From patchwork Mon Mar 31 10:39:29 2014
X-Patchwork-Submitter: Michal Kazior
X-Patchwork-Id: 3913641
From: Michal Kazior
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Michal Kazior
Subject: [PATCH v3 11/13] mac80211: fix racy usage of chanctx->refcount
Date: Mon, 31 Mar 2014 12:39:29 +0200
Message-Id: <1396262371-6466-12-git-send-email-michal.kazior@tieto.com>
In-Reply-To: <1396262371-6466-1-git-send-email-michal.kazior@tieto.com>
References: <1395409651-26120-1-git-send-email-michal.kazior@tieto.com> <1396262371-6466-1-git-send-email-michal.kazior@tieto.com>
X-Mailing-List: linux-wireless@vger.kernel.org

Channel context refcount is protected by chanctx_mtx. Accessing the value without holding the mutex is racy. The RCU section didn't guarantee anything here.

Theoretically ieee80211_channel_switch() could fail to see a refcount change and read "1" instead of, e.g., "2". This means mac80211 could accept CSA even though it shouldn't have.
Signed-off-by: Michal Kazior --- v2: * use rcu_dereference_protected() [Eliad/Johannes] net/mac80211/cfg.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 821143c..caa351b 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -3282,7 +3282,7 @@ int __ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev, { struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); struct ieee80211_local *local = sdata->local; - struct ieee80211_chanctx_conf *chanctx_conf; + struct ieee80211_chanctx_conf *conf; struct ieee80211_chanctx *chanctx; int err, num_chanctx, changed = 0; @@ -3299,23 +3299,24 @@ int __ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev, &sdata->vif.bss_conf.chandef)) return -EINVAL; - rcu_read_lock(); - chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); - if (!chanctx_conf) { - rcu_read_unlock(); + mutex_lock(&local->chanctx_mtx); + conf = rcu_dereference_protected(sdata->vif.chanctx_conf, + lockdep_is_held(&local->chanctx_mtx)); + if (!conf) { + mutex_unlock(&local->chanctx_mtx); return -EBUSY; } /* don't handle for multi-VIF cases */ - chanctx = container_of(chanctx_conf, struct ieee80211_chanctx, conf); + chanctx = container_of(conf, struct ieee80211_chanctx, conf); if (chanctx->refcount > 1) { - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); return -EBUSY; } num_chanctx = 0; list_for_each_entry_rcu(chanctx, &local->chanctx_list, list) num_chanctx++; - rcu_read_unlock(); + mutex_unlock(&local->chanctx_mtx); if (num_chanctx > 1) return -EBUSY;
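Review bot: the rename of chanctx_conf to conf in the first hunk of __ieee80211_channel_switch() is cosmetic and unrelated to the locking fix; keeping the original name here (or moving the rename into its own patch) keeps this fix minimal and easier to pick into stable.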
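Review bot: in the second hunk chanctx_mtx is released immediately after the num_chanctx count, before `if (num_chanctx > 1) return -EBUSY;` and before whatever of the switch follows, so a concurrent vif assignment can still raise chanctx->refcount between this check and the switch acting on it; the hunk closes the unsynchronized read, not the check-then-act window. Either hold the mutex until the decision has been acted on, or say in the commit message that the later path is serialized elsewhere. A smaller point: list_for_each_entry_rcu() over local->chanctx_list is now walked with no RCU read-side section around it; that is fine if list updates are serialized by chanctx_mtx, but a plain list_for_each_entry() under the mutex would make that intent explicit.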
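The point the commit message makes, that an RCU read-side section does not stop chanctx->refcount from changing underneath the check and only chanctx_mtx does, with rcu_dereference_protected(..., lockdep_is_held(...)) letting lockdep enforce that rule, is illustrated below with a userspace C model. This is an added example, not mac80211 code: the structs, the lockdep bookkeeping and the ieee80211_assign_vif_chanctx() stand-in are assumptions, and "another CPU" is a callback that, in this single-threaded model, can only make progress while the mutex is free.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct ieee80211_chanctx {
	int refcount;	/* vifs on this context; protected by chanctx_mtx */
};

struct ieee80211_local {
	struct ieee80211_chanctx *chanctx;	/* stands in for sdata->vif.chanctx_conf */
	bool chanctx_mtx_held;			/* the mutex plus lockdep's ownership record */
	int rcu_depth;				/* rcu_read_lock() nesting */
	int lockdep_splats;			/* "used without the required lock" reports */
};

/* Kernel primitives reduced to the bookkeeping lockdep keeps for them (model). */
static void mutex_lock(struct ieee80211_local *l)   { l->chanctx_mtx_held = true; }
static void mutex_unlock(struct ieee80211_local *l) { l->chanctx_mtx_held = false; }
static bool lockdep_is_held(const struct ieee80211_local *l) { return l->chanctx_mtx_held; }
static void rcu_read_lock(struct ieee80211_local *l)   { l->rcu_depth++; }
static void rcu_read_unlock(struct ieee80211_local *l) { l->rcu_depth--; }

/* rcu_dereference(): satisfied by any RCU read-side section. */
static struct ieee80211_chanctx *rcu_dereference(struct ieee80211_local *l)
{
	if (l->rcu_depth == 0)
		l->lockdep_splats++;
	return l->chanctx;
}

/* rcu_dereference_protected(p, cond): no RCU section needed, but cond must hold. */
static struct ieee80211_chanctx *rcu_dereference_protected(struct ieee80211_local *l, bool cond)
{
	if (!cond)
		l->lockdep_splats++;
	return l->chanctx;
}

/* A second vif joining the same chanctx on another CPU (assumed stand-in). It takes
 * chanctx_mtx, so it only makes progress while the mutex is free; when the switcher
 * holds the mutex it would block, which this single-threaded model reports as -EAGAIN. */
static int ieee80211_assign_vif_chanctx(struct ieee80211_local *l)
{
	if (lockdep_is_held(l))
		return -EAGAIN;
	mutex_lock(l);
	l->chanctx->refcount++;
	mutex_unlock(l);
	return 0;
}

/* Pre-patch shape: refcount read under rcu_read_lock() only. */
static int channel_switch_racy(struct ieee80211_local *l)
{
	int seen;
	rcu_read_lock(l);
	seen = rcu_dereference(l)->refcount;	/* lockdep is satisfied ... */
	rcu_read_unlock(l);
	ieee80211_assign_vif_chanctx(l);	/* ... but nothing excludes the writer */
	return seen > 1 ? -EBUSY : 0;		/* 0: CSA accepted on a stale "1" */
}

/* Post-patch shape: chanctx_mtx held across the check, as in the hunk. */
static int channel_switch_fixed(struct ieee80211_local *l)
{
	struct ieee80211_chanctx *conf;
	int ret;
	mutex_lock(l);
	conf = rcu_dereference_protected(l, lockdep_is_held(l));
	ieee80211_assign_vif_chanctx(l);	/* blocks on the mutex: refcount cannot move */
	ret = conf->refcount > 1 ? -EBUSY : 0;
	mutex_unlock(l);
	return ret;
}

/* The mistake the annotation catches: the protected form without taking the lock. */
static int channel_switch_forgot_lock(struct ieee80211_local *l)
{
	return rcu_dereference_protected(l, lockdep_is_held(l))->refcount > 1 ? -EBUSY : 0;
}

struct outcome { int ret, refcount, splats; };

/* Run one variant on a constructed state: a single vif on the context (refcount 1). */
static struct outcome run(int (*fn)(struct ieee80211_local *))
{
	struct ieee80211_chanctx ctx = { .refcount = 1 };
	struct ieee80211_local l = { .chanctx = &ctx };
	struct outcome o;
	o.ret = fn(&l);
	o.refcount = ctx.refcount;
	o.splats = l.lockdep_splats;
	return o;
}

int main(void)
{
	struct outcome r = run(channel_switch_racy), f = run(channel_switch_fixed);
	struct outcome m = run(channel_switch_forgot_lock);
	printf("racy:   ret=%d refcount=%d splats=%d\n", r.ret, r.refcount, r.splats);
	printf("fixed:  ret=%d refcount=%d splats=%d\n", f.ret, f.refcount, f.splats);
	printf("nolock: ret=%d refcount=%d splats=%d\n", m.ret, m.refcount, m.splats);
	return 0;
}
```

Run as a program, the racy variant accepts the CSA while refcount has already become 2 and lockdep has nothing to say about it, the fixed variant decides on a refcount that cannot move while the mutex is held, and the forgot-the-lock variant reads the right value but produces a lockdep report, which is what the rcu_dereference_protected() annotation buys. As in the hunk, the model releases the mutex as soon as the decision is made, so anything after that point that still depends on refcount staying at 1 needs its own protection.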