• Michal Kazior's avatar
    mac80211: prevent possible crypto tx tailroom corruption · ab499db8
    Michal Kazior authored
    There was a possible race between
    ieee80211_reconfig() and
    ieee80211_delayed_tailroom_dec(). This could
    result in inability to transmit data if driver
    crashed during roaming or rekeying and subsequent
    skbs with insufficient tailroom appeared.
    
    This race was probably never seen in the wild
    because a device driver would have to crash AND
    recover within 0.5s which is very unlikely.
    
    I was able to prove this race exists after
    changing the delay to 10s locally and crashing
    ath10k via debugfs immediately after GTK
    rekeying. In case of ath10k the counter went below
    0. This was harmless but other drivers which
    actually require tailroom (e.g. for WEP ICV or
    MMIC) could end up with the counter at 0 instead
    of >0 and introduce insufficient skb tailroom
    failures because mac80211 would not resize skbs
    appropriately anymore.
    
    Fixes: 8d1f7ecd ("mac80211: defer tailroom counter manipulation when roaming")
    Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
    Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    ab499db8
main.c 34.5 KB