From patchwork Fri Jan 13 09:34:52 2017
X-Patchwork-Submitter: Koen Vandeputte
X-Patchwork-Id: 714905
From: Koen Vandeputte
To: lede-dev@lists.infradead.org
Cc: Koen Vandeputte, nbd@nbd.name
Date: Fri, 13 Jan 2017 10:34:52 +0100
Message-Id: <1484300093-26452-1-git-send-email-koen.vandeputte@ncentric.com>
X-Mailer: git-send-email 2.7.4
Subject: [LEDE-DEV] [PATCH 1/2] mac80211: backport some upstream fixes

Backports the following upstream fixes:

mac80211: initialize fast-xmit 'info' later
mac80211: fix legacy and invalid rx-rate report
mac80211: fix tid_agg_rx NULL dereference

Compiled and tested on: cns3xxx
Signed-off-by: Koen Vandeputte
---
 .../349-mac80211-fix-legacy-invalid-rxrate.patch | 60 +++++++++++++
 .../patches/350-mac80211-init-fastxmit-later.patch | 41 +++++++++
 .../patches/351-mac80211-fix-tid-agg-null.patch | 99 ++++++++++++++++++++++
 3 files changed, 200 insertions(+)
 create mode 100644 package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch
 create mode 100644 package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch
 create mode 100644 package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch

diff --git a/package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch b/package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch
new file mode 100644
index 0000000..c160515
--- /dev/null
+++ b/package/kernel/mac80211/patches/349-mac80211-fix-legacy-invalid-rxrate.patch
@@ -0,0 +1,60 @@ +From a17d93ff3a950fefaea40e4a4bf3669b9137c533 Mon Sep 17 00:00:00 2001 +From: Ben Greear +Date: Wed, 14 Dec 2016 11:30:38 -0800 +Subject: [PATCH] mac80211: fix legacy and invalid rx-rate report + +This fixes obtaining the rate info via sta_set_sinfo +when the rx rate is invalid (for instance, on IBSS +interface that has received no frames from one of its +peers). + +Also initialize rinfo->flags for legacy rates, to not +rely on the whole sinfo being initialized to zero. + +Signed-off-by: Ben Greear +Signed-off-by: Johannes Berg +--- + net/mac80211/sta_info.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1975,6 +1975,7 @@ static void sta_stats_decode_rate(struct + u16 brate; + unsigned int shift; + ++ rinfo->flags = 0; + sband = local->hw.wiphy->bands[(rate >> 4) & 0xf]; + brate = sband->bitrates[rate & 0xf].bitrate; + if (rinfo->bw == RATE_INFO_BW_5) +@@ -1990,14 +1991,15 @@ static void sta_stats_decode_rate(struct + rinfo->flags |= RATE_INFO_FLAGS_SHORT_GI; + } + +-static void sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo) ++static int sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo) + { + u16 rate = ACCESS_ONCE(sta_get_last_rx_stats(sta)->last_rate); + + if (rate == STA_STATS_RATE_INVALID) +- rinfo->flags = 0; +- else +- sta_stats_decode_rate(sta->local, rate, rinfo); ++ return -EINVAL; ++ ++ sta_stats_decode_rate(sta->local, rate, rinfo); ++ return 0; + } + + static void sta_set_tidstats(struct sta_info *sta, +@@ -2202,8 +2204,8 @@ void sta_set_sinfo(struct sta_info *sta, + } + + if (!(sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE))) { +- sta_set_rate_info_rx(sta, &sinfo->rxrate); +- sinfo->filled |= BIT(NL80211_STA_INFO_RX_BITRATE); ++ if (sta_set_rate_info_rx(sta, &sinfo->rxrate) == 0) ++ sinfo->filled |= BIT(NL80211_STA_INFO_RX_BITRATE); + } + + sinfo->filled |= BIT(NL80211_STA_INFO_TID_STATS); 
diff --git a/package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch b/package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch new file mode 100644 index 0000000..0b640ef --- /dev/null +++ b/package/kernel/mac80211/patches/350-mac80211-init-fastxmit-later.patch @@ -0,0 +1,41 @@ +From 35f432a03e41d3bf08c51ede917f94e2288fbe8c Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 2 Jan 2017 11:19:29 +0100 +Subject: [PATCH] mac80211: initialize fast-xmit 'info' later + +In ieee80211_xmit_fast(), 'info' is initialized to point to the skb +that's passed in, but that skb may later be replaced by a clone (if +it was shared), leading to an invalid pointer. + +This can lead to use-after-free and also later crashes since the +real SKB's info->hw_queue doesn't get initialized properly. + +Fix this by assigning info only later, when it's needed, after the +skb replacement (may have) happened. + +Cc: stable@vger.kernel.org +Reported-by: Ben Greear +Signed-off-by: Johannes Berg +--- + net/mac80211/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -3297,7 +3297,7 @@ static bool ieee80211_xmit_fast(struct i + int extra_head = fast_tx->hdr_len - (ETH_HLEN - 2); + int hw_headroom = sdata->local->hw.extra_tx_headroom; + struct ethhdr eth; +- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); ++ struct ieee80211_tx_info *info; + struct ieee80211_hdr *hdr = (void *)fast_tx->hdr; + struct ieee80211_tx_data tx; + ieee80211_tx_result r; +@@ -3361,6 +3361,7 @@ static bool ieee80211_xmit_fast(struct i + memcpy(skb->data + fast_tx->da_offs, eth.h_dest, ETH_ALEN); + memcpy(skb->data + fast_tx->sa_offs, eth.h_source, ETH_ALEN); + ++ info = IEEE80211_SKB_CB(skb); + memset(info, 0, sizeof(*info)); + info->band = fast_tx->band; + info->control.vif = &sdata->vif; 
diff --git a/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch b/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch new file mode 100644 index 0000000..9148cfa --- /dev/null +++ b/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch 
@@ -0,0 +1,99 @@ +From 1c3d185a9a0b136a58e73b02912d593d0303d1da Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 18 Oct 2016 23:12:08 +0300 +Subject: [PATCH] mac80211: fix tid_agg_rx NULL dereference + +On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag, +we crash when the peer sends an AddBA request while we already +have a session open on the seame TID; this is because on those +drivers, the tid_agg_rx is left NULL even though the session is +valid, and the agg_session_valid bit is set. + +To fix this, store the dialog tokens outside the tid_agg_rx to +be able to compare them to the received AddBA request. + +Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update") +Reported-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +--- + net/mac80211/agg-rx.c | 8 ++------ + net/mac80211/debugfs_sta.c | 2 +- + net/mac80211/sta_info.h | 4 ++-- + 3 files changed, 5 insertions(+), 9 deletions(-) + +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -315,11 +315,7 @@ void __ieee80211_start_rx_ba_session(str + mutex_lock(&sta->ampdu_mlme.mtx); + + if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) { +- tid_agg_rx = rcu_dereference_protected( +- sta->ampdu_mlme.tid_rx[tid], +- lockdep_is_held(&sta->ampdu_mlme.mtx)); +- +- if (tid_agg_rx->dialog_token == dialog_token) { ++ if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) { + ht_dbg_ratelimited(sta->sdata, + "updated AddBA Req from %pM on tid %u\n", + sta->sta.addr, tid); +@@ -396,7 +392,6 @@ void __ieee80211_start_rx_ba_session(str + } + + /* update data */ +- tid_agg_rx->dialog_token = dialog_token; + tid_agg_rx->ssn = start_seq_num; + tid_agg_rx->head_seq_num = start_seq_num; + tid_agg_rx->buf_size = buf_size; +@@ -418,6 +413,7 @@ end: + if (status == WLAN_STATUS_SUCCESS) { + __set_bit(tid, sta->ampdu_mlme.agg_session_valid); + __clear_bit(tid, sta->ampdu_mlme.unexpected_agg); ++ sta->ampdu_mlme.tid_rx_token[tid] = dialog_token; + } + 
mutex_unlock(&sta->ampdu_mlme.mtx); + +--- a/net/mac80211/debugfs_sta.c ++++ b/net/mac80211/debugfs_sta.c +@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struc + p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i); + p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx); + p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x", +- tid_rx ? tid_rx->dialog_token : 0); ++ tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0); + p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x", + tid_rx ? tid_rx->ssn : 0); + +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -184,7 +184,6 @@ struct tid_ampdu_tx { + * @ssn: Starting Sequence Number expected to be aggregated. + * @buf_size: buffer size for incoming A-MPDUs + * @timeout: reset timer value (in TUs). +- * @dialog_token: dialog token for aggregation session + * @rcu_head: RCU head used for freeing this struct + * @reorder_lock: serializes access to reorder buffer, see below. + * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and +@@ -213,7 +212,6 @@ struct tid_ampdu_rx { + u16 ssn; + u16 buf_size; + u16 timeout; +- u8 dialog_token; + bool auto_seq; + bool removed; + }; +@@ -225,6 +223,7 @@ struct tid_ampdu_rx { + * to tid_tx[idx], which are protected by the sta spinlock) + * tid_start_tx is also protected by sta->lock. 
+ * @tid_rx: aggregation info for Rx per TID -- RCU protected ++ * @tid_rx_token: dialog tokens for valid aggregation sessions + * @tid_rx_timer_expired: bitmap indicating on which TIDs the + * RX timer expired until the work for it runs + * @tid_rx_stop_requested: bitmap indicating which BA sessions per TID the +@@ -243,6 +242,7 @@ struct sta_ampdu_mlme { + struct mutex mtx; + /* rx */ + struct tid_ampdu_rx __rcu *tid_rx[IEEE80211_NUM_TIDS]; ++ u8 tid_rx_token[IEEE80211_NUM_TIDS]; + unsigned long tid_rx_timer_expired[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; + unsigned long tid_rx_stop_requested[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; + unsigned long agg_session_valid[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
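Review bot: in the 349-mac80211-fix-legacy-invalid-rxrate.patch hunk, the new error path of `sta_set_rate_info_rx()` returns -EINVAL and leaves `sinfo->rxrate` untouched, which is only safe because `sta_set_sinfo()` now sets `BIT(NL80211_STA_INFO_RX_BITRATE)` solely on a zero return; the cover letter should say that the user-visible effect is that a station with no received frames (the IBSS peer case from the upstream message) no longer reports any rx bitrate over nl80211, instead of a rate with just the flags cleared. The `rinfo->flags = 0;` added at the top of `sta_stats_decode_rate()` also means the decoder no longer depends on the whole sinfo having been zeroed by the caller, so any other caller of that function in the LEDE mac80211 tree now gets that initialisation too and is worth a quick check that it does not expect flags to be preserved.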
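Review bot: in the 350-mac80211-init-fastxmit-later.patch hunk, `info` is now left unassigned at its declaration (around tx.c line 3297) and only set from `IEEE80211_SKB_CB(skb)` after the da/sa `memcpy()` calls (around line 3361), so the fix is only complete if nothing between those two points in the backported tree touches `info`; the hunks do not show that region, so please confirm the LEDE mac80211 package's tx.c matches the upstream layout the hunk offsets assume (a -Wmaybe-uninitialized warning in the cns3xxx build would be one indicator if it does not). Since this one carries `Cc: stable@vger.kernel.org` and closes a use-after-free on a shared skb, naming it as the reason to merge the series promptly in the cover letter would help reviewers prioritise.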
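Review bot: in the debugfs_sta.c part of the 351-mac80211-fix-tid-agg-null.patch hunk, the dialog token is printed as `tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0`, still gated on `tid_rx` being non-NULL, yet the commit message states that on SUPPORTS_REORDERING_BUFFER drivers `tid_rx` stays NULL while the session is valid; on those drivers the debugfs status will therefore keep showing token 0 for a session whose `agg_session_valid` bit is set, and gating on `test_bit(i, sta->ampdu_mlme.agg_session_valid)` would report the stored token. This is a diagnostics gap only: the AddBA comparison in agg-rx.c is correctly keyed on the valid bit, the token is written only on `WLAN_STATUS_SUCCESS` under the same `ampdu_mlme.mtx` that the comparison holds, and a stale token after teardown is harmless because the valid bit guards it, so the backport is faithful to upstream and fine to merge with the debugfs point noted for a follow-up.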