Message-ID: <20251122060614.148101-1-qiang.zhang@linux.dev>
Date: Sat, 22 Nov 2025 14:06:13 +0800
From: Zqiang <qiang.zhang@...ux.dev>
To: johannes@...solutions.net
Cc: linux-kernel@...r.kernel.org,
	qiang.zhang@...ux.dev,
	qiang.zhang1211@...il.com,
	syzbot+b59873f5699e941717ca@...kaller.appspotmail.com
Subject: [PATCH] wifi: mac80211: Fix suspicious RCU usage in ieee80211_mesh_csa_beacon()

ieee80211_mesh_csa_beacon() is protected by the wiphy->mtx lock,
this commit therefore uses sdata_dereference() instead of
rcu_dereference() to get ifmsh->csa, to fix the following warnings:

net/mac80211/mesh.c:1571 suspicious rcu_dereference_check() usage!
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 lockdep_rcu_suspicious+0x140/0x1d0 kernel/locking/lockdep.c:6876
 ieee80211_mesh_csa_beacon+0x280/0x2c0 net/mac80211/mesh.c:1571
 ieee80211_set_csa_beacon+0x3cc/0x9a0 net/mac80211/cfg.c:4288
 __ieee80211_channel_switch net/mac80211/cfg.c:4406 [inline]
 ieee80211_channel_switch+0x8ef/0xcb0 net/mac80211/cfg.c:4442
 rdev_channel_switch+0x108/0x290 net/wireless/rdev-ops.h:1116
 nl80211_channel_switch+0xac9/0xd70 net/wireless/nl80211.c:11475
 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x830 net/socket.c:2630
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
 __sys_sendmsg net/socket.c:2716 [inline]
 __do_sys_sendmsg net/socket.c:2721 [inline]
 __se_sys_sendmsg net/socket.c:2719 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2719
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

Reported-by: syzbot+b59873f5699e941717ca@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b59873f5699e941717ca
Signed-off-by: Zqiang <qiang.zhang@...ux.dev>
---
 net/mac80211/mesh.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index f37068a533f4..97eb19416e23 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1568,7 +1568,7 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
 
 	ret = ieee80211_mesh_rebuild_beacon(sdata);
 	if (ret) {
-		tmp_csa_settings = rcu_dereference(ifmsh->csa);
+		tmp_csa_settings = sdata_dereference(ifmsh->csa, sdata);
 		RCU_INIT_POINTER(ifmsh->csa, NULL);
 		kfree_rcu(tmp_csa_settings, rcu_head);
 		return ret;
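
Review bot: the replaced line in the `if (ret)` error path now depends on wiphy->mtx being held by every caller of ieee80211_mesh_csa_beacon(), yet the commit message only asserts this and the trace covers a single entry path (nl80211_channel_switch -> ieee80211_channel_switch -> ieee80211_set_csa_beacon). Please state in the commit message where on that path the lock is taken and confirm no other caller reaches this function without it, because sdata_dereference() carries its own lockdep condition and would simply produce a different splat if the assumption is wrong. The patch also has no Fixes: tag; adding one that names the commit which introduced the rcu_dereference() here would help stable backports.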
-- 
2.48.1