Re: [PATCH] wifi: mac80211: fix static key race condition in aql_enable_write()

Next message: Anthony Yznaga: "[PATCH] mm: prevent droppable mappings from being locked"
Previous message: Long Li: "RE: [EXTERNAL] Re: [v2,net-next,1/6] net: mana: Create separate EQs for each vPort"
In reply to: Johannes Berg: "Re: [PATCH] wifi: mac80211: fix static key race condition in aql_enable_write()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Josh Poimboeuf

Date: Fri Mar 06 2026 - 15:46:53 EST

On Fri, Mar 06, 2026 at 09:23:07PM +0100, Johannes Berg wrote:
> On Fri, 2026-03-06 at 12:01 -0800, Josh Poimboeuf wrote:
> > If multiple tasks are writing to the 'aql_enable' debugfs file, it may
> > incorrectly call static_branch_dec() for an already disabled static key,
> > resulting in the following warning:
> >
> > val == 0
> > WARNING: kernel/jump_label.c:311 at __static_key_slow_dec_cpuslocked.part.0+0x107/0x120 kernel/jump_label.c:311, CPU#0: syz.1.3155/20288
> > ...
> > Call Trace:
> > <TASK>
> > __static_key_slow_dec_cpuslocked kernel/jump_label.c:297 [inline]
> > __static_key_slow_dec kernel/jump_label.c:321 [inline]
> > static_key_slow_dec+0x7c/0xc0 kernel/jump_label.c:336
> > aql_enable_write+0x2b2/0x310 net/mac80211/debugfs.c:343
> > short_proxy_write+0x133/0x1a0 fs/debugfs/file.c:383
> > vfs_write+0x2aa/0x1070 fs/read_write.c:684
> > ksys_pwrite64 fs/read_write.c:793 [inline]
> > __do_sys_pwrite64 fs/read_write.c:801 [inline]
> > __se_sys_pwrite64 fs/read_write.c:798 [inline]
> > __x64_sys_pwrite64+0x1eb/0x250 fs/read_write.c:798
> > do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> > do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > Fix it by using the atomic static_branch_{enable,disable}() interfaces.
>
> Heh, I just applied the same change:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/commit/?id=b94ae8e0d5fe1bdbbfdc3854ff6ce98f6876a828

Ha, and the code looks identical. I approve ;-)

--
Josh