[LEDE-DEV] [PATCH 1/2] mac80211: backport some upstream fixes

Koen Vandeputte koen.vandeputte at ncentric.com
Fri Jan 13 01:34:52 PST 2017


Backports the following upstream fixes:

mac80211: initialize fast-xmit 'info' later
mac80211: fix legacy and invalid rx-rate report
mac80211: fix tid_agg_rx NULL dereference

Compiled and tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte at ncentric.com>
---
 .../349-mac80211-fix-legacy-invalid-rxrate.patch   | 60 +++++++++++++
 .../patches/350-mac80211-init-fastxmit-later.patch | 41 +++++++++
 .../patches/351-mac80211-fix-tid-agg-null.patch    | 99 ++++++++++++++++++++++
 3 files changed, 200 insertions(+)
 create mode 100644 package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch
 create mode 100644 package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch
 create mode 100644 package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch

diff --git a/package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch b/package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch
new file mode 100644
index 0000000..c160515
--- /dev/null
+++ b/package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch
@@ -0,0 +1,60 @@
+From a17d93ff3a950fefaea40e4a4bf3669b9137c533 Mon Sep 17 00:00:00 2001
+From: Ben Greear <greearb at candelatech.com>
+Date: Wed, 14 Dec 2016 11:30:38 -0800
+Subject: [PATCH] mac80211: fix legacy and invalid rx-rate report
+
+This fixes obtaining the rate info via sta_set_sinfo
+when the rx rate is invalid (for instance, on IBSS
+interface that has received no frames from one of its
+peers).
+
+Also initialize rinfo->flags for legacy rates, to not
+rely on the whole sinfo being initialized to zero.
+
+Signed-off-by: Ben Greear <greearb at candelatech.com>
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+---
+ net/mac80211/sta_info.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1975,6 +1975,7 @@ static void sta_stats_decode_rate(struct
+ 		u16 brate;
+ 		unsigned int shift;
+ 
++		rinfo->flags = 0;
+ 		sband = local->hw.wiphy->bands[(rate >> 4) & 0xf];
+ 		brate = sband->bitrates[rate & 0xf].bitrate;
+ 		if (rinfo->bw == RATE_INFO_BW_5)
+@@ -1990,14 +1991,15 @@ static void sta_stats_decode_rate(struct
+ 		rinfo->flags |= RATE_INFO_FLAGS_SHORT_GI;
+ }
+ 
+-static void sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo)
++static int sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo)
+ {
+ 	u16 rate = ACCESS_ONCE(sta_get_last_rx_stats(sta)->last_rate);
+ 
+ 	if (rate == STA_STATS_RATE_INVALID)
+-		rinfo->flags = 0;
+-	else
+-		sta_stats_decode_rate(sta->local, rate, rinfo);
++		return -EINVAL;
++
++	sta_stats_decode_rate(sta->local, rate, rinfo);
++	return 0;
+ }
+ 
+ static void sta_set_tidstats(struct sta_info *sta,
+@@ -2202,8 +2204,8 @@ void sta_set_sinfo(struct sta_info *sta,
+ 	}
+ 
+ 	if (!(sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE))) {
+-		sta_set_rate_info_rx(sta, &sinfo->rxrate);
+-		sinfo->filled |= BIT(NL80211_STA_INFO_RX_BITRATE);
++		if (sta_set_rate_info_rx(sta, &sinfo->rxrate) == 0)
++			sinfo->filled |= BIT(NL80211_STA_INFO_RX_BITRATE);
+ 	}
+ 
+ 	sinfo->filled |= BIT(NL80211_STA_INFO_TID_STATS);
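Review bot: The new `int` return of `sta_set_rate_info_rx` (the `static int` line in the sta_info.c hunk) carries no contract comment, and the only caller now silently drops the error, so a reader of the caller cannot tell from the code that a non-zero result means "no RX rate recorded yet" rather than a failure to report. A one-line comment above the function would make that explicit: `/* Returns 0 and fills @rinfo, or -EINVAL if no valid RX rate has been recorded for @sta (e.g. an IBSS peer with no received frames). */`. Note that `rinfo->flags = 0` is only added in the legacy branch of `sta_stats_decode_rate`; the other branches are outside this hunk, so whether they assign `flags` unconditionally should be confirmed in the surrounding code. The body of `sta_stats_decode_rate` starts before the hunk and `sta_set_sinfo` continues after it.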
diff --git a/package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch b/package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch
new file mode 100644
index 0000000..0b640ef
--- /dev/null
+++ b/package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch
@@ -0,0 +1,41 @@
+From 35f432a03e41d3bf08c51ede917f94e2288fbe8c Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Mon, 2 Jan 2017 11:19:29 +0100
+Subject: [PATCH] mac80211: initialize fast-xmit 'info' later
+
+In ieee80211_xmit_fast(), 'info' is initialized to point to the skb
+that's passed in, but that skb may later be replaced by a clone (if
+it was shared), leading to an invalid pointer.
+
+This can lead to use-after-free and also later crashes since the
+real SKB's info->hw_queue doesn't get initialized properly.
+
+Fix this by assigning info only later, when it's needed, after the
+skb replacement (may have) happened.
+
+Cc: stable at vger.kernel.org
+Reported-by: Ben Greear <greearb at candelatech.com>
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3297,7 +3297,7 @@ static bool ieee80211_xmit_fast(struct i
+ 	int extra_head = fast_tx->hdr_len - (ETH_HLEN - 2);
+ 	int hw_headroom = sdata->local->hw.extra_tx_headroom;
+ 	struct ethhdr eth;
+-	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
++	struct ieee80211_tx_info *info;
+ 	struct ieee80211_hdr *hdr = (void *)fast_tx->hdr;
+ 	struct ieee80211_tx_data tx;
+ 	ieee80211_tx_result r;
+@@ -3361,6 +3361,7 @@ static bool ieee80211_xmit_fast(struct i
+ 	memcpy(skb->data + fast_tx->da_offs, eth.h_dest, ETH_ALEN);
+ 	memcpy(skb->data + fast_tx->sa_offs, eth.h_source, ETH_ALEN);
+ 
++	info = IEEE80211_SKB_CB(skb);
+ 	memset(info, 0, sizeof(*info));
+ 	info->band = fast_tx->band;
+ 	info->control.vif = &sdata->vif;
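Review bot: `info` is now declared uninitialized at the top of `ieee80211_xmit_fast` and only assigned just before the `memset`, roughly sixty lines further down; any remaining use of `info` in the stretch between the two hunks (not visible here) would read an uninitialized pointer, so that stretch should be checked, or the build run with `-Wmaybe-uninitialized` to confirm none exists. The reason for the late assignment is only in the commit message, not in the code; a short comment at the assignment would preserve it for the next reader: `/* skb may have been replaced by a clone above (shared skb), so fetch the CB only now */`. `ieee80211_xmit_fast` begins before the first hunk and ends after the second.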
diff --git a/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch b/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch
new file mode 100644
index 0000000..9148cfa
--- /dev/null
+++ b/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch
@@ -0,0 +1,99 @@
+From 1c3d185a9a0b136a58e73b02912d593d0303d1da Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Tue, 18 Oct 2016 23:12:08 +0300
+Subject: [PATCH] mac80211: fix tid_agg_rx NULL dereference
+
+On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag,
+we crash when the peer sends an AddBA request while we already
+have a session open on the seame TID; this is because on those
+drivers, the tid_agg_rx is left NULL even though the session is
+valid, and the agg_session_valid bit is set.
+
+To fix this, store the dialog tokens outside the tid_agg_rx to
+be able to compare them to the received AddBA request.
+
+Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update")
+Reported-by: Emmanuel Grumbach <emmanuel.grumbach at intel.com>
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+---
+ net/mac80211/agg-rx.c      | 8 ++------
+ net/mac80211/debugfs_sta.c | 2 +-
+ net/mac80211/sta_info.h    | 4 ++--
+ 3 files changed, 5 insertions(+), 9 deletions(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -315,11 +315,7 @@ void __ieee80211_start_rx_ba_session(str
+ 	mutex_lock(&sta->ampdu_mlme.mtx);
+ 
+ 	if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
+-		tid_agg_rx = rcu_dereference_protected(
+-				sta->ampdu_mlme.tid_rx[tid],
+-				lockdep_is_held(&sta->ampdu_mlme.mtx));
+-
+-		if (tid_agg_rx->dialog_token == dialog_token) {
++		if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
+ 			ht_dbg_ratelimited(sta->sdata,
+ 					   "updated AddBA Req from %pM on tid %u\n",
+ 					   sta->sta.addr, tid);
+@@ -396,7 +392,6 @@ void __ieee80211_start_rx_ba_session(str
+ 	}
+ 
+ 	/* update data */
+-	tid_agg_rx->dialog_token = dialog_token;
+ 	tid_agg_rx->ssn = start_seq_num;
+ 	tid_agg_rx->head_seq_num = start_seq_num;
+ 	tid_agg_rx->buf_size = buf_size;
+@@ -418,6 +413,7 @@ end:
+ 	if (status == WLAN_STATUS_SUCCESS) {
+ 		__set_bit(tid, sta->ampdu_mlme.agg_session_valid);
+ 		__clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
++		sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
+ 	}
+ 	mutex_unlock(&sta->ampdu_mlme.mtx);
+ 
+--- a/net/mac80211/debugfs_sta.c
++++ b/net/mac80211/debugfs_sta.c
+@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struc
+ 		p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i);
+ 		p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx);
+ 		p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x",
+-				tid_rx ? tid_rx->dialog_token : 0);
++				tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0);
+ 		p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x",
+ 				tid_rx ? tid_rx->ssn : 0);
+ 
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -184,7 +184,6 @@ struct tid_ampdu_tx {
+  * @ssn: Starting Sequence Number expected to be aggregated.
+  * @buf_size: buffer size for incoming A-MPDUs
+  * @timeout: reset timer value (in TUs).
+- * @dialog_token: dialog token for aggregation session
+  * @rcu_head: RCU head used for freeing this struct
+  * @reorder_lock: serializes access to reorder buffer, see below.
+  * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and
+@@ -213,7 +212,6 @@ struct tid_ampdu_rx {
+ 	u16 ssn;
+ 	u16 buf_size;
+ 	u16 timeout;
+-	u8 dialog_token;
+ 	bool auto_seq;
+ 	bool removed;
+ };
+@@ -225,6 +223,7 @@ struct tid_ampdu_rx {
+  *	to tid_tx[idx], which are protected by the sta spinlock)
+  *	tid_start_tx is also protected by sta->lock.
+  * @tid_rx: aggregation info for Rx per TID -- RCU protected
++ * @tid_rx_token: dialog tokens for valid aggregation sessions
+  * @tid_rx_timer_expired: bitmap indicating on which TIDs the
+  *	RX timer expired until the work for it runs
+  * @tid_rx_stop_requested:  bitmap indicating which BA sessions per TID the
+@@ -243,6 +242,7 @@ struct sta_ampdu_mlme {
+ 	struct mutex mtx;
+ 	/* rx */
+ 	struct tid_ampdu_rx __rcu *tid_rx[IEEE80211_NUM_TIDS];
++	u8 tid_rx_token[IEEE80211_NUM_TIDS];
+ 	unsigned long tid_rx_timer_expired[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
+ 	unsigned long tid_rx_stop_requested[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
+ 	unsigned long agg_session_valid[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
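Review bot: The debugfs_sta.c change keeps the `tid_rx ?` gate when printing the token, but the commit message says that on drivers with SUPPORTS_REORDERING_BUFFER `tid_rx` stays NULL for a valid session, so on exactly those drivers the token column will print 0 for an active session; gating on the session bit instead, `test_bit(i, sta->ampdu_mlme.agg_session_valid) ? sta->ampdu_mlme.tid_rx_token[i] : 0`, would report what `__ieee80211_start_rx_ba_session` actually compares against. The new `tid_rx_token[tid]` is only written on WLAN_STATUS_SUCCESS and never cleared on session teardown; that is safe because every read visible here is behind `agg_session_valid`, but the struct comment could say so: `/* only meaningful while the TID's agg_session_valid bit is set */`. `__ieee80211_start_rx_ba_session` and `sta_agg_status_read` both start and end outside their hunks.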
-- 
2.7.4



