[PATCH] ath10k: drop beacon and probe response which leak from other channel

Tue Oct 26 17:59:24 PDT 2021

Hi Wen,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on v5.15-rc7]
[cannot apply to kvalo-ath/ath-next kvalo-wireless-drivers-next/master next-20211026]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Wen-Gong/ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel/20211026-105155
base:    3906fe9bb7f1a2c8667ae54e967dc8690824f4ea
config: nios2-allyesconfig (attached as .config)
compiler: nios2-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/023e143f5369642ccd3eca10fbce0eb7b1bf5696
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Wen-Gong/ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel/20211026-105155
        git checkout 023e143f5369642ccd3eca10fbce0eb7b1bf5696
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=nios2 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp at intel.com>

All errors (new ones prefixed by >>):

   drivers/net/wireless/ath/ath10k/wmi.c: In function 'ath10k_wmi_event_mgmt_rx':
>> drivers/net/wireless/ath/ath10k/wmi.c:2624:26: error: implicit declaration of function 'cfg80211_get_ies_channel_number'; did you mean 'cfg80211_get_chandef_type'? [-Werror=implicit-function-declaration]
    2624 |                 ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
         |                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         |                          cfg80211_get_chandef_type
   cc1: all warnings being treated as errors

vim +2624 drivers/net/wireless/ath/ath10k/wmi.c

  2498	
  2499	int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
  2500	{
  2501		struct wmi_mgmt_rx_ev_arg arg = {};
  2502		struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
  2503		struct ieee80211_hdr *hdr;
  2504		struct ieee80211_supported_band *sband;
  2505		u32 rx_status;
  2506		u32 channel;
  2507		u32 phy_mode;
  2508		u32 snr, rssi;
  2509		u32 rate;
  2510		u16 fc;
  2511		int ret, i;
  2512	
  2513		ret = ath10k_wmi_pull_mgmt_rx(ar, skb, &arg);
  2514		if (ret) {
  2515			ath10k_warn(ar, "failed to parse mgmt rx event: %d\n", ret);
  2516			dev_kfree_skb(skb);
  2517			return ret;
  2518		}
  2519	
  2520		channel = __le32_to_cpu(arg.channel);
  2521		rx_status = __le32_to_cpu(arg.status);
  2522		snr = __le32_to_cpu(arg.snr);
  2523		phy_mode = __le32_to_cpu(arg.phy_mode);
  2524		rate = __le32_to_cpu(arg.rate);
  2525	
  2526		memset(status, 0, sizeof(*status));
  2527	
  2528		ath10k_dbg(ar, ATH10K_DBG_MGMT,
  2529			   "event mgmt rx status %08x\n", rx_status);
  2530	
  2531		if ((test_bit(ATH10K_CAC_RUNNING, &ar->dev_flags)) ||
  2532		    (rx_status & (WMI_RX_STATUS_ERR_DECRYPT |
  2533		    WMI_RX_STATUS_ERR_KEY_CACHE_MISS | WMI_RX_STATUS_ERR_CRC))) {
  2534			dev_kfree_skb(skb);
  2535			return 0;
  2536		}
  2537	
  2538		if (rx_status & WMI_RX_STATUS_ERR_MIC)
  2539			status->flag |= RX_FLAG_MMIC_ERROR;
  2540	
  2541		if (rx_status & WMI_RX_STATUS_EXT_INFO) {
  2542			status->mactime =
  2543				__le64_to_cpu(arg.ext_info.rx_mac_timestamp);
  2544			status->flag |= RX_FLAG_MACTIME_END;
  2545		}
  2546		/* Hardware can Rx CCK rates on 5GHz. In that case phy_mode is set to
  2547		 * MODE_11B. This means phy_mode is not a reliable source for the band
  2548		 * of mgmt rx.
  2549		 */
  2550		if (channel >= 1 && channel <= 14) {
  2551			status->band = NL80211_BAND_2GHZ;
  2552		} else if (channel >= 36 && channel <= ATH10K_MAX_5G_CHAN) {
  2553			status->band = NL80211_BAND_5GHZ;
  2554		} else {
  2555			/* Shouldn't happen unless list of advertised channels to
