From patchwork Fri Dec 30 18:49:50 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ben Greear X-Patchwork-Id: 9492385 X-Patchwork-Delegate: johannes@sipsolutions.net Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6F3BA60417 for ; Fri, 30 Dec 2016 18:50:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F08E1FF1D for ; Fri, 30 Dec 2016 18:50:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 51A0022689; Fri, 30 Dec 2016 18:50:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EFE031FF1D for ; Fri, 30 Dec 2016 18:50:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754084AbcL3St7 (ORCPT ); Fri, 30 Dec 2016 13:49:59 -0500 Received: from mail2.candelatech.com ([208.74.158.173]:55292 "EHLO mail2.candelatech.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753491AbcL3St6 (ORCPT ); Fri, 30 Dec 2016 13:49:58 -0500 Received: from ben-dt3.candelatech.com (firewall.candelatech.com [50.251.239.81]) by mail2.candelatech.com (Postfix) with ESMTP id 3677C40A5C4; Fri, 30 Dec 2016 10:49:57 -0800 (PST) From: greearb@candelatech.com To: linux-wireless@vger.kernel.org Cc: johannes@sipsolutions.net, Ben Greear Subject: [PATCH] mac80211: Fix invalid 'info' access in xmit-fast. Date: Fri, 30 Dec 2016 10:49:50 -0800 Message-Id: <1483123790-14412-1-git-send-email-greearb@candelatech.com> X-Mailer: git-send-email 2.4.11 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Ben Greear ieee80211_xmit_fast assigns info from the passed-in skb, but then later it also checks for skb_shared(skb), and may create a new skb based on that check. But, the code did not re-assign 'info', so it pointed into the old shared skb. This leads to all sorts of problems, most obviously crashes since the new skb's info->hw_queue is not properly initialized. Bug was seen by sending pktgen packets on a bridge that had an AP network interface in it. hw-queue was out of range, which made it crash like this: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] ieee80211_tx_frags+0x232/0x4c0 [mac80211] PGD 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 1512 Comm: kpktgend_0 Tainted: G O 4.7.10+ #24 Hardware name: To be filled by O.E.M. To be filled by O.E.M./ChiefRiver, BIOS 4.6.5 06/07/2013 task: ffff8802132f3a00 ti: ffff8800362ac000 task.ti: ffff8800362ac000 RIP: 0010:[] [] ieee80211_tx_frags+0x232/0x4c0 [mac80211] RSP: 0018:ffff8800362afa28 EFLAGS: 00010086 RAX: ffff8802130a22c0 RBX: ffff8802130a13a0 RCX: ffff880035ef2200 RDX: ffff880035ef2200 RSI: 0000000000000292 RDI: 0000000000000000 RBP: ffff8800362afa90 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000088 R11: 0000000000000001 R12: ffff880035ef2200 R13: ffff880035dabb90 R14: ffff8800362afb18 R15: 0000000000000cc0 FS: 0000000000000000(0000) GS:ffff88021e200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000001e06000 CR4: 00000000001406f0 Stack: 0000000000000292 ffff880035daa880 ffff8802130a0b20 ffff8800d4f01808 00ff8800362afaa0 ffff8800362afb18 ffff8802130a13c0 ffff88021e20db68 ffff880035daa880 ffff8800362afb18 ffff880035ef2200 ffff88020f6ca300 Call Trace: [] __ieee80211_subif_start_xmit+0xc13/0xc30 [mac80211] [] ? find_busiest_group+0x35/0x4a0 [] ieee80211_subif_start_xmit+0xb/0x10 [mac80211] [] dev_hard_start_xmit+0x9b/0x220 [] sch_direct_xmit+0xd6/0x1a0 [] __dev_queue_xmit+0x3be/0x6c0 [] ? finish_task_switch+0x73/0x1f0 [] dev_queue_xmit+0xd/0x10 [] br_dev_queue_push_xmit+0x75/0x140 [bridge] [] br_forward_finish+0x29/0xa0 [bridge] [] ? del_timer_sync+0x43/0x50 [] __br_deliver+0x62/0x130 [bridge] [] ? __getnstimeofday64+0x37/0xd0 [] ? getnstimeofday64+0x9/0x30 [] br_deliver+0x56/0x60 [bridge] [] br_dev_xmit+0x1c2/0x250 [bridge] [] pktgen_thread_worker+0x174c/0x2471 [pktgen] [] ? __schedule+0x30a/0x7c0 [] ? wake_atomic_t_function+0x60/0x60 [] ? pktgen_rem_all_ifs+0x80/0x80 [pktgen] [] kthread+0xc4/0xe0 [] ret_from_fork+0x1f/0x40 [] ? kthread_worker_fn+0x180/0x180 Fix this by re-assigning info after creating new one. Signed-off-by: Ben Greear --- This patch is against 4.7.10+ net/mac80211/tx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 0573ab9..3da5f94 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -3081,6 +3081,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata, if (!skb) return true; + info = IEEE80211_SKB_CB(skb); } ieee80211_tx_stats(dev, skb->len + extra_head);