Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp2653240imj;
        Mon, 11 Feb 2019 06:31:08 -0800 (PST)
X-Google-Smtp-Source: AHgI3IYoulIyZ2Qv1YrCr3/x58U/ByCjzSmYum6fKn2UGwc69VL+PTvtDZu/eKOtUQjLBhBRcOC7
X-Received: by 2002:a63:fc59:: with SMTP id r25mr18861697pgk.302.1549895468703;
        Mon, 11 Feb 2019 06:31:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549895468; cv=none;
        d=google.com; s=arc-20160816;
        b=lNmg92A/t9CQd1AW4V+PSLUQgGWMnwk48xKMG9kHxuskhwQqHKNK6g/hpMfLX1aC6W
         K4YfNtgw28m2qA6r1N3pdlxB+ZDuyTXViKOdjYwoi/flVk03xlT8mrOdq5o+UqEkr6fL
         iPOCIagw5GVIEWxFqWvK71j8dtUZulboTPCVUjJUWd8ikeVAjQ8TxcIfvQaTg9N2+Zfw
         ruRO4wXZMmHDbVs2m/NjgZNyPOK+9/x6c2+2s4YC6Khnze+CryU0jW2tXtgD2YRgw8iO
         hgBkXfYiDCz0Ub3ncmeqqkycLuKSlcD3I0fWuw+N6vCtVK8Mrd1yXE6miP6+vcBmxnlO
         Yo+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=EHxPfoAUV/t1WlC9VyTO6jyC/pm36VW5Oulor3fj+GY=;
        b=A1AoLYgvRPLChDfoTFdRv8j4M5dJJwCuHoervJ4p5M7jQUlzAdWgc14hqckjDYKOhc
         1R2z5GAljHTLsftnjaXquEyE2js37JdyCP9yMg9c/TbVRf627FxMIRwCYH19syOeSmGP
         tKj9nH1yQ9kH4lDU4vlZonwIvCov8O5WECen1H1dY4rj9cRIRXdxhd/daAa72qi9vHRb
         x4G9CLKuKwWx2h6ed+OppX0mjnUwddWlFRkhFgdV0bOrRV6GcwjHdOeyMkqjBvexRUix
         DYl32obyfrjVZkImZ1a/2YhBsRr+IJVdZr4vNxGrZ+xf9a/31jg73l53E5nnWrTRL+vd
         hOOg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=aLniGRnw;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e15si9871547pgg.281.2019.02.11.06.30.52;
        Mon, 11 Feb 2019 06:31:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=aLniGRnw;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728644AbfBKOaT (ORCPT <rfc822;jekfish0@gmail.com> + 99 others);
        Mon, 11 Feb 2019 09:30:19 -0500
Received: from mail.kernel.org ([198.145.29.99]:36584 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729552AbfBKOaN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Feb 2019 09:30:13 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D940D20675;
        Mon, 11 Feb 2019 14:30:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1549895412;
        bh=ejmSe/8NqA10huS4TsCJLWKtHcDJGmb31xrVEMwle84=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=aLniGRnwzQWieFJHUFxTilsIuXz+gSMUcv6Q9lW4Bvy299Tdp1AaVQ4/2BLG6V0hI
         7XmV8EiaSL3lIJTT1gzylQNCBaU8pDTQmYguEhCMnm1XCio3CR2lVmu9R41R+FfRCD
         5FeT9xB0dcr4jv8QrZYtVD9EQw1aLh4Mhp7IpCa0=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Ilan Peer <ilan.peer@intel.com>,
        Luca Coelho <luciano.coelho@intel.com>,
        Johannes Berg <johannes.berg@intel.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.20 196/352] mac80211: Properly handle SKB with radiotap only
Date:   Mon, 11 Feb 2019 15:17:03 +0100
Message-Id: <20190211141859.608082806@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190211141846.543045703@linuxfoundation.org>
References: <20190211141846.543045703@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 8020919a9b99d6c990dc6a50e8215e291fbbe5a6 ]

The monitor interface Rx handling of SKBs that contain only
radiotap information was buggy as it tried to access the
SKB assuming it contains a frame.

To fix this, check the RX_FLAG_NO_PSDU flag in the Rx status
(indicting that the SKB contains only radiotap information),
and do not perform data path specific processing when the flag
is set.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/rx.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 428f7ad5f9b5..77d996a60f12 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -753,6 +753,7 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 	struct ieee80211_sub_if_data *monitor_sdata =
 		rcu_dereference(local->monitor_sdata);
 	bool only_monitor = false;
+	unsigned int min_head_len;
 
 	if (status->flag & RX_FLAG_RADIOTAP_HE)
 		rtap_space += sizeof(struct ieee80211_radiotap_he);
@@ -766,6 +767,8 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 		rtap_space += sizeof(*rtap) + rtap->len + rtap->pad;
 	}
 
+	min_head_len = rtap_space;
+
 	/*
 	 * First, we may need to make a copy of the skb because
 	 *  (1) we need to modify it for radiotap (if not present), and
@@ -775,18 +778,23 @@ ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 	 * the SKB because it has a bad FCS/PLCP checksum.
 	 */
 
-	if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
-		if (unlikely(origskb->len <= FCS_LEN)) {
-			/* driver bug */
-			WARN_ON(1);
-			dev_kfree_skb(origskb);
-			return NULL;
+	if (!(status->flag & RX_FLAG_NO_PSDU)) {
+		if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
+			if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
+				/* driver bug */
+				WARN_ON(1);
+				dev_kfree_skb(origskb);
+				return NULL;
+			}
+			present_fcs_len = FCS_LEN;
 		}
-		present_fcs_len = FCS_LEN;
+
+		/* also consider the hdr->frame_control */
+		min_head_len += 2;
 	}
 
-	/* ensure hdr->frame_control and vendor radiotap data are in skb head */
-	if (!pskb_may_pull(origskb, 2 + rtap_space)) {
+	/* ensure that the expected data elements are in skb head */
+	if (!pskb_may_pull(origskb, min_head_len)) {
 		dev_kfree_skb(origskb);
 		return NULL;
 	}
-- 
2.19.1