• Michal Kazior's avatar
    mac80211: release channel on auth failure · d01f858c
    Michal Kazior authored
    There were a few rare cases when upon
    authentication failure channel wasn't released.
    This could cause stale pointers to remain in
    chanctx assigned_vifs after interface removal and
    trigger general protection fault later.
    
    This could be triggered, e.g. on ath10k with the
    following steps:
    
     1. start an AP
     2. create 2 extra vifs on ath10k host
     3. connect vif1 to the AP
     4. connect vif2 to the AP
        (auth fails because ath10k firmware isn't able
         to maintain 2 peers with colliding AP mac
         addresses across vifs and consequently
         refuses sta_info_insert() in
         ieee80211_prep_connection())
     5. remove the 2 extra vifs
     6. goto step 2; at step 3 kernel was crashing:
    
     general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
     Modules linked in: ath10k_pci ath10k_core ath
     ...
     Call Trace:
      [<ffffffff81a2dabb>] ieee80211_check_combinations+0x22b/0x290
      [<ffffffff819fb825>] ? ieee80211_check_concurrent_iface+0x125/0x220
      [<ffffffff8180f664>] ? netpoll_poll_disable+0x84/0x100
      [<ffffffff819fb833>] ieee80211_check_concurrent_iface+0x133/0x220
      [<ffffffff81a0029e>] ieee80211_open+0x3e/0x80
      [<ffffffff817f2d26>] __dev_open+0xb6/0x130
      [<ffffffff817f3051>] __dev_change_flags+0xa1/0x170
     ...
     RIP  [<ffffffff81a23140>] ieee80211_chanctx_radar_detect+0xa0/0x170
    
     (gdb) l * ieee80211_chanctx_radar_detect+0xa0
     0xffffffff81a23140 is in ieee80211_chanctx_radar_detect (/devel/src/linux/net/mac80211/util.c:3182).
     3177             */
     3178            WARN_ON(ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER &&
     3179                    !list_empty(&ctx->assigned_vifs));
     3180
     3181            list_for_each_entry(sdata, &ctx->assigned_vifs, assigned_chanctx_list)
     3182                    if (sdata->radar_required)
     3183                            radar_detect |= BIT(sdata->vif.bss_conf.chandef.width);
     3184
     3185            return radar_detect;
    Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
    Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    d01f858c
mlme.c 145 KB