Patch "mac80211_hwsim: drop pending frames on stop" has been added to the 5.12-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 25 Jun 2021 21:31:09 -0400

This is a note to let you know that I've just added the patch titled

    mac80211_hwsim: drop pending frames on stop

to the 5.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mac80211_hwsim-drop-pending-frames-on-stop.patch
and it can be found in the queue-5.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 08d56e619dbfa4c98af169caa9acd43367a11826
Author: Johannes Berg <johannes.berg@xxxxxxxxx>
Date:   Mon May 17 17:04:31 2021 +0200

    mac80211_hwsim: drop pending frames on stop
    
    [ Upstream commit bd18de517923903a177508fc8813f44e717b1c00 ]
    
    Syzbot reports that we may be able to get into a situation where
    mac80211 has pending ACK frames on shutdown with hwsim. It appears
    that the reason for this is that syzbot uses the wmediumd hooks to
    intercept/injection frames, and may shut down hwsim, removing the
    radio(s), while frames are pending in the air simulation.
    
    Clean out the pending queue when the interface is stopped, after
    this the frames can't be reported back to mac80211 properly anyway.
    
    Reported-by: syzbot+a063bbf0b15737362592@xxxxxxxxxxxxxxxxxxxxxxxxx
    Link: https://lore.kernel.org/r/20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index fa7d4c20dc13..30b39cb4056a 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1693,8 +1693,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw)
 static void mac80211_hwsim_stop(struct ieee80211_hw *hw)
 {
 	struct mac80211_hwsim_data *data = hw->priv;
+
 	data->started = false;
 	hrtimer_cancel(&data->beacon_timer);
+
+	while (!skb_queue_empty(&data->pending))
+		ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
+
 	wiphy_dbg(hw->wiphy, "%s\n", __func__);
 }
 






