1 From 1c3d185a9a0b136a58e73b02912d593d0303d1da Mon Sep 17 00:00:00 2001
2 From: Johannes Berg <johannes.berg@intel.com>
3 Date: Tue, 18 Oct 2016 23:12:08 +0300
4 Subject: [PATCH] mac80211: fix tid_agg_rx NULL dereference
5
6 On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag,
7 we crash when the peer sends an AddBA request while we already
8 have a session open on the same TID; this is because on those
9 drivers, the tid_agg_rx is left NULL even though the session is
10 valid, and the agg_session_valid bit is set.
11
12 To fix this, store the dialog tokens outside the tid_agg_rx to
13 be able to compare them to the received AddBA request.
14
15 Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update")
16 Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
17 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 ---
19  net/mac80211/agg-rx.c      | 8 ++------
20  net/mac80211/debugfs_sta.c | 2 +-
21  net/mac80211/sta_info.h    | 4 ++--
22  3 files changed, 5 insertions(+), 9 deletions(-)
23
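--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -315,11 +315,7 @@ void __ieee80211_start_rx_ba_session(str
        mutex_lock(&sta->ampdu_mlme.mtx);
 
        if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
-               tid_agg_rx = rcu_dereference_protected(
-                               sta->ampdu_mlme.tid_rx[tid],
-                               lockdep_is_held(&sta->ampdu_mlme.mtx));
-
-               if (tid_agg_rx->dialog_token == dialog_token) {
+               if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
                        ht_dbg_ratelimited(sta->sdata,
                                           "updated AddBA Req from %pM on tid %u\n",
                                           sta->sta.addr, tid);
@@ -396,7 +392,6 @@ void __ieee80211_start_rx_ba_session(str
        }
 
        /* update data */
-       tid_agg_rx->dialog_token = dialog_token;
        tid_agg_rx->ssn = start_seq_num;
        tid_agg_rx->head_seq_num = start_seq_num;
        tid_agg_rx->buf_size = buf_size;
@@ -418,6 +413,7 @@ end:
        if (status == WLAN_STATUS_SUCCESS) {
                __set_bit(tid, sta->ampdu_mlme.agg_session_valid);
                __clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
+               sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
        }
        mutex_unlock(&sta->ampdu_mlme.mtx);
 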
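--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struc
                p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i);
                p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx);
                p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x",
-                               tid_rx ? tid_rx->dialog_token : 0);
+                               tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0);
                p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x",
                                tid_rx ? tid_rx->ssn : 0);
 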
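Review bot: The token column is still gated on `tid_rx`, so on the drivers this fix targets (the description says tid_rx stays NULL while the session is valid on SUPPORTS_REORDERING_BUFFER hardware) debugfs will print a token of 0 for exactly the sessions whose token is now tracked separately. Since the token no longer lives in the RCU-protected struct, the valid-session bitmap is the more accurate guard: `tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0` could become `test_bit(i, sta->ampdu_mlme.agg_session_valid) ? sta->ampdu_mlme.tid_rx_token[i] : 0`. This only affects diagnostic output, and the read is presumably an unlocked snapshot either way, as the rest of this line appears to be. sta_agg_status_read begins and ends outside the hunk.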
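--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -184,7 +184,6 @@ struct tid_ampdu_tx {
  * @ssn: Starting Sequence Number expected to be aggregated.
  * @buf_size: buffer size for incoming A-MPDUs
  * @timeout: reset timer value (in TUs).
- * @dialog_token: dialog token for aggregation session
  * @rcu_head: RCU head used for freeing this struct
  * @reorder_lock: serializes access to reorder buffer, see below.
  * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and
@@ -213,7 +212,6 @@ struct tid_ampdu_rx {
        u16 ssn;
        u16 buf_size;
        u16 timeout;
-       u8 dialog_token;
        bool auto_seq;
        bool removed;
 };
@@ -225,6 +223,7 @@ struct tid_ampdu_rx {
  *     to tid_tx[idx], which are protected by the sta spinlock)
  *     tid_start_tx is also protected by sta->lock.
  * @tid_rx: aggregation info for Rx per TID -- RCU protected
+ * @tid_rx_token: dialog tokens for valid aggregation sessions
  * @tid_rx_timer_expired: bitmap indicating on which TIDs the
  *     RX timer expired until the work for it runs
  * @tid_rx_stop_requested:  bitmap indicating which BA sessions per TID the
@@ -243,6 +242,7 @@ struct sta_ampdu_mlme {
        struct mutex mtx;
        /* rx */
        struct tid_ampdu_rx __rcu *tid_rx[IEEE80211_NUM_TIDS];
+       u8 tid_rx_token[IEEE80211_NUM_TIDS];
        unsigned long tid_rx_timer_expired[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
        unsigned long tid_rx_stop_requested[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
        unsigned long agg_session_valid[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];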
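Review bot: The kerneldoc for the new `tid_rx_token` array leaves its validity and locking rule unstated, which matters because the patch adds no clearing of the entry when a session is torn down: the agg-rx.c hunks write it only on the WLAN_STATUS_SUCCESS path while ampdu_mlme.mtx is held and read it only inside the agg_session_valid test, so an entry for a TID whose bit is clear should be treated as stale. Suggest extending the added line to ` * @tid_rx_token: dialog tokens for valid aggregation sessions (meaningful only for TIDs set in @agg_session_valid; protected by @mtx)` so future readers do not consult it without that check. Both struct definitions continue outside the hunks.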