
Merge tag 'mac80211-for-net-2021-09-27' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
Some fixes:
* potential use-after-free in CCMP/GCMP RX processing
* potential use-after-free in TX A-MSDU processing
* revert to low data rates for no-ack as the commit
broke other things
* limit VHT MCS/NSS in radiotap injection
* drop frames with invalid addresses in IBSS mode
* check rhashtable_init() return value in mesh
* fix potentially unaligned access in mesh
* fix late beacon hrtimer handling in hwsim (syzbot)
* fix documentation for PTK0 rekeying
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+32 -13
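--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -1867,8 +1867,8 @@
 bcn_int -= data->bcn_delta;
 data->bcn_delta = 0;
 }
-hrtimer_forward(&data->beacon_timer, hrtimer_get_expires(timer),
-ns_to_ktime(bcn_int * NSEC_PER_USEC));
+hrtimer_forward_now(&data->beacon_timer,
+ns_to_ktime(bcn_int * NSEC_PER_USEC));
 return HRTIMER_RESTART;
 }
 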
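Review bot: The switch from the stale expiry to "now" as the forwarding base is not explained in the code, so a reader of this timer callback (which starts outside the hunk) cannot tell why the scheduled expiry was abandoned. Forwarding from now means a late-running callback reschedules relative to when it actually ran, so beacon timing drifts by the lateness; the tag summary calls this a syzbot late-beacon fix, which suggests that trade-off is intended. I would add a one-line comment above the call, e.g. `/* forward from now: this callback can run late, and forwarding from the stale expiry could leave the next expiry in the past */`. Whether bcn_int can reach zero after the bcn_delta subtraction is not visible here; if it can, confirm hrtimer_forward_now() copes with a zero interval.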
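--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -2818,13 +2818,13 @@
 * Mac80211 drivers should set the @NL80211_EXT_FEATURE_CAN_REPLACE_PTK0 flag
 * when they are able to replace in-use PTK keys according to the following
 * requirements:
-* 1) They do not hand over frames decrypted with the old key to
-mac80211 once the call to set_key() with command %DISABLE_KEY has been
-completed when also setting @IEEE80211_KEY_FLAG_GENERATE_IV for any key,
+* 1) They do not hand over frames decrypted with the old key to mac80211
+once the call to set_key() with command %DISABLE_KEY has been completed,
 2) either drop or continue to use the old key for any outgoing frames queued
 at the time of the key deletion (including re-transmits),
 3) never send out a frame queued prior to the set_key() %SET_KEY command
-encrypted with the new key and
+encrypted with the new key when also needing
+@IEEE80211_KEY_FLAG_GENERATE_IV and
 4) never send out a frame unencrypted when it should be encrypted.
 Mac80211 will not queue any new frames for a deleted key to the driver.
 */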
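Review bot: The rewritten requirement 3 now reads `encrypted with the new key when also needing @IEEE80211_KEY_FLAG_GENERATE_IV and`, and "needing" leaves it unclear whether the condition is that the driver has set the flag on that key or that mac80211 requires it; the old requirement 1 phrased the same qualifier as "when also setting ... for any key". Since the flag is a per-key flag, I would write `encrypted with the new key when @IEEE80211_KEY_FLAG_GENERATE_IV is set for that key, and`. The kernel-doc block this belongs to starts outside the hunk.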
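--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -60,7 +60,10 @@
 atomic_set(&newtbl->entries, 0);
 spin_lock_init(&newtbl->gates_lock);
 spin_lock_init(&newtbl->walk_lock);
-rhashtable_init(&newtbl->rhead, &mesh_rht_params);
+if (rhashtable_init(&newtbl->rhead, &mesh_rht_params)) {
+kfree(newtbl);
+return NULL;
+}
 
 return newtbl;
 }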
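Review bot: The allocator now returns NULL on rhashtable_init() failure in addition to whatever the allocation path at its start (outside this hunk) already does, but nothing in this merge touches a caller, so whether every caller checks for NULL is not visible here and should be confirmed. The contract deserves a line above the function, e.g. `/* Returns NULL if the table or its rhashtable cannot be allocated; callers must check. */`. The cleanup itself looks right: the spinlocks and the atomic need no teardown and nothing else is allocated before rhashtable_init(), so kfree(newtbl) is sufficient.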
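--- a/net/mac80211/mesh_ps.c
+++ b/net/mac80211/mesh_ps.c
@@ -2,6 +2,7 @@
 /*
 * Copyright 2012-2013, Marco Porsch <marco.porsch@s2005.tu-chemnitz.de>
 * Copyright 2012-2013, cozybit Inc.
+* Copyright (C) 2021 Intel Corporation
 */
 
 #include "mesh.h"
@@ -589,7 +588,7 @@
 
 /* only transmit to PS STA with announced, non-zero awake window */
 if (test_sta_flag(sta, WLAN_STA_PS_STA) &&
-(!elems->awake_window || !le16_to_cpu(*elems->awake_window)))
+(!elems->awake_window || !get_unaligned_le16(elems->awake_window)))
 return;
 
 if (!test_sta_flag(sta, WLAN_STA_MPSP_OWNER))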
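Review bot: get_unaligned_le16() in the second hunk comes from <asm/unaligned.h>, and the file's include list is outside this diff, so confirm the header is already pulled in (directly or via mesh.h) rather than relying on an incidental indirect include. The fix implies that elems->awake_window points into the raw IE payload, which is only byte-aligned, so any other direct dereference of a pointer of that kind in the mesh code would have the same unaligned-access problem and is worth a sweep. A short comment on the condition, e.g. `/* awake_window points into the frame body and may be unaligned */`, would stop a future cleanup from reverting to a plain dereference. The function containing this check starts outside the hunk.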
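--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -392,10 +392,6 @@
 int mcast_rate;
 bool use_basicrate = false;
 
-if (ieee80211_is_tx_data(txrc->skb) &&
-info->flags & IEEE80211_TX_CTL_NO_ACK)
-return false;
-
 if (!pubsta || rc_no_data_or_no_ack_use_min(txrc)) {
 __rate_control_send_low(txrc->hw, sband, pubsta, info,
 txrc->rate_idx_mask);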
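--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4131,7 +4131,8 @@
 if (!bssid)
 return false;
 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
-ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
+ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2) ||
+!is_valid_ether_addr(hdr->addr2))
 return false;
 if (ieee80211_is_beacon(hdr->frame_control))
 return true;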
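Review bot: The new `!is_valid_ether_addr(hdr->addr2)` clause rejects frames whose transmitter address is multicast or all-zero, but it carries no comment, and grouped with the two self-address comparisons it reads as another "is this us" test rather than a validity test. I would put it on its own line with a comment, e.g. `/* a peer with a multicast or zero TA is bogus; never create a station for it */`, since the tag summary says the point is to drop such frames in IBSS mode. The enclosing function starts outside this hunk, so I cannot see whether the other interface-type branches apply the same check; if they do not, the same reasoning likely applies there.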
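--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2209,7 +2209,11 @@
 }
 
 vht_mcs = iterator.this_arg[4] >> 4;
+if (vht_mcs > 11)
+vht_mcs = 0;
 vht_nss = iterator.this_arg[4] & 0xF;
+if (!vht_nss || vht_nss > 8)
+vht_nss = 1;
 break;
 
 /*
@@ -3383,6 +3379,14 @@
 
 if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
 goto out;
+
+/* If n == 2, the "while (*frag_tail)" loop above didn't execute
+* and frag_tail should be &skb_shinfo(head)->frag_list.
+* However, ieee80211_amsdu_prepare_head() can reallocate it.
+* Reload frag_tail to have it pointing to the correct place.
+*/
+if (n == 2)
+frag_tail = &skb_shinfo(head)->frag_list;
 
 /*
 * Pad out the previous subframe to a multiple of 4 by adding the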
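Review bot: In the radiotap VHT hunk an out-of-range MCS from the injected header is silently replaced with 0 and an out-of-range NSS with 1, so a malformed injection is still transmitted at a rate the user never asked for; because this is user-controlled input, dropping the frame or clearing the VHT rate selection may be the better outcome, and whichever is chosen should be documented. The bounds 11 and 8 are also unexplained magic numbers; a comment such as `/* clamp to the MCS (0..11) and NSS (1..8) range the rate tables can express */` above the checks, or named constants, would help. The radiotap parser this belongs to starts outside the hunk. The A-MSDU hunk is fine as written; its comment already explains the n == 2 reload.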
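--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -520,6 +520,9 @@
 return RX_DROP_UNUSABLE;
 }
 
+/* reload hdr - skb might have been reallocated */
+hdr = (void *)rx->skb->data;
+
 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
 if (!rx->sta || data_len < 0)
 return RX_DROP_UNUSABLE;
@@ -751,6 +748,9 @@
 if (skb_linearize(rx->skb))
 return RX_DROP_UNUSABLE;
 }
+
+/* reload hdr - skb might have been reallocated */
+hdr = (void *)rx->skb->data;
 
 data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
 if (!rx->sta || data_len < 0)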
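Review bot: Both reloads are correct, but in the CCMP hunk the very next line computes `skb->len` through a local `skb` while hdr is reloaded from `rx->skb->data`; if `skb` is a local alias of rx->skb (the GCMP hunk's `skb_linearize(rx->skb)` followed by `skb->len` suggests it is), the alias stays valid because skb_linearize() replaces the data buffer rather than the sk_buff, but mixing the two spellings on adjacent lines invites exactly that question. Using one form, e.g. `hdr = (void *)skb->data;`, would read more clearly. It is also worth checking the rest of both decrypt functions (they start outside these hunks) for any other pointer into the old data buffer taken before skb_linearize(), since such a pointer would be equally stale.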