diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2021-05-17 18:04:31 +0300 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2021-06-30 15:47:19 +0300 |
| commit | a9028333001f793b2724e8be42fce3336de2cf1c (patch) | |
| tree | 639ce5e15f9fb3b2be3c9c92aa080cd730fdcc27 /drivers/net | |
| parent | 8cfe765afd5a8d127770780f45fd971a28897484 (diff) | |
| download | linux-a9028333001f793b2724e8be42fce3336de2cf1c.tar.xz | |
mac80211_hwsim: drop pending frames on stop
[ Upstream commit bd18de517923903a177508fc8813f44e717b1c00 ]
Syzbot reports that we may be able to get into a situation where
mac80211 has pending ACK frames on shutdown with hwsim. It appears
that the reason for this is that syzbot uses the wmediumd hooks to
intercept/injection frames, and may shut down hwsim, removing the
radio(s), while frames are pending in the air simulation.
Clean out the pending queue when the interface is stopped, after
this the frames can't be reported back to mac80211 properly anyway.
Reported-by: syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/net')
| -rw-r--r-- | drivers/net/wireless/mac80211_hwsim.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 3b3fc7c9c91d..f147d4feedb9 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -1623,8 +1623,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw) static void mac80211_hwsim_stop(struct ieee80211_hw *hw) { struct mac80211_hwsim_data *data = hw->priv; + data->started = false; hrtimer_cancel(&data->beacon_timer); + + while (!skb_queue_empty(&data->pending)) + ieee80211_free_txskb(hw, skb_dequeue(&data->pending)); + wiphy_dbg(hw->wiphy, "%s\n", __func__); } |