wifi: mac80211: check basic rates validity

Message ID	20240729134318.291424-1-vincenzo.mezzela@gmail.com (mailing list archive)
State	Not Applicable
Delegated to:	Johannes Berg
Headers	show Received: from mail-lj1-f179.google.com (mail-lj1-f179.google.com [209.85.208.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E56248005C; Mon, 29 Jul 2024 13:43:37 +0000 (UTC) From: Vincenzo Mezzela <vincenzo.mezzela@gmail.com> To: johannes@sipsolutions.net, sashal@kernel.org, gregkh@linuxfoundation.org Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, javier.carrasco.cruz@gmail.com, skhan@linuxfoundation.org, stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>, syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com, Vincenzo Mezzela <vincenzo.mezzela@gmail.com> Subject: [PATCH] wifi: mac80211: check basic rates validity Date: Mon, 29 Jul 2024 15:43:18 +0200 Message-ID: <20240729134318.291424-1-vincenzo.mezzela@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	wifi: mac80211: check basic rates validity \| expand wifi: mac80211: check basic rates validity

Message ID

20240729134318.291424-1-vincenzo.mezzela@gmail.com (mailing list archive)

State

Not Applicable

Delegated to:

Johannes Berg

Headers

From: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
To: johannes@sipsolutions.net,
	sashal@kernel.org,
	gregkh@linuxfoundation.org
Cc: linux-wireless@vger.kernel.org,
	netdev@vger.kernel.org,
	javier.carrasco.cruz@gmail.com,
	skhan@linuxfoundation.org,
	stable@vger.kernel.org,
	Johannes Berg <johannes.berg@intel.com>,
	syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com,
	Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
Subject: [PATCH] wifi: mac80211: check basic rates validity
Date: Mon, 29 Jul 2024 15:43:18 +0200
Message-ID: <20240729134318.291424-1-vincenzo.mezzela@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

wifi: mac80211: check basic rates validity | expand

Commit Message

vincenzo mezzela July 29, 2024, 1:43 p.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.

When userspace sets basic rates, it might send us some rates
list that's empty or consists of invalid values only. We're
currently ignoring invalid values and then may end up with a
rates bitmap that's empty, which later results in a warning.

Reject the call if there were no valid rates.

[ Conflict resolution involved adjusting the patch to accommodate
changes in the function signature of ieee80211_parse_bitrates and
ieee80211_check_rate_mask ]

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reported-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
Tested-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=07bee335584b04e7c2f8
Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
---
Hi,
please note that a backport of the same patch for v5.15 is available at
[1].

Thanks,
Vincenzo

- [1] https://lore.kernel.org/all/20240727125033.1774143-1-vincenzo.mezzela@gmail.com/
 net/mac80211/cfg.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

Comments

vincenzo mezzela July 29, 2024, 1:51 p.m. UTC | #1

On 7/29/24 15:43, Vincenzo Mezzela wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
>
> When userspace sets basic rates, it might send us some rates
> list that's empty or consists of invalid values only. We're
> currently ignoring invalid values and then may end up with a
> rates bitmap that's empty, which later results in a warning.
>
> Reject the call if there were no valid rates.
>
> [ Conflict resolution involved adjusting the patch to accommodate
> changes in the function signature of ieee80211_parse_bitrates and
> ieee80211_check_rate_mask ]
>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> Reported-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
> Tested-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=07bee335584b04e7c2f8
> Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
> ---
> Hi,
> please note that a backport of the same patch for v5.15 is available at
> [1].
>
> Thanks,
> Vincenzo
>
> - [1] https://lore.kernel.org/all/20240727125033.1774143-1-vincenzo.mezzela@gmail.com/
>   net/mac80211/cfg.c | 21 +++++++++++----------
>   1 file changed, 11 insertions(+), 10 deletions(-)
>
> diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
> index 2c60fc165801..d121a3b460f4 100644
> --- a/net/mac80211/cfg.c
> +++ b/net/mac80211/cfg.c
> @@ -2577,6 +2577,17 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
>   	if (!sband)
>   		return -EINVAL;
>   
> +	if (params->basic_rates) {
> +		if (!ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
> +					      wiphy->bands[sband->band],
> +					      params->basic_rates,
> +					      params->basic_rates_len,
> +					      &sdata->vif.bss_conf.basic_rates))
> +			return -EINVAL;
> +		changed |= BSS_CHANGED_BASIC_RATES;
> +		ieee80211_check_rate_mask(&sdata->deflink);
> +	}
> +
>   	if (params->use_cts_prot >= 0) {
>   		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
>   		changed |= BSS_CHANGED_ERP_CTS_PROT;
> @@ -2600,16 +2611,6 @@ static int ieee80211_change_bss(struct wiphy *wiphy,
>   		changed |= BSS_CHANGED_ERP_SLOT;
>   	}
>   
> -	if (params->basic_rates) {
> -		ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
> -					 wiphy->bands[sband->band],
> -					 params->basic_rates,
> -					 params->basic_rates_len,
> -					 &sdata->vif.bss_conf.basic_rates);
> -		changed |= BSS_CHANGED_BASIC_RATES;
> -		ieee80211_check_rate_mask(&sdata->deflink);
> -	}
> -
>   	if (params->ap_isolate >= 0) {
>   		if (params->ap_isolate)
>   			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;
Hi,
this is a backport for v6.1, I forgot to add the TAG in the subject of 
the email.
Should I resend a new patch with the correct version TAG?

