Message ID | 1548845657-7793-1-git-send-email-siva8118@gmail.com |
---|---|
State | New |
Series | [SRU,Xenial] UBUNTU: SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash | expand |
On 30.01.19 11:54, Siva Rebbagondla wrote: > From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> > > BugLink: https://bugs.launchpad.net/bugs/1813869 > > When mac spoof is enabled in userspace and scan gets triggered with custom > mac address, driver is not handling custom mac addresses properly and > causing kernel crash. This could be fixed by copying custom mac addess to > mac address. > > ...skipping... > [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134 > [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x] > [ 49.147555] PGD 0 > [ 49.149799] Oops: 0000 [#1] SMP > [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu > [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017 > [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x] > [ 49.357435] Stack: > [ 49.359675] ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000 > [ 49.367971] ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457 > [ 49.376267] 00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000 > [ 49.384561] Call Trace: > [ 49.387307] [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x] > [ 49.395784] [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x] > [ 49.403486] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0 > [ 49.409633] [<ffffffff8109ee4b>] process_one_work+0x16b/0x490 > [ 49.416164] [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0 > [ 49.422306] [<ffffffff8109f170>] ? process_one_work+0x490/0x490 > [ 49.429032] [<ffffffff810a5587>] kthread+0xe7/0x100 > [ 49.434589] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0 > [ 49.440731] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 > [ 49.448042] [<ffffffff81857bf5>] ret_from_fork+0x55/0x80 > [ 49.454086] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 
> > Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c > index 78702ff24532..f6a075824e60 100644 > --- a/ubuntu/rsi/rsi_91x_mac80211.c > +++ b/ubuntu/rsi/rsi_91x_mac80211.c > @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = { > }; > #endif > > +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t) > +{ > + u8 addr[ETH_ALEN] = {0}; > + > + if (!memcmp(addr, addr_t, ETH_ALEN)) { > + ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__); > + return -1; > + } else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) { > + memcpy(common->mac_addr, addr_t, ETH_ALEN); > + } > + return 0; > +} > + > struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac) > { > u8 i; > @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw, > /* Scan already in progress. So return */ > if (common->bgscan_en || common->scan_in_prog) > return -EBUSY; > + if (rsi_validate_mac_addr(common, vif->addr)) > + return -ENODEV; > > cancel_work_sync(&common->scan_work); > mutex_lock(&common->mutex); > @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw, > struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1]; > struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf; > > +#ifndef CONFIG_VEN_RSI_P2P > + if (rsi_validate_mac_addr(common, wlh->addr2)) { > + ieee80211_free_txskb(common->priv->hw, skb); > + return; > + } > +#endif > + > #ifdef CONFIG_VEN_RSI_WOW > if (common->wow_flags & RSI_WOW_ENABLED) { > ieee80211_free_txskb(common->priv->hw, skb); >
On 1/30/19 11:54 AM, Siva Rebbagondla wrote: > From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> > > BugLink: https://bugs.launchpad.net/bugs/1813869 > > When mac spoof is enabled in userspace and scan gets triggered with custom > mac address, driver is not handling custom mac addresses properly and > causing kernel crash. This could be fixed by copying custom mac addess to > mac address. > > ...skipping... > [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134 > [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x] > [ 49.147555] PGD 0 > [ 49.149799] Oops: 0000 [#1] SMP > [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu > [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017 > [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x] > [ 49.357435] Stack: > [ 49.359675] ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000 > [ 49.367971] ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457 > [ 49.376267] 00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000 > [ 49.384561] Call Trace: > [ 49.387307] [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x] > [ 49.395784] [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x] > [ 49.403486] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0 > [ 49.409633] [<ffffffff8109ee4b>] process_one_work+0x16b/0x490 > [ 49.416164] [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0 > [ 49.422306] [<ffffffff8109f170>] ? process_one_work+0x490/0x490 > [ 49.429032] [<ffffffff810a5587>] kthread+0xe7/0x100 > [ 49.434589] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0 > [ 49.440731] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 > [ 49.448042] [<ffffffff81857bf5>] ret_from_fork+0x55/0x80 > [ 49.454086] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 
> > Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c > index 78702ff24532..f6a075824e60 100644 > --- a/ubuntu/rsi/rsi_91x_mac80211.c > +++ b/ubuntu/rsi/rsi_91x_mac80211.c > @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = { > }; > #endif > > +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t) > +{ > + u8 addr[ETH_ALEN] = {0}; > + > + if (!memcmp(addr, addr_t, ETH_ALEN)) { > + ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__); > + return -1; > + } else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) { > + memcpy(common->mac_addr, addr_t, ETH_ALEN); > + } > + return 0; > +} > + > struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac) > { > u8 i; > @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw, > /* Scan already in progress. So return */ > if (common->bgscan_en || common->scan_in_prog) > return -EBUSY; > + if (rsi_validate_mac_addr(common, vif->addr)) > + return -ENODEV; > > cancel_work_sync(&common->scan_work); > mutex_lock(&common->mutex); > @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw, > struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1]; > struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf; > > +#ifndef CONFIG_VEN_RSI_P2P > + if (rsi_validate_mac_addr(common, wlh->addr2)) { > + ieee80211_free_txskb(common->priv->hw, skb); > + return; > + } > +#endif > + > #ifdef CONFIG_VEN_RSI_WOW > if (common->wow_flags & RSI_WOW_ENABLED) { > ieee80211_free_txskb(common->priv->hw, skb);
On 2019-01-30 16:24:17 , Siva Rebbagondla wrote: > From: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> > > BugLink: https://bugs.launchpad.net/bugs/1813869 > > When mac spoof is enabled in userspace and scan gets triggered with custom > mac address, driver is not handling custom mac addresses properly and > causing kernel crash. This could be fixed by copying custom mac addess to > mac address. > > ...skipping... > [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134 > [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x] > [ 49.147555] PGD 0 > [ 49.149799] Oops: 0000 [#1] SMP > [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu > [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017 > [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x] > [ 49.357435] Stack: > [ 49.359675] ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000 > [ 49.367971] ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457 > [ 49.376267] 00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000 > [ 49.384561] Call Trace: > [ 49.387307] [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x] > [ 49.395784] [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x] > [ 49.403486] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0 > [ 49.409633] [<ffffffff8109ee4b>] process_one_work+0x16b/0x490 > [ 49.416164] [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0 > [ 49.422306] [<ffffffff8109f170>] ? process_one_work+0x490/0x490 > [ 49.429032] [<ffffffff810a5587>] kthread+0xe7/0x100 > [ 49.434589] [<ffffffff818530c1>] ? __schedule+0x301/0x7f0 > [ 49.440731] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 > [ 49.448042] [<ffffffff81857bf5>] ret_from_fork+0x55/0x80 > [ 49.454086] [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0 
> > Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com> > --- > ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > > diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c > index 78702ff24532..f6a075824e60 100644 > --- a/ubuntu/rsi/rsi_91x_mac80211.c > +++ b/ubuntu/rsi/rsi_91x_mac80211.c > @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = { > }; > #endif > > +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t) > +{ > + u8 addr[ETH_ALEN] = {0}; > + > + if (!memcmp(addr, addr_t, ETH_ALEN)) { > + ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__); > + return -1; > + } else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) { > + memcpy(common->mac_addr, addr_t, ETH_ALEN); > + } > + return 0; > +} > + > struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac) > { > u8 i; > @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw, > /* Scan already in progress. So return */ > if (common->bgscan_en || common->scan_in_prog) > return -EBUSY; > + if (rsi_validate_mac_addr(common, vif->addr)) > + return -ENODEV; > > cancel_work_sync(&common->scan_work); > mutex_lock(&common->mutex); > @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw, > struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1]; > struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf; > > +#ifndef CONFIG_VEN_RSI_P2P > + if (rsi_validate_mac_addr(common, wlh->addr2)) { > + ieee80211_free_txskb(common->priv->hw, skb); > + return; > + } > +#endif > + > #ifdef CONFIG_VEN_RSI_WOW > if (common->wow_flags & RSI_WOW_ENABLED) { > ieee80211_free_txskb(common->priv->hw, skb); > -- > 2.17.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c
index 78702ff24532..f6a075824e60 100644
--- a/ubuntu/rsi/rsi_91x_mac80211.c
+++ b/ubuntu/rsi/rsi_91x_mac80211.c
@@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = {
 };
 #endif
 
+static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t)
+{
+ u8 addr[ETH_ALEN] = {0};
+
+ if (!memcmp(addr, addr_t, ETH_ALEN)) {
+ ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__);
+ return -1;
+ } else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) {
+ memcpy(common->mac_addr, addr_t, ETH_ALEN);
+ }
+ return 0;
+}
+
 struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac)
 {
 u8 i;
@@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
 /* Scan already in progress. So return */
 if (common->bgscan_en || common->scan_in_prog)
 return -EBUSY;
+ if (rsi_validate_mac_addr(common, vif->addr))
+ return -ENODEV;
 
 cancel_work_sync(&common->scan_work);
 mutex_lock(&common->mutex);
@@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw,
 struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1];
 struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf;
 
+#ifndef CONFIG_VEN_RSI_P2P
+ if (rsi_validate_mac_addr(common, wlh->addr2)) {
+ ieee80211_free_txskb(common->priv->hw, skb);
+ return;
+ }
+#endif
+
 #ifdef CONFIG_VEN_RSI_WOW
 if (common->wow_flags & RSI_WOW_ENABLED) {
 ieee80211_free_txskb(common->priv->hw, skb);
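Review bot: rsi_validate_mac_addr() is named as a check, but it also overwrites common->mac_addr whenever the supplied address differs, so both new callers change driver state as a side effect. A header comment such as `/* Rejects an all-zero address; otherwise copies addr_t into common->mac_addr. */`, or a name that says "sync" rather than "validate", would make that visible. Only the all-zero address is rejected, so broadcast and multicast values are accepted and stored; `if (!is_valid_ether_addr(addr_t))` from <linux/etherdevice.h> would reject those as well, provided addr_t meets that helper's 2-byte alignment requirement. The log text "MAC addr is NULL" describes an all-zero address rather than a null pointer, and `return -EINVAL;` would be more conventional than `return -1;`.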
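Review bot: The new call in rsi_mac80211_hw_scan_start writes common->mac_addr before `cancel_work_sync(&common->scan_work);` and before `mutex_lock(&common->mutex);`, so the copy is not serialized against scan work that may still be running, nor against the same helper being called from rsi_mac80211_tx in the next hunk. If common->mutex is what guards this field (not visible here), the call belongs after `mutex_lock(&common->mutex);`, with a `mutex_unlock(&common->mutex);` before `return -ENODEV;`. The oops quoted in the description is a NULL dereference inside rsi_prepare_mgmt_desc, which none of the hunks touch; keeping the addresses in sync presumably avoids the failing lookup, but a NULL check at the point where that lookup result is used would still be the defensive fix. The function body continues outside the hunk.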
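Review bot: In rsi_mac80211_tx the driver's stored MAC is now rewritten from `wlh->addr2` of each outgoing frame, so any frame whose transmitter address differs from the interface address silently changes common->mac_addr for later scans. Comparing addr2 against `vif->addr`, or updating common->mac_addr once when the interface address is set, would keep frame contents from driving driver state. The failure branch logs at ERR_ZONE for every dropped frame, which can flood the kernel log on a busy TX path. The `#ifndef CONFIG_VEN_RSI_P2P` guard needs a comment saying why P2P builds skip the check, for example `/* P2P interfaces use their own address; do not sync common->mac_addr */` if that is the reason. Whether skb is already known to hold a full 802.11 header before addr2 is read is not visible, since the function starts and ends outside the hunk.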