixed indirect MMD operations Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 31/56] net: sched: flower: protect fl_walk() with rcu Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 32/56] af_unix: fix races in sk_peer_pid and sk_peer_cred accesses Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 33/56] perf/x86/intel: Update event constraints for ICX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 34/56] elf: dont use MAP_FIXED_NOREPLACE for elf interpreter mappings Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 35/56] debugfs: debugfs_create_file_size(): use IS_ERR to check for error Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 36/56] ipack: ipoctal: fix stack information leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 37/56] ipack: ipoctal: fix tty registration race Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 38/56] ipack: ipoctal: fix tty-registration error handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 39/56] ipack: ipoctal: fix missing allocation-failure check Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 40/56] ipack: ipoctal: fix module reference leak Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 41/56] ext4: fix loff_t overflow in ext4_max_bitmap_size() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 42/56] ext4: fix reserved space counter leakage Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 43/56] ext4: fix potential infinite loop in ext4_dx_readdir() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 44/56] HID: u2fzero: ignore incomplete packets without data Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 45/56] net: udp: annotate data race around udp_sk(sk)->corkflag Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 46/56] net: stmmac: dont attach interface until resume finishes Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 47/56] PCI: Fix pci_host_bridge struct device release/free handling Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 48/56] libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 49/56] hso: fix bailout in error case of probe Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 50/56] usb: hso: fix error handling code of hso_create_net_device Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 51/56] usb: hso: remove the bailout parameter Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 52/56] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 53/56] HID: betop: fix slab-out-of-bounds Write in betop_probe Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 54/56] netfilter: ipset: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 55/56] HID: usbhid: free raw_report buffers in usbhid_stop Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 56/56] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-04 20:36 ` Florian Fainelli
2021-10-04 19:47 ` [PATCH 5.4 00/56] 5.4.151-rc1 review Shuah Khan
2021-10-05 2:17 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211004125030.582583434@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+0e964fad69a9c462bc1e@syzkaller.appspotmail.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox