Skip to content

Commit 0d1dc9e

Browse files
davem330davem330
committed
Merge tag 'mac80211-for-net-2021-06-18' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says: ==================== A couple of straggler fixes: * a minstrel HT sample check fix * peer measurement could double-free on races * certificate file generation at build time could sometimes hang * some parameters weren't reset between connections in mac80211 * some extensible elements were treated as non- extensible, possibly causuing bad connections (or failures) if the AP adds data ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2 parents 7e9838b + 652e836 commit 0d1dc9e

5 files changed

Lines changed: 35 additions & 15 deletions

File tree

net/mac80211/mlme.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4062,10 +4062,14 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
40624062
if (elems.mbssid_config_ie)
40634063
bss_conf->profile_periodicity =
40644064
elems.mbssid_config_ie->profile_periodicity;
4065+
else
4066+
bss_conf->profile_periodicity = 0;
40654067

40664068
if (elems.ext_capab_len >= 11 &&
40674069
(elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
40684070
bss_conf->ema_ap = true;
4071+
else
4072+
bss_conf->ema_ap = false;
40694073

40704074
/* continue assoc process */
40714075
ifmgd->assoc_data->timeout = jiffies;
@@ -5802,12 +5806,16 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
58025806
beacon_ies->data, beacon_ies->len);
58035807
if (elem && elem->datalen >= 3)
58045808
sdata->vif.bss_conf.profile_periodicity = elem->data[2];
5809+
else
5810+
sdata->vif.bss_conf.profile_periodicity = 0;
58055811

58065812
elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
58075813
beacon_ies->data, beacon_ies->len);
58085814
if (elem && elem->datalen >= 11 &&
58095815
(elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
58105816
sdata->vif.bss_conf.ema_ap = true;
5817+
else
5818+
sdata->vif.bss_conf.ema_ap = false;
58115819
} else {
58125820
assoc_data->timeout = jiffies;
58135821
assoc_data->timeout_started = true;

net/mac80211/rc80211_minstrel_ht.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1514,7 +1514,7 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta,
15141514
(info->control.flags & IEEE80211_TX_CTRL_PORT_CTRL_PROTO))
15151515
return;
15161516

1517-
if (time_is_before_jiffies(mi->sample_time))
1517+
if (time_is_after_jiffies(mi->sample_time))
15181518
return;
15191519

15201520
mi->sample_time = jiffies + MINSTREL_SAMPLE_INTERVAL;

net/mac80211/util.c

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -947,7 +947,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
947947

948948
switch (elem->data[0]) {
949949
case WLAN_EID_EXT_HE_MU_EDCA:
950-
if (len == sizeof(*elems->mu_edca_param_set)) {
950+
if (len >= sizeof(*elems->mu_edca_param_set)) {
951951
elems->mu_edca_param_set = data;
952952
if (crc)
953953
*crc = crc32_be(*crc, (void *)elem,
@@ -968,15 +968,15 @@ static void ieee80211_parse_extension_element(u32 *crc,
968968
}
969969
break;
970970
case WLAN_EID_EXT_UORA:
971-
if (len == 1)
971+
if (len >= 1)
972972
elems->uora_element = data;
973973
break;
974974
case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
975975
if (len == 3)
976976
elems->max_channel_switch_time = data;
977977
break;
978978
case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
979-
if (len == sizeof(*elems->mbssid_config_ie))
979+
if (len >= sizeof(*elems->mbssid_config_ie))
980980
elems->mbssid_config_ie = data;
981981
break;
982982
case WLAN_EID_EXT_HE_SPR:
@@ -985,7 +985,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
985985
elems->he_spr = data;
986986
break;
987987
case WLAN_EID_EXT_HE_6GHZ_CAPA:
988-
if (len == sizeof(*elems->he_6ghz_capa))
988+
if (len >= sizeof(*elems->he_6ghz_capa))
989989
elems->he_6ghz_capa = data;
990990
break;
991991
}
@@ -1074,14 +1074,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
10741074

