A small list of fixes this time:
* two null pointer dereference fixes * a fix for preempt-enabled/BHs-enabled (lockdep) splats (that correctly pointed out a bug) * a fix for multi-BSSID ordering assumptions * a fix for the EDMG support, on-stack chandefs need to be initialized properly (now that they're bigger) * beacon (head) data from userspace should be validated -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEH1e1rEeCd0AIMq6MB8qZga/fl8QFAl2Td78ACgkQB8qZga/f l8SnIA/9GatOHIbmXb0BE/ojm3FEQlQOfzdO2VgC40Z8oR0qMFIwkWPzbsqy2Qhl xjzhh35q6iZunwp49LXRH1kDQn8xqo+RKpYDvrBSPvJW7jQj8l3UUK6tGaPL55RN NN5Tk/nWQVun70qPF/JIFeA/S7GpWJuyAj28hVgyukzNfksaYHqoAZQ1yU1otuou OmzsrXXzGVO9Xu0DU6U5b6UxcTUHiILLywr0kdE35oUATct7AijrU1E4f94/wmXG O4S3BMgLG4Ggxqdn+GPNdHLstEH/z0nyoon3LeautkOSEDgAeZoXNAgRGHSzaLdn YsTZ9mD1uKopSlro0obtyQPYswejnJ1dcEhMV6gpNSUqlf8hrzwzvh1ZxvZwZXpZ bislxnLcA+t10tkRApYQ0JhpvNm2O2lHlXqWz8tug0szoR/GKawrpPEJXrb/9yxF PFVI8TzXA0bLkO6clNV3vWWAf2Hg9My/hmPpbuORWdIw3KbpcMPfoWHkhAspTdpO CmpHurDt1u0Oh/8NawrqUTYXKZkGfseoDXQvQCDOfDCfGl8RPrdthzfPJhh8w4rd NCJa+WYNbFrvYcwi4FLCdRuO2dQjHLTclmZ/yXcVp8mxG5e8eihEIAfm30pyUxov uH29GwctmoA9CBYOAfHsEFWJNeGcpLSa9hzogmBygrPh61eoP14= =nhNe -----END PGP SIGNATURE----- Merge tag 'mac80211-for-davem-2019-10-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== A small list of fixes this time: * two null pointer dereference fixes * a fix for preempt-enabled/BHs-enabled (lockdep) splats (that correctly pointed out a bug) * a fix for multi-BSSID ordering assumptions * a fix for the EDMG support, on-stack chandefs need to be initialized properly (now that they're bigger) * beacon (head) data from userspace should be validated ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
commit
9cfc370240
|
@ -487,9 +487,14 @@ static ssize_t ieee80211_if_fmt_aqm(
|
|||
const struct ieee80211_sub_if_data *sdata, char *buf, int buflen)
|
||||
{
|
||||
struct ieee80211_local *local = sdata->local;
|
||||
struct txq_info *txqi = to_txq_info(sdata->vif.txq);
|
||||
struct txq_info *txqi;
|
||||
int len;
|
||||
|
||||
if (!sdata->vif.txq)
|
||||
return 0;
|
||||
|
||||
txqi = to_txq_info(sdata->vif.txq);
|
||||
|
||||
spin_lock_bh(&local->fq.lock);
|
||||
rcu_read_lock();
|
||||
|
||||
|
@ -658,7 +663,9 @@ static void add_common_files(struct ieee80211_sub_if_data *sdata)
|
|||
DEBUGFS_ADD(rc_rateidx_vht_mcs_mask_5ghz);
|
||||
DEBUGFS_ADD(hw_queues);
|
||||
|
||||
if (sdata->local->ops->wake_tx_queue)
|
||||
if (sdata->local->ops->wake_tx_queue &&
|
||||
sdata->vif.type != NL80211_IFTYPE_P2P_DEVICE &&
|
||||
sdata->vif.type != NL80211_IFTYPE_NAN)
|
||||
DEBUGFS_ADD(aqm);
|
||||
}
|
||||
|
||||
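Review bot: The condition in add_common_files hard-codes `NL80211_IFTYPE_P2P_DEVICE` and `NL80211_IFTYPE_NAN` without saying why, while the actual crash guard is the new `if (!sdata->vif.txq)` test in ieee80211_if_fmt_aqm. Presumably these are the interface types that get no vif.txq; a comment such as `/* P2P_DEVICE and NAN have no vif.txq, so there is nothing for aqm to show */` would keep the two checks from drifting apart if another txq-less type is added. The early `return 0` should stay as the defensive check, since it is the one that does not depend on the type list being complete. Both function bodies continue outside the hunks shown.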
|
|
|
@ -247,7 +247,8 @@ static void __ieee80211_wake_txqs(struct ieee80211_sub_if_data *sdata, int ac)
|
|||
struct sta_info *sta;
|
||||
int i;
|
||||
|
||||
spin_lock_bh(&fq->lock);
|
||||
local_bh_disable();
|
||||
spin_lock(&fq->lock);
|
||||
|
||||
if (sdata->vif.type == NL80211_IFTYPE_AP)
|
||||
ps = &sdata->bss->ps;
|
||||
|
@ -273,9 +274,9 @@ static void __ieee80211_wake_txqs(struct ieee80211_sub_if_data *sdata, int ac)
|
|||
&txqi->flags))
|
||||
continue;
|
||||
|
||||
spin_unlock_bh(&fq->lock);
|
||||
spin_unlock(&fq->lock);
|
||||
drv_wake_tx_queue(local, txqi);
|
||||
spin_lock_bh(&fq->lock);
|
||||
spin_lock(&fq->lock);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -288,12 +289,14 @@ static void __ieee80211_wake_txqs(struct ieee80211_sub_if_data *sdata, int ac)
|
|||
(ps && atomic_read(&ps->num_sta_ps)) || ac != vif->txq->ac)
|
||||
goto out;
|
||||
|
||||
spin_unlock_bh(&fq->lock);
|
||||
spin_unlock(&fq->lock);
|
||||
|
||||
drv_wake_tx_queue(local, txqi);
|
||||
local_bh_enable();
|
||||
return;
|
||||
out:
|
||||
spin_unlock_bh(&fq->lock);
|
||||
spin_unlock(&fq->lock);
|
||||
local_bh_enable();
|
||||
}
|
||||
|
||||
static void
|
||||
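Review bot: Nothing in __ieee80211_wake_txqs records why `spin_lock_bh(&fq->lock)` was split into `local_bh_disable()` plus `spin_lock(&fq->lock)`, and the split makes every exit path responsible for two releases instead of one. From the visible lines the intent appears to be that drv_wake_tx_queue() runs with fq->lock dropped but bottom halves still disabled; a comment at the lock site, e.g. `/* BHs stay disabled across drv_wake_tx_queue(); only fq->lock is dropped around it */`, would stop a later cleanup from folding this back into the _bh variants. The early `return` after the final drv_wake_tx_queue() and the `out:` label each pair `spin_unlock` with `local_bh_enable` in the visible hunks; any exit path between the hunks is outside view and should be checked the same way.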
|
|
|
@ -201,6 +201,38 @@ cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
|
|||
return __cfg80211_rdev_from_attrs(netns, info->attrs);
|
||||
}
|
||||
|
||||
static int validate_beacon_head(const struct nlattr *attr,
|
||||
struct netlink_ext_ack *extack)
|
||||
{
|
||||
const u8 *data = nla_data(attr);
|
||||
unsigned int len = nla_len(attr);
|
||||
const struct element *elem;
|
||||
const struct ieee80211_mgmt *mgmt = (void *)data;
|
||||
unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
|
||||
u.beacon.variable);
|
||||
|
||||
if (len < fixedlen)
|
||||
goto err;
|
||||
|
||||
if (ieee80211_hdrlen(mgmt->frame_control) !=
|
||||
offsetof(struct ieee80211_mgmt, u.beacon))
|
||||
goto err;
|
||||
|
||||
data += fixedlen;
|
||||
len -= fixedlen;
|
||||
|
||||
for_each_element(elem, data, len) {
|
||||
/* nothing */
|
||||
}
|
||||
|
||||
if (for_each_element_completed(elem, data, len))
|
||||
return 0;
|
||||
|
||||
err:
|
||||
NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
static int validate_ie_attr(const struct nlattr *attr,
|
||||
struct netlink_ext_ack *extack)
|
||||
{
|
||||
|
@ -338,8 +370,9 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
|
|||
|
||||
[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
|
||||
[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
|
||||
[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
|
||||
.len = IEEE80211_MAX_DATA_LEN },
|
||||
[NL80211_ATTR_BEACON_HEAD] =
|
||||
NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
|
||||
IEEE80211_MAX_DATA_LEN),
|
||||
[NL80211_ATTR_BEACON_TAIL] =
|
||||
NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
|
||||
IEEE80211_MAX_DATA_LEN),
|
||||
|
@ -2636,6 +2669,8 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
|
|||
|
||||
control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
|
||||
|
||||
memset(chandef, 0, sizeof(*chandef));
|
||||
|
||||
chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
|
||||
chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
|
||||
chandef->center_freq1 = control_freq;
|
||||
|
@ -3176,7 +3211,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
|
|||
|
||||
if (rdev->ops->get_channel) {
|
||||
int ret;
|
||||
struct cfg80211_chan_def chandef;
|
||||
struct cfg80211_chan_def chandef = {};
|
||||
|
||||
ret = rdev_get_channel(rdev, wdev, &chandef);
|
||||
if (ret == 0) {
|
||||
|
@ -6270,6 +6305,9 @@ static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
|
|||
if (!rdev->ops->del_mpath)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
return rdev_del_mpath(rdev, dev, dst);
|
||||
}
|
||||
|
||||
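Review bot: validate_beacon_head checks only that `ieee80211_hdrlen(mgmt->frame_control)` equals the management header size, so any frame-control value that yields that header length passes, not just a beacon. If code consuming NL80211_ATTR_BEACON_HEAD later interprets the buffer as a beacon, adding `if (!ieee80211_is_beacon(mgmt->frame_control)) goto err;` after the length check would close that gap. Whether existing userspace always sets the beacon subtype is not visible here, so this may need a compatibility check first. The empty `for_each_element` loop would also read better with a comment saying it exists only to walk the elements so that `for_each_element_completed` can confirm they fill the buffer exactly.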
|
|
|
@ -2108,7 +2108,7 @@ static void reg_call_notifier(struct wiphy *wiphy,
|
|||
|
||||
static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
|
||||
{
|
||||
struct cfg80211_chan_def chandef;
|
||||
struct cfg80211_chan_def chandef = {};
|
||||
struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
|
||||
enum nl80211_iftype iftype;
|
||||
|
||||
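Review bot: The `= {}` initialiser on the on-stack `struct cfg80211_chan_def` in reg_wdev_chan_valid carries no explanation, and the same bare change appears in nl80211_send_iface and cfg80211_wext_giwfreq. Per the commit description the struct grew with EDMG support, so any field the filling code leaves untouched would otherwise hold stale stack contents that later checks or reporting code may read. A comment like `/* zero-init: get_channel may leave newer fields (e.g. EDMG) untouched */` at each site would make that intent durable. Since the pattern depends on every caller remembering it, zeroing the output once in the shared rdev_get_channel wrapper may be worth considering, though that wrapper is not part of this page. The function body continues outside the hunk, so how `chandef` is filled here is not visible.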
|
|
|
@ -1723,7 +1723,12 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
|
|||
return;
|
||||
new_ie_len -= trans_ssid[1];
|
||||
mbssid = cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen);
|
||||
if (!mbssid)
|
||||
/*
|
||||
* It's not valid to have the MBSSID element before SSID
|
||||
* ignore if that happens - the code below assumes it is
|
||||
* after (while copying things inbetween).
|
||||
*/
|
||||
if (!mbssid || mbssid < trans_ssid)
|
||||
return;
|
||||
new_ie_len -= mbssid[1];
|
||||
rcu_read_lock();
|
||||
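Review bot: The new test `mbssid < trans_ssid` is only meaningful if both pointers point into the same `ie` buffer; `mbssid` visibly comes from `cfg80211_find_ie(WLAN_EID_MULTIPLE_BSSID, ie, ielen)`, but the assignment of `trans_ssid` is above the hunk, so that should be confirmed. The added comment is also hard to parse as written; something like `/* The MBSSID element must follow the SSID element; the copy below relies on that order, so bail out otherwise. */` states the invariant more directly. Bailing out rather than trying to cope with the reversed order looks right, since the following `new_ie_len -= mbssid[1]` and the copy logic are sized on that assumption.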
|
|
|
@ -798,7 +798,7 @@ static int cfg80211_wext_giwfreq(struct net_device *dev,
|
|||
{
|
||||
struct wireless_dev *wdev = dev->ieee80211_ptr;
|
||||
struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
|
||||
struct cfg80211_chan_def chandef;
|
||||
struct cfg80211_chan_def chandef = {};
|
||||
int ret;
|
||||
|
||||
switch (wdev->iftype) {
|
||||
|
|