From patchwork Tue Mar 18 13:53:14 2014
X-Patchwork-Submitter: Michal Kazior
X-Patchwork-Id: 3853591
From: Michal Kazior
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Michal Kazior
Subject: [RFC 11/21] mac80211: fix racy usage of chanctx->refcount
Date: Tue, 18 Mar 2014 14:53:14 +0100
Message-Id: <1395150804-24090-12-git-send-email-michal.kazior@tieto.com>
In-Reply-To: <1395150804-24090-1-git-send-email-michal.kazior@tieto.com>
References: <1395150804-24090-1-git-send-email-michal.kazior@tieto.com>
X-Mailing-List: linux-wireless@vger.kernel.org

Channel context refcount is protected by chanctx_mtx. Accessing the
value without holding the mutex is racy. An RCU section didn't
guarantee anything here.

Theoretically ieee80211_channel_switch() could fail to see a refcount
change and read "1" instead of, e.g., "2". This means mac80211 could
accept CSA even though it shouldn't have.
Signed-off-by: Michal Kazior --- net/mac80211/cfg.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 137d379..61b62f4 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -3225,7 +3225,7 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev, { struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); struct ieee80211_local *local = sdata->local; - struct ieee80211_chanctx_conf *chanctx_conf; + struct ieee80211_chanctx_conf *conf; struct ieee80211_chanctx *chanctx; int err, num_chanctx, changed = 0; @@ -3241,23 +3241,24 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev, &sdata->vif.bss_conf.chandef)) return -EINVAL; - rcu_read_lock(); - chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); - if (!chanctx_conf) { - rcu_read_unlock(); + mutex_lock(&local->chanctx_mtx); + conf = rcu_dereference_protected(sdata->vif.chanctx_conf, + lockdep_is_held(&local->chanctx_mtx)); + if (!conf) { + mutex_unlock(&local->chanctx_mtx); return -EBUSY; } /* don't handle for multi-VIF cases */ - chanctx = container_of(chanctx_conf, struct ieee80211_chanctx, conf); + chanctx = container_of(conf, struct ieee80211_chanctx, conf); if (chanctx->refcount > 1) { - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); return -EBUSY; } num_chanctx = 0; list_for_each_entry_rcu(chanctx, &local->chanctx_list, list) num_chanctx++; - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); if (num_chanctx > 1) return -EBUSY;
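Review bot: the rename of `chanctx_conf` to `conf` in the first hunk (`- struct ieee80211_chanctx_conf *chanctx_conf;` / `+ struct ieee80211_chanctx_conf *conf;`) is cosmetic churn unrelated to the race fix named in the subject, and it drags a further `container_of()` line into the second hunk that would otherwise be untouched. Either drop the rename, split it into its own cleanup patch, or say in the commit message that it was done to keep the wrapped `rcu_dereference_protected()` call readable, so a reviewer can tell the locking change from the renaming at a glance.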
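Review bot: in the second hunk the mutex is dropped (`+ mutex_unlock(&local->chanctx_mtx);`) before the `if (num_chanctx > 1)` test and before the function continues past the hunk, so the `refcount` and `num_chanctx` values read under chanctx_mtx are consumed after the lock is gone and can go stale in between; that narrows the window the commit message describes rather than closing it. Consider holding chanctx_mtx across the rest of ieee80211_channel_switch(), or state in the commit message why a later stage of the switch re-validates or tolerates a stale result. Also, `list_for_each_entry_rcu(chanctx, &local->chanctx_list, list)` now runs under the mutex instead of an RCU read-side critical section; if writers to `local->chanctx_list` are serialized by chanctx_mtx, the plain `list_for_each_entry()` matches the new locking, and keeping the `_rcu` iterator without `rcu_read_lock()` at least deserves a comment.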