wifi: mac80211_hwsim: fix race condition in pending packet

commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream.

A pending packet uses a cookie as an unique key, but it can be duplicated
because it didn't use atomic operators.

And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
due to race condition with mac80211_hwsim_stop.

For this,
 * Use an atomic type and operator for a cookie
 * Add a lock around the loop for pending packets

Signed-off-by: Jeongik Cha <jeongik@google.com>
Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index c3189e2c7c93aca2702ac23381158135a7bf1ba6..3b5afd3545a755d1c3a3b6ae29f98f13513c05b8 100644 (file)
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -663,7 +663,7 @@ struct mac80211_hwsim_data {
        bool ps_poll_pending;
        struct dentry *debugfs;
 
-       uintptr_t pending_cookie;
+       atomic64_t pending_cookie;
        struct sk_buff_head pending;    /* packets pending */
        /*
         * Only radios in the same group can communicate together (the
@@ -1270,7 +1270,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
        int i;
        struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
        struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
-       uintptr_t cookie;
+       u64 cookie;
 
        if (data->ps != PS_DISABLED)
                hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
@@ -1339,8 +1339,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
                goto nla_put_failure;
 
        /* We create a cookie to identify this skb */
-       data->pending_cookie++;
-       cookie = data->pending_cookie;
+       cookie = (u64)atomic64_inc_return(&data->pending_cookie);
        info->rate_driver_data[0] = (void *)cookie;
        if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
                goto nla_put_failure;
@@ -3582,6 +3581,7 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
        const u8 *src;
        unsigned int hwsim_flags;
        int i;
+       unsigned long flags;
        bool found = false;
 
        if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
@@ -3609,18 +3609,20 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
        }
 
        /* look for the skb matching the cookie passed back from user */
+       spin_lock_irqsave(&data2->pending.lock, flags);
        skb_queue_walk_safe(&data2->pending, skb, tmp) {
                u64 skb_cookie;
 
                txi = IEEE80211_SKB_CB(skb);
-               skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
+               skb_cookie = (u64)txi->rate_driver_data[0];
 
                if (skb_cookie == ret_skb_cookie) {
-                       skb_unlink(skb, &data2->pending);
+                       __skb_unlink(skb, &data2->pending);
                        found = true;
                        break;
                }
        }
+       spin_unlock_irqrestore(&data2->pending.lock, flags);
 
        /* not found */
        if (!found)