10751075
switch (id) {
10761076
case WLAN_EID_LINK_ID:
1077-
if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) {
1077+
if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
10781078
elem_parse_failed = true;
10791079
break;
10801080
}
10811081
elems->lnk_id = (void *)(pos - 2);
10821082
break;
10831083
case WLAN_EID_CHAN_SWITCH_TIMING:
1084-
if (elen != sizeof(struct ieee80211_ch_switch_timing)) {
1084+
if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
10851085
elem_parse_failed = true;
10861086
break;
10871087
}
@@ -1244,7 +1244,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
12441244
elems->sec_chan_offs = (void *)pos;
12451245
break;
12461246
case WLAN_EID_CHAN_SWITCH_PARAM:
1247-
if (elen !=
1247+
if (elen <
12481248
sizeof(*elems->mesh_chansw_params_ie)) {
12491249
elem_parse_failed = true;
12501250
break;
@@ -1253,7 +1253,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
12531253
break;
12541254
case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
12551255
if (!action ||
1256-
elen != sizeof(*elems->wide_bw_chansw_ie)) {
1256+
elen < sizeof(*elems->wide_bw_chansw_ie)) {
12571257
elem_parse_failed = true;
12581258
break;
12591259
}
@@ -1272,7 +1272,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
12721272
ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
12731273
pos, elen);
12741274
if (ie) {
1275-
if (ie[1] == sizeof(*elems->wide_bw_chansw_ie))
1275+
if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie))
12761276
elems->wide_bw_chansw_ie =
12771277
(void *)(ie + 2);
12781278
else
@@ -1316,7 +1316,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
13161316
elems->cisco_dtpc_elem = pos;
13171317
break;
13181318
case WLAN_EID_ADDBA_EXT:
1319-
if (elen != sizeof(struct ieee80211_addba_ext_ie)) {
1319+
if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
13201320
elem_parse_failed = true;
13211321
break;
13221322
}
@@ -1342,7 +1342,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
13421342
elem, elems);
13431343
break;
13441344
case WLAN_EID_S1G_CAPABILITIES:
1345-
if (elen == sizeof(*elems->s1g_capab))
1345+
if (elen >= sizeof(*elems->s1g_capab))
13461346
elems->s1g_capab = (void *)pos;
13471347
else
13481348
elem_parse_failed = true;

net/wireless/Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ $(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.hex)
2828
@$(kecho) " GEN $@"
2929
@(echo '#include "reg.h"'; \
3030
echo 'const u8 shipped_regdb_certs[] = {'; \
31-
cat $^ ; \
31+
echo | cat - $^ ; \
3232
echo '};'; \
3333
echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \
3434
) > $@

net/wireless/pmsr.c

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -334,6 +334,7 @@ void cfg80211_pmsr_complete(struct wireless_dev *wdev,
334334
gfp_t gfp)
335335
{
336336
struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
337+
struct cfg80211_pmsr_request *tmp, *prev, *to_free = NULL;
337338
struct sk_buff *msg;
338339
void *hdr;
339340

@@ -364,9 +365,20 @@ void cfg80211_pmsr_complete(struct wireless_dev *wdev,
364365
nlmsg_free(msg);
365366
free_request:
366367
spin_lock_bh(&wdev->pmsr_lock);
367-
list_del(&req->list);
368+
/*
369+
* cfg80211_pmsr_process_abort() may have already moved this request
370+
* to the free list, and will free it later. In this case, don't free
371+
* it here.
372+
*/
373+
list_for_each_entry_safe(tmp, prev, &wdev->pmsr_list, list) {
374+
if (tmp == req) {
375+
list_del(&req->list);
376+
to_free = req;
377+
break;
378+
}
379+
}
368380
spin_unlock_bh(&wdev->pmsr_lock);
369-
kfree(req);
381+
kfree(to_free);
370382
}
371383
EXPORT_SYMBOL_GPL(cfg80211_pmsr_complete);
372384

0 commit comments

Comments
 (0)