Today's Topics:
1. Fwd: [PATCH] mac80211: prevent skb/txq mismatch (Dave Taht)
---------- Forwarded message ----------
From: Dave Taht <dave.taht@gmail.com>
To: make-wifi-fast@lists.bufferbloat.net
Cc:
Date: Thu, 12 Jan 2017 10:44:12 -0800
Subject: [Make-wifi-fast] Fwd: [PATCH] mac80211: prevent skb/txq mismatch
yea! (I think)
---------- Forwarded message ----------
From: Michal Kazior <michal.kazior@tieto.com>
Date: Thu, Jan 12, 2017 at 6:28 AM
Subject: [PATCH] mac80211: prevent skb/txq mismatch
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, greearb@candelatech.com,
mohammed@qti.qualcomm.com, Michal Kazior <michal.kazior@tieto.com>

Station structure is considered as not uploaded
(to driver) until drv_sta_state() finishes. This
call is however done after the structure is
attached to mac80211 internal lists and hashes.
This means mac80211 can look up (and use) station
structure before it is uploaded to a driver.

If this happens (structure exists, but
sta->uploaded is false) fast_tx path can still be
taken. Deep in the fastpath call the sta->uploaded
is checked against to derive "pubsta" argument for
ieee80211_get_txq(). If sta->uploaded is false
(and sta is actually non-NULL) ieee80211_get_txq()
is effectively downgraded to vif->txq.

At first glance this may look innocent but it coerces
mac80211 into a state that is almost guaranteed
(codel may drop offending skb) to crash because a
station-oriented skb gets queued up on
vif-oriented txq. The ieee80211_tx_dequeue() ends
up looking at info->control.flags and tries to use
txq->sta which in the fail case is NULL.
..........
_______________________________________________
Make-wifi-fast mailing list
Make-wifi-fast@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/make-wifi-fast
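
A simplified user-space model of the skb/txq mismatch described in the commit message above, added here as an example; it is not code from the patch or from mac80211, and every struct and function name in it is illustrative. The guarded variant shows one possible defensive check, assumed for illustration and not necessarily the change the patch makes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; every name below is illustrative, not mac80211's. */
struct sta { bool uploaded; };
struct txq { struct sta *sta; };      /* sta == NULL marks the per-vif queue */
struct skb { bool sta_oriented; };    /* stands in for info->control.flags */

/* Selection as described: pubsta is derived from sta->uploaded, and a NULL
 * pubsta silently falls back to the vif queue. */
static struct txq *select_txq_unchecked(struct txq *vif_txq, struct sta *sta,
                                        struct txq *sta_txq)
{
    struct sta *pubsta = (sta && sta->uploaded) ? sta : NULL;
    return pubsta ? sta_txq : vif_txq;
}

/* Assumed guard: a known but not yet uploaded station gets no txq at all. */
static struct txq *select_txq_checked(struct txq *vif_txq, struct sta *sta,
                                      struct txq *sta_txq)
{
    if (sta)
        return sta->uploaded ? sta_txq : NULL;
    return vif_txq;
}

/* Returns 0 = consistent dequeue, -1 = station-oriented skb on a queue with
 * no station (the NULL txq->sta case), 1 = frame never entered a txq. */
static int simulate(bool checked, bool uploaded)
{
    struct sta sta = { .uploaded = uploaded };
    struct txq sta_txq = { .sta = &sta }, vif_txq = { .sta = NULL };
    struct skb skb = { .sta_oriented = true };
    struct txq *q = checked ? select_txq_checked(&vif_txq, &sta, &sta_txq)
                            : select_txq_unchecked(&vif_txq, &sta, &sta_txq);
    if (!q)
        return 1;
    return (skb.sta_oriented && q->sta == NULL) ? -1 : 0;
}

int main(void)
{
    printf("unchecked, not uploaded: %d\n", simulate(false, false));
    printf("checked,   not uploaded: %d\n", simulate(true, false));
    printf("unchecked, uploaded:     %d\n", simulate(false, true));
    return 0;
}
```

The model reports the mismatch as a return value instead of dereferencing the NULL pointer, so the failing case can be observed without crashing.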