mac80211: don't leave skb->next/prev pointing to stack

Commit Message

Johannes Berg March 20, 2020, 9:20 a.m. UTC

From: Johannes Berg <johannes.berg@intel.com>

In beacon protection, don't leave skb->next/prev pointing to the
on-stack list, even if that's actually harmless since we don't use
them again afterwards.

While at it, check that the SKB on the list is still the same, as
that's required here. If not, the encryption (protection) code is
buggy.

Fixes: 0a3a84360b37 ("mac80211: Beacon protection using the new BIGTK (AP)")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/tx.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Patch

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 83147385c200..49d35936cc9d 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -4670,6 +4670,7 @@  static int ieee80211_beacon_protect(struct sk_buff *skb,
 {
 	ieee80211_tx_result res;
 	struct ieee80211_tx_data tx;
+	struct sk_buff *check_skb;
 
 	memset(&tx, 0, sizeof(tx));
 	tx.key = rcu_dereference(sdata->default_beacon_key);
@@ -4680,8 +4681,11 @@  static int ieee80211_beacon_protect(struct sk_buff *skb,
 	__skb_queue_head_init(&tx.skbs);
 	__skb_queue_tail(&tx.skbs, skb);
 	res = ieee80211_tx_h_encrypt(&tx);
+	check_skb = __skb_dequeue(&tx.skbs);
+	/* we may crash after this, but it'd be a bug in crypto */
+	WARN_ON(check_skb != skb);
 	if (WARN_ON_ONCE(res != TX_CONTINUE))
-		return -1;
+		return -EINVAL;
 
 	return 0;
 }