[PATCH 4/5] mac80211: run late dequeue late tx handlers without holding fq->lock
Wen Gong
quic_wgong at quicinc.com
Mon Dec 5 01:46:15 PST 2022
On 3/17/2019 1:06 AM, Felix Fietkau wrote:
> Reduces lock contention on enqueue/dequeue of iTXQ packets
>
> Signed-off-by: Felix Fietkau <nbd at nbd.name>
> ---
> net/mac80211/tx.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
> index 8127e43e12b1..f85344c9af62 100644
> --- a/net/mac80211/tx.c
> +++ b/net/mac80211/tx.c
> @@ -3544,6 +3544,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
> ieee80211_tx_result r;
> struct ieee80211_vif *vif = txq->vif;
>
> +begin:
> spin_lock_bh(&fq->lock);
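Review bot: the new `begin:` label is placed above spin_lock_bh(&fq->lock) but nothing resets `skb` there, so a `goto begin` taken after a frame has been freed re-enters the early-exit checks with `skb` still pointing at that frame; if one of those checks then takes `goto out`, the function returns the stale pointer. Suggest clearing it on the retry path, e.g. `begin:` followed by `skb = NULL;`, or setting `skb = NULL` before the jump back.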
Maybe use-after-free will happen?
You can see ieee80211_tx_dequeue() in tx.c as below: after
ieee80211_free_txskb(), it will goto begin.
If goto out happens in the check below, then the skb which was freed will be
returned, and use-after-free will happen.
https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/tree/net/mac80211/tx.c?id=ded4698b58cb23c22b0dcbd829ced19ce4e6ce02#n3538
begin:
	spin_lock_bh(&fq->lock);

	if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
	    test_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags))
		goto out;

	if (vif->txqs_stopped[ieee80211_ac_from_tid(txq->tid)]) {
		set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txqi->flags);
		goto out;
	}

	/* Make sure fragments stay together. */
	skb = __skb_dequeue(&txqi->frags);
	if (skb)
		goto out;

	skb = fq_tin_dequeue(fq, tin, fq_tin_dequeue_func);
	if (!skb)
		goto out;

	spin_unlock_bh(&fq->lock);
Maybe "skb = NULL;" should be added after "begin:".
...
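As an added, constructed model (not code from the patch or from mac80211) of the control flow discussed above: a retry label placed before the lock, a dropped frame freed on the retry path, and an early exit that returns whatever `skb` still holds. The names fake_skb, fake_txq, tx_dequeue and returns_freed_skb are invented for this illustration, and the STOP flag is flipped when a frame is dropped to force the interleaving the reply worries about.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for sk_buff and the txq state, not kernel code:
 * one pending frame, a STOP flag, and a knob that sets STOP when a frame
 * is dropped (the interleaving the reply worries about). */
struct fake_skb { int id; bool freed; };
struct fake_txq { struct fake_skb *pending; bool stop, stop_after_drop; };

/* Same control flow as the quoted ieee80211_tx_dequeue(): every early
 * exit jumps to out: and returns whatever `skb` currently holds.  Even
 * ids stand in for frames the late tx handlers reject. */
static struct fake_skb *tx_dequeue(struct fake_txq *q, bool reset_on_retry)
{
	struct fake_skb *skb = NULL;

begin:
	if (reset_on_retry)
		skb = NULL;          /* the "skb = NULL;" after begin: from the reply */
	/* spin_lock_bh(&fq->lock) would be taken here */
	if (q->stop)
		goto out;
	skb = q->pending;        /* fq_tin_dequeue() equivalent */
	q->pending = NULL;
	if (!skb)
		goto out;
	/* spin_unlock_bh(&fq->lock) would be dropped here */
	if (skb->id % 2 == 0) {  /* late tx handlers drop the frame */
		skb->freed = true;   /* ieee80211_free_txskb() equivalent */
		if (q->stop_after_drop)
			q->stop = true;  /* queue stopped before the retry */
		goto begin;
	}
	return skb;
out:
	/* spin_unlock_bh(&fq->lock) would be dropped here */
	return skb;
}

/* 1 if the dequeue handed back an already-freed buffer, 0 otherwise. */
static int returns_freed_skb(bool reset_on_retry)
{
	struct fake_skb first = { .id = 2, .freed = false };
	struct fake_txq q = { .pending = &first, .stop = false,
			      .stop_after_drop = true };
	struct fake_skb *skb = tx_dequeue(&q, reset_on_retry);

	return skb && skb->freed;
}
```

With reset_on_retry false the caller receives the freed buffer; with the reset in place the retry returns NULL instead.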
More information about the ath11k mailing list