Thanks,
Vincenzo

Greg KH July 30, 2024, 2:23 p.m. UTC | #2

On Mon, Jul 29, 2024 at 03:43:18PM +0200, Vincenzo Mezzela wrote:
> From: Johannes Berg <johannes.berg@intel.com>
> 
> commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
> 
> When userspace sets basic rates, it might send us some rates
> list that's empty or consists of invalid values only. We're
> currently ignoring invalid values and then may end up with a
> rates bitmap that's empty, which later results in a warning.
> 
> Reject the call if there were no valid rates.
> 
> [ Conflict resolution involved adjusting the patch to accommodate
> changes in the function signature of ieee80211_parse_bitrates and
> ieee80211_check_rate_mask ]
> 
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> Reported-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
> Tested-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=07bee335584b04e7c2f8
> Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
> ---
> Hi,
> please note that a backport of the same patch for v5.15 is available at
> [1].

Please resend [1] as it's gone from my queue.

greg k-h

vincenzo mezzela Aug. 10, 2024, 9:59 a.m. UTC | #3

On 7/30/24 16:23, Greg KH wrote:
> On Mon, Jul 29, 2024 at 03:43:18PM +0200, Vincenzo Mezzela wrote:
>> From: Johannes Berg <johannes.berg@intel.com>
>>
>> commit ce04abc3fcc62cd5640af981ebfd7c4dc3bded28 upstream.
>>
>> When userspace sets basic rates, it might send us some rates
>> list that's empty or consists of invalid values only. We're
>> currently ignoring invalid values and then may end up with a
>> rates bitmap that's empty, which later results in a warning.
>>
>> Reject the call if there were no valid rates.
>>
>> [ Conflict resolution involved adjusting the patch to accommodate
>> changes in the function signature of ieee80211_parse_bitrates and
>> ieee80211_check_rate_mask ]
>>
>> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
>> Reported-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
>> Tested-by: syzbot+07bee335584b04e7c2f8@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=07bee335584b04e7c2f8
>> Signed-off-by: Vincenzo Mezzela <vincenzo.mezzela@gmail.com>
>> ---
>> Hi,
>> please note that a backport of the same patch for v5.15 is available at
>> [1].
> Please resend [1] as it's gone from my queue.
>
> greg k-h

Hi Greg,

I've just sent it here [1].


Vincenzo


- [1] 
https://lore.kernel.org/all/20240810095432.89063-1-vincenzo.mezzela@gmail.com/

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 2c60fc165801..d121a3b460f4 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2577,6 +2577,17 @@  static int ieee80211_change_bss(struct wiphy *wiphy,
 	if (!sband)
 		return -EINVAL;
 
+	if (params->basic_rates) {
+		if (!ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
+					      wiphy->bands[sband->band],
+					      params->basic_rates,
+					      params->basic_rates_len,
+					      &sdata->vif.bss_conf.basic_rates))
+			return -EINVAL;
+		changed |= BSS_CHANGED_BASIC_RATES;
+		ieee80211_check_rate_mask(&sdata->deflink);
+	}
+
 	if (params->use_cts_prot >= 0) {
 		sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
 		changed |= BSS_CHANGED_ERP_CTS_PROT;
@@ -2600,16 +2611,6 @@  static int ieee80211_change_bss(struct wiphy *wiphy,
 		changed |= BSS_CHANGED_ERP_SLOT;
 	}
 
-	if (params->basic_rates) {
-		ieee80211_parse_bitrates(sdata->vif.bss_conf.chandef.width,
-					 wiphy->bands[sband->band],
-					 params->basic_rates,
-					 params->basic_rates_len,
-					 &sdata->vif.bss_conf.basic_rates);
-		changed |= BSS_CHANGED_BASIC_RATES;
-		ieee80211_check_rate_mask(&sdata->deflink);
-	}
-
 	if (params->ap_isolate >= 0) {
 		if (params->ap_isolate)
 			sdata->flags |= IEEE80211_SDATA_DONT_BRIDGE_PACKETS;

wifi: mac80211: check basic rates validity

Commit Message

Comments

Patch