From patchwork Wed Jun 3 06:36:13 2015
X-Patchwork-Submitter: Michal Kazior
X-Patchwork-Id: 6532511
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Michal Kazior
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Michal Kazior
Subject: [PATCH] mac80211: release channel on auth failure
Date: Wed, 3 Jun 2015 08:36:13 +0200
Message-Id: <1433313373-28216-1-git-send-email-michal.kazior@tieto.com>

There were a few rare cases when upon authentication failure channel
wasn't released. This could cause stale pointers to remain in chanctx
assigned_vifs after interface removal and trigger general protection
fault later.

This could be triggered, e.g. on ath10k with the following steps:

 1. start an AP
 2. create 2 extra vifs on ath10k host
 3. connect vif1 to the AP
 4. connect vif2 to the AP
    (auth fails because ath10k firmware isn't able to maintain 2 peers
    with colliding AP mac addresses across vifs and consequently
    refuses sta_info_insert() in ieee80211_prep_connection())
 5. remove the 2 extra vifs
 6. goto step 2; at step 3 kernel was crashing:

 general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
 Modules linked in: ath10k_pci ath10k_core ath
 ...
 Call Trace:
  [] ieee80211_check_combinations+0x22b/0x290
  [] ? ieee80211_check_concurrent_iface+0x125/0x220
  [] ? netpoll_poll_disable+0x84/0x100
  [] ieee80211_check_concurrent_iface+0x133/0x220
  [] ieee80211_open+0x3e/0x80
  [] __dev_open+0xb6/0x130
  [] __dev_change_flags+0xa1/0x170
 ...
 RIP [] ieee80211_chanctx_radar_detect+0xa0/0x170

 (gdb) l * ieee80211_chanctx_radar_detect+0xa0
 0xffffffff81a23140 is in ieee80211_chanctx_radar_detect
 (/devel/src/linux/net/mac80211/util.c:3182).
3177 */ 3178 WARN_ON(ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER && 3179 !list_empty(&ctx->assigned_vifs)); 3180 3181 list_for_each_entry(sdata, &ctx->assigned_vifs, assigned_chanctx_list) 3182 if (sdata->radar_required) 3183 radar_detect |= BIT(sdata->vif.bss_conf.chandef.width); 3184 3185 return radar_detect; Signed-off-by: Michal Kazior --- net/mac80211/mlme.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 387fe70ab126..e7ef6f15b687 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -4589,6 +4589,9 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata, eth_zero_addr(ifmgd->bssid); ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BSSID); ifmgd->auth_data = NULL; + mutex_lock(&sdata->local->mtx); + ieee80211_vif_release_channel(sdata); + mutex_unlock(&sdata->local->mtx); err_free: kfree(auth_data); return err;
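
Review bot: the added ieee80211_vif_release_channel() call sits above the err_free: label in ieee80211_mgd_auth(), so any failure that jumps straight to err_free still skips the release. The commit message places the failing call (sta_info_insert()) inside ieee80211_prep_connection(), so please confirm, and say in the message, that this failure falls through the new lines rather than going to err_free; if it does not, the channel also needs releasing on the ieee80211_prep_connection() error path. The message mentions "a few rare cases" without listing them; naming the paths that were audited would make it possible to check that none is left with a stale entry in assigned_vifs. Please also confirm that no caller reaches this point with sdata->local->mtx already held, since the new mutex_lock() would then deadlock.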