  2556			 * mac80211 has been changed.
  2557			 */
  2558			WARN_ON_ONCE(1);
  2559			dev_kfree_skb(skb);
  2560			return 0;
  2561		}
  2562	
  2563		if (phy_mode == MODE_11B && status->band == NL80211_BAND_5GHZ)
  2564			ath10k_dbg(ar, ATH10K_DBG_MGMT, "wmi mgmt rx 11b (CCK) on 5GHz\n");
  2565	
  2566		sband = &ar->mac.sbands[status->band];
  2567	
  2568		status->freq = ieee80211_channel_to_frequency(channel, status->band);
  2569		status->signal = snr + ATH10K_DEFAULT_NOISE_FLOOR;
  2570	
  2571		BUILD_BUG_ON(ARRAY_SIZE(status->chain_signal) != ARRAY_SIZE(arg.rssi));
  2572	
  2573		for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
  2574			status->chains &= ~BIT(i);
  2575			rssi = __le32_to_cpu(arg.rssi[i]);
  2576			ath10k_dbg(ar, ATH10K_DBG_MGMT, "mgmt rssi[%d]:%d\n", i, arg.rssi[i]);
  2577	
  2578			if (rssi != ATH10K_INVALID_RSSI && rssi != 0) {
  2579				status->chain_signal[i] = ATH10K_DEFAULT_NOISE_FLOOR + rssi;
  2580				status->chains |= BIT(i);
  2581			}
  2582		}
  2583	
  2584		status->rate_idx = ath10k_mac_bitrate_to_idx(sband, rate / 100);
  2585	
  2586		hdr = (struct ieee80211_hdr *)skb->data;
  2587		fc = le16_to_cpu(hdr->frame_control);
  2588	
  2589		/* Firmware is guaranteed to report all essential management frames via
  2590		 * WMI while it can deliver some extra via HTT. Since there can be
  2591		 * duplicates split the reporting wrt monitor/sniffing.
  2592		 */
  2593		status->flag |= RX_FLAG_SKIP_MONITOR;
  2594	
  2595		ath10k_wmi_handle_wep_reauth(ar, skb, status);
  2596	
  2597		if (ath10k_wmi_rx_is_decrypted(ar, hdr)) {
  2598			status->flag |= RX_FLAG_DECRYPTED;
  2599	
  2600			if (!ieee80211_is_action(hdr->frame_control) &&
  2601			    !ieee80211_is_deauth(hdr->frame_control) &&
  2602			    !ieee80211_is_disassoc(hdr->frame_control)) {
  2603				status->flag |= RX_FLAG_IV_STRIPPED |
  2604						RX_FLAG_MMIC_STRIPPED;
  2605				hdr->frame_control = __cpu_to_le16(fc &
  2606						~IEEE80211_FCTL_PROTECTED);
  2607			}
  2608		}
  2609	
  2610		if (ieee80211_is_beacon(hdr->frame_control))
  2611			ath10k_mac_handle_beacon(ar, skb);
  2612	
  2613		if (ieee80211_is_beacon(hdr->frame_control) ||
  2614		    ieee80211_is_probe_resp(hdr->frame_control)) {
  2615			struct ieee80211_mgmt *mgmt = (void *)skb->data;
  2616			u8 *ies;
  2617			int ies_ch;
  2618	
  2619			if (!ar->scan_channel)
  2620				goto drop;
  2621	
  2622			ies = mgmt->u.beacon.variable;
  2623	
> 2624			ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
  2625								 skb_tail_pointer(skb) - ies,
  2626								 sband->band);
  2627	
  2628			if (ies_ch > 0 && ies_ch != channel) {
  2629				ath10k_dbg(ar, ATH10K_DBG_MGMT,
  2630					   "channel mismatched ds channel %d scan channel %d\n",
  2631					   ies_ch, channel);
  2632				goto drop;
  2633			}
  2634		}
  2635	
  2636		ath10k_dbg(ar, ATH10K_DBG_MGMT,
  2637			   "event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
  2638			   skb, skb->len,
  2639			   fc & IEEE80211_FCTL_FTYPE, fc & IEEE80211_FCTL_STYPE);
  2640	
  2641		ath10k_dbg(ar, ATH10K_DBG_MGMT,
  2642			   "event mgmt rx freq %d band %d snr %d, rate_idx %d\n",
  2643			   status->freq, status->band, status->signal,
  2644			   status->rate_idx);
  2645	
  2646		ieee80211_rx_ni(ar->hw, skb);
  2647	
  2648		return 0;
  2649	
  2650	drop:
  2651		dev_kfree_skb(skb);
  2652		return 0;
  2653	}
  2654	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: .config.gz
Type: application/gzip
Size: 61049 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/ath10k/attachments/20211027/807f4678/attachment-0001.gz>