mac80211: release channel on auth failure
There were a few rare cases when upon authentication failure channel wasn't released. This could cause stale pointers to remain in chanctx assigned_vifs after interface removal and trigger general protection fault later. This could be triggered, e.g. on ath10k with the following steps: 1. start an AP 2. create 2 extra vifs on ath10k host 3. connect vif1 to the AP 4. connect vif2 to the AP (auth fails because ath10k firmware isn't able to maintain 2 peers with colliding AP mac addresses across vifs and consequently refuses sta_info_insert() in ieee80211_prep_connection()) 5. remove the 2 extra vifs 6. goto step 2; at step 3 kernel was crashing: general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC Modules linked in: ath10k_pci ath10k_core ath ... Call Trace: [<ffffffff81a2dabb>] ieee80211_check_combinations+0x22b/0x290 [<ffffffff819fb825>] ? ieee80211_check_concurrent_iface+0x125/0x220 [<ffffffff8180f664>] ? netpoll_poll_disable+0x84/0x100 [<ffffffff819fb833>] ieee80211_check_concurrent_iface+0x133/0x220 [<ffffffff81a0029e>] ieee80211_open+0x3e/0x80 [<ffffffff817f2d26>] __dev_open+0xb6/0x130 [<ffffffff817f3051>] __dev_change_flags+0xa1/0x170 ... RIP [<ffffffff81a23140>] ieee80211_chanctx_radar_detect+0xa0/0x170 (gdb) l * ieee80211_chanctx_radar_detect+0xa0 0xffffffff81a23140 is in ieee80211_chanctx_radar_detect (/devel/src/linux/net/mac80211/util.c:3182). 3177 */ 3178 WARN_ON(ctx->replace_state == IEEE80211_CHANCTX_REPLACES_OTHER && 3179 !list_empty(&ctx->assigned_vifs)); 3180 3181 list_for_each_entry(sdata, &ctx->assigned_vifs, assigned_chanctx_list) 3182 if (sdata->radar_required) 3183 radar_detect |= BIT(sdata->vif.bss_conf.chandef.width); 3184 3185 return radar_detect; Signed-off-by: NMichal Kazior <michal.kazior@tieto.com> Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Showing
想要评论请 注册 或 登录