2021-10-26 06:46:21

by Wen Gong

Subject: [PATCH] ath10k: drop beacon and probe response which leak from other channel

When a scan request is on channel 1, it also receives beacons from other
channels, and those beacons are also indicated to mac80211 and wpa_supplicant,
and then the BSS info appears in the radio measurement report sent from
wpa_supplicant, thus leading the RRM case to fail.

This is to drop the beacons and probe responses which are not on the same
channel as the scan.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049

Signed-off-by: Wen Gong <[email protected]>
---
This depends on commit
97981d89a1d47942a2d7517631d2400b99fe3f93
("cfg80211: separate get channel number from ies")

drivers/net/wireless/ath/ath10k/wmi.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index d48b922215eb..2c75fdddbf6e 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -2610,6 +2610,29 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
if (ieee80211_is_beacon(hdr->frame_control))
ath10k_mac_handle_beacon(ar, skb);

+ if (ieee80211_is_beacon(hdr->frame_control) ||
+ ieee80211_is_probe_resp(hdr->frame_control)) {
+ struct ieee80211_mgmt *mgmt = (void *)skb->data;
+ u8 *ies;
+ int ies_ch;
+
+ if (!ar->scan_channel)
+ goto drop;
+
+ ies = mgmt->u.beacon.variable;
+
+ ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
+ skb_tail_pointer(skb) - ies,
+ sband->band);
+
+ if (ies_ch > 0 && ies_ch != channel) {
+ ath10k_dbg(ar, ATH10K_DBG_MGMT,
+ "channel mismatched ds channel %d scan channel %d\n",
+ ies_ch, channel);
+ goto drop;
+ }
+ }
+
ath10k_dbg(ar, ATH10K_DBG_MGMT,
"event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
skb, skb->len,
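Review bot: the `if (!ar->scan_channel) goto drop;` at the top of this block discards every beacon and probe response received while no scan is in progress, which is wider than the commit message argues for (it only motivates dropping off-channel frames during a scan) and would also remove frames that arrive outside scanning, such as a probe response to a directed probe. Suggest making the filter conditional rather than the delivery: `if (ar->scan_channel) { ... }` around the channel comparison, so non-scan frames keep flowing unchanged. Two smaller points in the same hunk: `ies` is assigned from `mgmt->u.beacon.variable` but the call then passes `mgmt->u.beacon.variable` again, so pass `ies` (or drop the local); and `skb_tail_pointer(skb) - ies` is computed without first checking that `skb->len` covers the fixed beacon fields, so a short frame produces a negative difference that is passed as a length. Add a guard such as `if (skb->len < offsetof(struct ieee80211_mgmt, u.beacon.variable)) goto drop;` before the parse. Also note the ordering: a beacon is handed to `ath10k_mac_handle_beacon()` two lines above this check, so a leaked beacon still reaches the driver's own beacon handling before being dropped.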
@@ -2623,6 +2646,10 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
ieee80211_rx_ni(ar->hw, skb);

return 0;
+
+drop:
+ dev_kfree_skb(skb);
+ return 0;
}

static int freq_to_idx(struct ath10k *ar, int freq)
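Review bot: style point on the new `drop:` label: this function already has two inline `dev_kfree_skb(skb); return 0;` exits earlier (the CAC/rx-status error path and the unknown-band path, visible in the robot's listing at lines 2534-2535 and 2559-2560), so the patch now mixes two conventions for the same exit. Either route those existing exits through the new label as well, or keep the new exits inline like the existing ones; mixing both in one function makes the drop paths harder to audit.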
--
2.31.1
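An added, self-contained model of the check this patch introduces, written for this page and not taken from ath10k or cfg80211: it walks the beacon or probe-response elements the way cfg80211_get_ies_channel_number() does (DS Parameter Set on 2.4 GHz, HT Operation primary channel otherwise; the 6 GHz HE Operation path of the real helper is omitted) and then applies the patch's keep-or-drop decision, including the short-frame and truncated-element cases a reviewer would want covered. The function names, the constants and the sample beacon are assumptions constructed for the example.

```c
/* Added example (not ath10k or cfg80211 code): a self-contained model of the
 * channel check the patch performs with cfg80211_get_ies_channel_number().
 * Element IDs and frame layout follow IEEE 802.11; the function names and the
 * sample frame are constructed for this example. The real helper also handles
 * 6 GHz (HE Operation); that band is omitted here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WLAN_EID_DS_PARAMS     3   /* DS Parameter Set: one octet, channel */
#define WLAN_EID_HT_OPERATION  61  /* HT Operation: first octet is primary channel */

/* 24-byte management header, then timestamp(8) + beacon interval(2) +
 * capability(2) before the first element, for beacons and probe responses. */
#define IES_OFFSET (24 + 8 + 2 + 2)

enum { BAND_2GHZ, BAND_5GHZ };

/* Return the body of the first element with id `eid`, or NULL. An element whose
 * length byte runs past the buffer ends the walk without being read. */
static const uint8_t *find_ie(const uint8_t *ies, size_t len, uint8_t eid,
                              size_t *elen)
{
    size_t pos = 0;

    while (pos + 2 <= len) {
        uint8_t id = ies[pos];
        size_t l = ies[pos + 1];

        if (pos + 2 + l > len)
            return NULL;              /* truncated element */
        if (id == eid) {
            *elen = l;
            return ies + pos + 2;
        }
        pos += 2 + l;
    }
    return NULL;
}

/* Channel the frame claims to be on, or 0 if it does not say (same contract as
 * the cfg80211 helper: 2.4 GHz trusts DS Params, otherwise HT Operation). */
int ies_channel_number(const uint8_t *ies, size_t len, int band)
{
    const uint8_t *e;
    size_t elen;

    if (band == BAND_2GHZ) {
        e = find_ie(ies, len, WLAN_EID_DS_PARAMS, &elen);
        if (e && elen >= 1)
            return e[0];
    }
    e = find_ie(ies, len, WLAN_EID_HT_OPERATION, &elen);
    if (e && elen >= 1)
        return e[0];
    return 0;
}

/* The patch's decision: 1 = drop, 0 = hand to mac80211. A frame shorter than
 * the fixed beacon fields is rejected up front instead of being parsed with a
 * length computed from a pointer past the end of the data. */
int should_drop_frame(const uint8_t *frame, size_t frame_len, int rx_channel,
                      int band)
{
    int ies_ch;

    if (frame_len < IES_OFFSET)
        return 1;
    ies_ch = ies_channel_number(frame + IES_OFFSET, frame_len - IES_OFFSET, band);
    return ies_ch > 0 && ies_ch != rx_channel;
}

/* Constructed beacon: broadcast DA, BSSID 02:00:00:00:00:01, SSID "x",
 * DS Parameter Set announcing channel 6. */
static const uint8_t beacon_ch6[] = {
    0x80, 0x00, 0x00, 0x00,                   /* FC = beacon, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,       /* DA */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,       /* SA */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,       /* BSSID */
    0x00, 0x00,                               /* seq ctrl */
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x00, /* ts, bint, capab */
    0x00, 0x01, 'x',                          /* SSID */
    0x03, 0x01, 0x06,                         /* DS Params: channel 6 */
};

/* Scanning on channel 1 but the beacon says channel 6: the leak case. */
int demo_leaked_beacon(void)
{
    return should_drop_frame(beacon_ch6, sizeof(beacon_ch6), 1, BAND_2GHZ);
}

/* Same beacon received on its own channel: kept. */
int demo_on_channel_beacon(void)
{
    return should_drop_frame(beacon_ch6, sizeof(beacon_ch6), 6, BAND_2GHZ);
}

/* Copy cut one byte short, inside the DS element: no channel claim, kept. */
int demo_truncated_beacon(void)
{
    return should_drop_frame(beacon_ch6, sizeof(beacon_ch6) - 1, 1, BAND_2GHZ);
}

/* Runt frame shorter than the fixed fields: rejected before parsing. */
int demo_runt_frame(void)
{
    return should_drop_frame(beacon_ch6, 20, 1, BAND_2GHZ);
}

int main(void)
{
    printf("leaked=%d on-channel=%d truncated=%d runt=%d\n",
           demo_leaked_beacon(), demo_on_channel_beacon(),
           demo_truncated_beacon(), demo_runt_frame());
    return 0;
}
```

The truncated case is the one worth noticing: a beacon cut inside its DS Parameter Set yields no channel claim and is therefore kept, which matches the `ies_ch > 0` condition in the patch; whether that is the desired outcome for a scan filter, or whether such a frame should be dropped as malformed, is a policy choice the patch does not state.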


2021-10-27 12:56:38

by kernel test robot

Subject: Re: [PATCH] ath10k: drop beacon and probe response which leak from other channel

Hi Wen,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on v5.15-rc7]
[cannot apply to kvalo-ath/ath-next kvalo-wireless-drivers-next/master next-20211026]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/Wen-Gong/ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel/20211026-105155
base: 3906fe9bb7f1a2c8667ae54e967dc8690824f4ea
config: nios2-allyesconfig (attached as .config)
compiler: nios2-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/023e143f5369642ccd3eca10fbce0eb7b1bf5696
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Wen-Gong/ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel/20211026-105155
git checkout 023e143f5369642ccd3eca10fbce0eb7b1bf5696
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross ARCH=nios2

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All errors (new ones prefixed by >>):

drivers/net/wireless/ath/ath10k/wmi.c: In function 'ath10k_wmi_event_mgmt_rx':
>> drivers/net/wireless/ath/ath10k/wmi.c:2624:26: error: implicit declaration of function 'cfg80211_get_ies_channel_number'; did you mean 'cfg80211_get_chandef_type'? [-Werror=implicit-function-declaration]
2624 | ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| cfg80211_get_chandef_type
cc1: all warnings being treated as errors


vim +2624 drivers/net/wireless/ath/ath10k/wmi.c

2498
2499 int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb)
2500 {
2501 struct wmi_mgmt_rx_ev_arg arg = {};
2502 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2503 struct ieee80211_hdr *hdr;
2504 struct ieee80211_supported_band *sband;
2505 u32 rx_status;
2506 u32 channel;
2507 u32 phy_mode;
2508 u32 snr, rssi;
2509 u32 rate;
2510 u16 fc;
2511 int ret, i;
2512
2513 ret = ath10k_wmi_pull_mgmt_rx(ar, skb, &arg);
2514 if (ret) {
2515 ath10k_warn(ar, "failed to parse mgmt rx event: %d\n", ret);
2516 dev_kfree_skb(skb);
2517 return ret;
2518 }
2519
2520 channel = __le32_to_cpu(arg.channel);
2521 rx_status = __le32_to_cpu(arg.status);
2522 snr = __le32_to_cpu(arg.snr);
2523 phy_mode = __le32_to_cpu(arg.phy_mode);
2524 rate = __le32_to_cpu(arg.rate);
2525
2526 memset(status, 0, sizeof(*status));
2527
2528 ath10k_dbg(ar, ATH10K_DBG_MGMT,
2529 "event mgmt rx status %08x\n", rx_status);
2530
2531 if ((test_bit(ATH10K_CAC_RUNNING, &ar->dev_flags)) ||
2532 (rx_status & (WMI_RX_STATUS_ERR_DECRYPT |
2533 WMI_RX_STATUS_ERR_KEY_CACHE_MISS | WMI_RX_STATUS_ERR_CRC))) {
2534 dev_kfree_skb(skb);
2535 return 0;
2536 }
2537
2538 if (rx_status & WMI_RX_STATUS_ERR_MIC)
2539 status->flag |= RX_FLAG_MMIC_ERROR;
2540
2541 if (rx_status & WMI_RX_STATUS_EXT_INFO) {
2542 status->mactime =
2543 __le64_to_cpu(arg.ext_info.rx_mac_timestamp);
2544 status->flag |= RX_FLAG_MACTIME_END;
2545 }
2546 /* Hardware can Rx CCK rates on 5GHz. In that case phy_mode is set to
2547 * MODE_11B. This means phy_mode is not a reliable source for the band
2548 * of mgmt rx.
2549 */
2550 if (channel >= 1 && channel <= 14) {
2551 status->band = NL80211_BAND_2GHZ;
2552 } else if (channel >= 36 && channel <= ATH10K_MAX_5G_CHAN) {
2553 status->band = NL80211_BAND_5GHZ;
2554 } else {
2555 /* Shouldn't happen unless list of advertised channels to
2556 * mac80211 has been changed.
2557 */
2558 WARN_ON_ONCE(1);
2559 dev_kfree_skb(skb);
2560 return 0;
2561 }
2562
2563 if (phy_mode == MODE_11B && status->band == NL80211_BAND_5GHZ)
2564 ath10k_dbg(ar, ATH10K_DBG_MGMT, "wmi mgmt rx 11b (CCK) on 5GHz\n");
2565
2566 sband = &ar->mac.sbands[status->band];
2567
2568 status->freq = ieee80211_channel_to_frequency(channel, status->band);
2569 status->signal = snr + ATH10K_DEFAULT_NOISE_FLOOR;
2570
2571 BUILD_BUG_ON(ARRAY_SIZE(status->chain_signal) != ARRAY_SIZE(arg.rssi));
2572
2573 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
2574 status->chains &= ~BIT(i);
2575 rssi = __le32_to_cpu(arg.rssi[i]);
2576 ath10k_dbg(ar, ATH10K_DBG_MGMT, "mgmt rssi[%d]:%d\n", i, arg.rssi[i]);
2577
2578 if (rssi != ATH10K_INVALID_RSSI && rssi != 0) {
2579 status->chain_signal[i] = ATH10K_DEFAULT_NOISE_FLOOR + rssi;
2580 status->chains |= BIT(i);
2581 }
2582 }
2583
2584 status->rate_idx = ath10k_mac_bitrate_to_idx(sband, rate / 100);
2585
2586 hdr = (struct ieee80211_hdr *)skb->data;
2587 fc = le16_to_cpu(hdr->frame_control);
2588
2589 /* Firmware is guaranteed to report all essential management frames via
2590 * WMI while it can deliver some extra via HTT. Since there can be
2591 * duplicates split the reporting wrt monitor/sniffing.
2592 */
2593 status->flag |= RX_FLAG_SKIP_MONITOR;
2594
2595 ath10k_wmi_handle_wep_reauth(ar, skb, status);
2596
2597 if (ath10k_wmi_rx_is_decrypted(ar, hdr)) {
2598 status->flag |= RX_FLAG_DECRYPTED;
2599
2600 if (!ieee80211_is_action(hdr->frame_control) &&
2601 !ieee80211_is_deauth(hdr->frame_control) &&
2602 !ieee80211_is_disassoc(hdr->frame_control)) {
2603 status->flag |= RX_FLAG_IV_STRIPPED |
2604 RX_FLAG_MMIC_STRIPPED;
2605 hdr->frame_control = __cpu_to_le16(fc &
2606 ~IEEE80211_FCTL_PROTECTED);
2607 }
2608 }
2609
2610 if (ieee80211_is_beacon(hdr->frame_control))
2611 ath10k_mac_handle_beacon(ar, skb);
2612
2613 if (ieee80211_is_beacon(hdr->frame_control) ||
2614 ieee80211_is_probe_resp(hdr->frame_control)) {
2615 struct ieee80211_mgmt *mgmt = (void *)skb->data;
2616 u8 *ies;
2617 int ies_ch;
2618
2619 if (!ar->scan_channel)
2620 goto drop;
2621
2622 ies = mgmt->u.beacon.variable;
2623
> 2624 ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
2625 skb_tail_pointer(skb) - ies,
2626 sband->band);
2627
2628 if (ies_ch > 0 && ies_ch != channel) {
2629 ath10k_dbg(ar, ATH10K_DBG_MGMT,
2630 "channel mismatched ds channel %d scan channel %d\n",
2631 ies_ch, channel);
2632 goto drop;
2633 }
2634 }
2635
2636 ath10k_dbg(ar, ATH10K_DBG_MGMT,
2637 "event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
2638 skb, skb->len,
2639 fc & IEEE80211_FCTL_FTYPE, fc & IEEE80211_FCTL_STYPE);
2640
2641 ath10k_dbg(ar, ATH10K_DBG_MGMT,
2642 "event mgmt rx freq %d band %d snr %d, rate_idx %d\n",
2643 status->freq, status->band, status->signal,
2644 status->rate_idx);
2645
2646 ieee80211_rx_ni(ar->hw, skb);
2647
2648 return 0;
2649
2650 drop:
2651 dev_kfree_skb(skb);
2652 return 0;
2653 }
2654

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]


Attachments:
(No filename) (7.68 kB)
.config.gz (59.62 kB)

2021-12-07 17:58:05

by Kalle Valo

Subject: Re: [PATCH] ath10k: drop beacon and probe response which leak from other channel

Wen Gong <[email protected]> wrote:

> When a scan request is on channel 1, it also receives beacons from other
> channels, and those beacons are also indicated to mac80211 and wpa_supplicant,
> and then the BSS info appears in the radio measurement report sent from
> wpa_supplicant, thus leading the RRM case to fail.
>
> This is to drop the beacons and probe responses which are not on the same
> channel as the scan.
>
> Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
>
> Signed-off-by: Wen Gong <[email protected]>
> Reported-by: kernel test robot <[email protected]>

Fails to apply:

error: patch failed: drivers/net/wireless/ath/ath10k/wmi.c:2610
error: drivers/net/wireless/ath/ath10k/wmi.c: patch does not apply
stg import: Diff does not apply cleanly

Patch set to Changes Requested.

--
https://patchwork.kernel.org/project/linux-wireless/patch/[email protected]/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches