LinuxLists.cc - [PATCH 0/1] Fix potential HE IE bug and some other questions

2022-09-28 23:05:19

Subject: [PATCH 0/1] Fix potential HE IE bug and some other questions

I believe there is a bug when building the probe request IEs for the
HE capabilities. More info in the patch. While looking at this I
noticed some other confusing code related to building the probe
request.

Looking at ieee80211_build_preq_ies. It is passed 'bands_used' which
is a bitmask of bands. A probe request is only sent out on a single
band so why would this contain multiple bands? We then loop over these
bands and call ieee80211_build_preq_ies_band for each one.
This, AFAICT, would append the same IEs multiple times if 'bands_used'
contained more than one band. Internal to mac80211/util.c its only
passed BIT(chan->band), but mac80211/scan.c seems to pass a list...

Below is the warning I am seeing (many, many times). It says the warning
is in build_preq_ies, but it really seems like this is not correct
and its actually in ieee80211_get_he_6ghz_capa since I see no warning
message as others _should_ have.

[ 732.130000] ------------[ cut here ]------------
[ 732.130000] WARNING: CPU: 0 PID: 1352 at include/net/cfg80211.h:608 ieee80211_build_preq_ies+0x766/0x84d
[ 732.130000] Modules linked in:
[ 732.130000] CPU: 0 PID: 1352 Comm: kworker/u2:0 Tainted: G W 5.19.0 #1
[ 732.130000] Workqueue: rad6 ieee80211_scan_work
[ 732.130000] Stack:
[ 732.130000] 605d0943 60256c96 60035421 00000001
[ 732.130000] 6052cddd 60450efa 61f3d5d9 60454c00
[ 732.130000] 00000000 00000000 00000009 6003e77d
[ 732.130000] Call Trace:
[ 732.130000] [<60256c96>] ? dump_stack_print_info+0xe1/0xef
[ 732.130000] [<60035421>] ? um_set_signals+0x0/0x3c
[ 732.130000] [<60450efa>] ? _printk+0x0/0x9f
[ 732.130000] [<60454c00>] ? dump_stack_lvl+0x47/0x52
[ 732.130000] [<6003e77d>] ? __warn+0xf2/0x123
[ 732.130000] [<60035449>] ? um_set_signals+0x28/0x3c
[ 732.130000] [<604501bb>] ? warn_slowpath_fmt+0xd6/0xe2
[ 732.130000] [<6042830f>] ? ieee80211_prepare_and_rx_handle+0xbf4/0xc22
[ 732.130000] [<604500e5>] ? warn_slowpath_fmt+0x0/0xe2
[ 732.130000] [<603d3bc5>] ? ieee80211_ie_split_ric+0xe4/0xfe
[ 732.130000] [<60035421>] ? um_set_signals+0x0/0x3c
[ 732.130000] [<604341ac>] ? ieee80211_vif_type_p2p+0x0/0x26
[ 732.130000] [<6043aeb5>] ? ieee80211_build_preq_ies+0x766/0x84d
[ 732.130000] [<60035377>] ? unblock_signals+0x36/0xe0
[ 732.130000] [<60429f6c>] ? skb_put_zero+0x2c/0x34
[ 732.130000] [<60429f40>] ? skb_put_zero+0x0/0x34
[ 732.130000] [<6043b095>] ? ieee80211_build_probe_req+0xf9/0x161
[ 732.130000] [<6040c2ed>] ? ieee80211_scan_state_send_probe+0xaf/0x14c
[ 732.130000] [<60051181>] ? queue_delayed_work_on+0x67/0x72
[ 732.130000] [<6040d1b0>] ? ieee80211_scan_work+0x40b/0x503
[ 732.130000] [<6040cda5>] ? ieee80211_scan_work+0x0/0x503
[ 732.130000] [<600529de>] ? process_one_work+0x1b0/0x2b1
[ 732.130000] [<6004f829>] ? move_linked_works+0x0/0x57
[ 732.130000] [<60053086>] ? worker_thread+0x270/0x39b
[ 732.130000] [<6004f909>] ? set_pf_worker+0x0/0x5f
[ 732.130000] [<60057231>] ? arch_local_irq_save+0x0/0x26
[ 732.130000] [<60035449>] ? um_set_signals+0x28/0x3c
[ 732.130000] [<60052e16>] ? worker_thread+0x0/0x39b
[ 732.130000] [<600588ef>] ? kthread_exit+0x0/0x37
[ 732.130000] [<60052e16>] ? worker_thread+0x0/0x39b
[ 732.130000] [<60058a6d>] ? kthread+0x11f/0x124
[ 732.130000] [<60035377>] ? unblock_signals+0x36/0xe0
[ 732.130000] [<60021f95>] ? new_thread_handler+0x86/0xbb
[ 732.130000] ---[ end trace 0000000000000000 ]---
[ 732.210000] ------------[ cut here ]------------

James Prestwood (1):
wifi: mac80211: fix probe req HE capabilities access

net/mac80211/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--
2.34.3

2022-09-29 09:57:48

by Johannes Berg

[permalink] [raw]

Subject: Re: [PATCH 0/1] Fix potential HE IE bug and some other questions

On Wed, 2022-09-28 at 15:49 -0700, James Prestwood wrote:
> I believe there is a bug when building the probe request IEs for the
> HE capabilities. More info in the patch.
>

That fix seems right.

> While looking at this I
> noticed some other confusing code related to building the probe
> request.
>
> Looking at ieee80211_build_preq_ies. It is passed 'bands_used' which
> is a bitmask of bands. A probe request is only sent out on a single
> band so why would this contain multiple bands?
>

The function can be used to prepare a HW scan request, which can contain
the elements for all bands that the HW is being asked to scan on.

> We then loop over these
> bands and call ieee80211_build_preq_ies_band for each one.

Correct, and ie_desc->ies[band]/len[band] gets the pointer/size for each
band.

> This, AFAICT, would append the same IEs multiple times if 'bands_used'
> contained more than one band.
>

Correct.

> Internal to mac80211/util.c its only
> passed BIT(chan->band), but mac80211/scan.c seems to pass a list...

Right, that's because "internal" is ieee80211_build_probe_req(), which
builds only a single probe request, while the other code is for HW scan.

> Below is the warning I am seeing (many, many times). It says the warning
> is in build_preq_ies, but it really seems like this is not correct
> and its actually in ieee80211_get_he_6ghz_capa since I see no warning
> message as others _should_ have.
>
> [ 732.130000] ------------[ cut here ]------------
> [ 732.130000] WARNING: CPU: 0 PID: 1352 at include/net/cfg80211.h:608 ieee80211_build_preq_ies+0x766/0x84d

The line number is in ieee80211_get_he_6ghz_capa() but that's inlined,
and that doesn't always work so well for the symbol resolution.

johannes