From: Johannes Berg <johannes.berg@intel.com>
Date: Thu, 12 Oct 2023 10:34:47 +0000 (+0200)
Subject: wifi: mac80211: fix change_address deadlock during unregister
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=74a7c93f45abba538914a65dd2ef2ea7cf7150e2;p=linux.git

wifi: mac80211: fix change_address deadlock during unregister

When using e.g. bonding, and doing a sequence such as

 # iw wlan0 set type __ap
 # ip link add name bond1 type bond
 # ip link set wlan0 master bond1
 # iw wlan0 interface del

we deadlock, since the wlan0 interface removal will cause
bonding to reset the MAC address of wlan0.

The locking would be somewhat difficult to fix, but since
this only happens during removal, we can simply ignore the
MAC address change at this time.

Reported-by: syzbot+25b3a0b24216651bc2af@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20231012123447.9f9d7fd1f237.Ic3a5ef4391b670941a69cec5592aefc79d9c2890@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 124cc53f6b34e..e4e7c0b38cb6e 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -298,6 +298,14 @@ static int ieee80211_change_mac(struct net_device *dev, void *addr)
 	struct ieee80211_local *local = sdata->local;
 	int ret;
 
+	/*
+	 * This happens during unregistration if there's a bond device
+	 * active (maybe other cases?) and we must get removed from it.
+	 * But we really don't care anymore if it's not registered now.
+	 */
+	if (!dev->ieee80211_ptr->registered)
+		return 0;
+
 	wiphy_lock(local->hw.wiphy);
 	ret = _ieee80211_change_mac(sdata, addr);
 	wiphy_unlock(local->hw.wiphy);