Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp593126ioo;
        Thu, 26 May 2022 10:06:01 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJynxVpn26bbyMET5bd1ROlrd4CtCZp+a06tjI0wIUn2xZLdFHhy2siz7sWuvH/RmEnHFa2r
X-Received: by 2002:a17:902:7606:b0:161:df31:68f2 with SMTP id k6-20020a170902760600b00161df3168f2mr35961502pll.151.1653584761402;
        Thu, 26 May 2022 10:06:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1653584761; cv=none;
        d=google.com; s=arc-20160816;
        b=JF7X/D1DEmHqos+ZV0roxAMUaXxRS5z52OIODI5KLOKQPsE9PRST52IzG/A7v5uJnE
         Wyz7pvdQuoz62ktQckPX/y/gDmLzcMnCOtvfCCgaX8ZixbUcGdHqsP7FQuOhmtzKWDNq
         +4A5O0sQh9G0p112KGVKi17y7xs3lk112PU+R7a4HJUI3PNzUpwnk7ncAonSn9h1+7wr
         RKx/4Esrf58+31Sm1is4TYtcoExIg7ltU38cwXXSVC0hKTiv+QKLWuQTvWT6Bvywm9Q1
         UY47dDyTma6l312wXPUcJ83B2Lw56dmy6zTeCSdv3BPrZa56//3InHhrBD+eD7HMhNqc
         Cagw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:message-id:date:subject:cc:to:from;
        bh=GypMp3kLVSEv+CE/6DuqKb6qJAUtvdinNkbMHFz2jIY=;
        b=OSugyhQhvuREtQoWJiZaIBVCZerjXwHf+0tgRx0awdl6nDtyGEdY4YvWh1P40mf7VV
         IDpZTQ4j0hjOHAaWlc6PI0KQGD8sxNXyThLhdi+vr0Wgg3WuJzg/PVnscW1TCGDs5aAQ
         5hrXiMhKJ7s2HgtaQ6tsOBtpODDfEFeq9DXnufIrhpn1rUeKolDmfbzdrJcu1Zkbvpem
         bTROW2Fo91Xpgtq1WVWnYkBtTgy0f+AmtoBjBLLjkvnERfY4Pt35qQQ+UE1vuoYtiNB3
         MiQqJkDt7m2284dDu5y1qBCNCQu0ASWwoP62YCZxLCZuRWL5sxtmZbNFsLqcYmLEJeqP
         pBLw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id b12-20020a170902d50c00b00161c51fc80dsi2522578plg.152.2022.05.26.10.05.43;
        Thu, 26 May 2022 10:06:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233818AbiEZNf7 (ORCPT <rfc822;nico.escande@gmail.com>
        + 67 others); Thu, 26 May 2022 09:35:59 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37300 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S243897AbiEZNf4 (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Thu, 26 May 2022 09:35:56 -0400
Received: from mailgw01.mediatek.com (unknown [60.244.123.138])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A82B8DC83E
        for <linux-wireless@vger.kernel.org>; Thu, 26 May 2022 06:35:37 -0700 (PDT)
X-UUID: 2687b01b5baf4ddc99f666f97c596a7e-20220526
X-CID-P-RULE: Release_Ham
X-CID-O-INFO: VERSION:1.1.5,REQID:cf34f8b4-0e42-4790-9b6b-8a69c752b5e6,OB:0,LO
        B:0,IP:0,URL:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,RULE:Release_Ham,ACTI
        ON:release,TS:0
X-CID-META: VersionHash:2a19b09,CLOUDID:b9b99847-4fb1-496b-8f1d-39e733fed1ea,C
        OID:IGNORED,Recheck:0,SF:nil,TC:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil
        ,QS:0,BEC:nil
X-UUID: 2687b01b5baf4ddc99f666f97c596a7e-20220526
Received: from mtkmbs10n2.mediatek.inc [(172.21.101.183)] by mailgw01.mediatek.com
        (envelope-from <ryder.lee@mediatek.com>)
        (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256)
        with ESMTP id 1535917669; Thu, 26 May 2022 21:35:33 +0800
Received: from mtkmbs11n1.mediatek.inc (172.21.101.185) by
 mtkmbs11n1.mediatek.inc (172.21.101.185) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3;
 Thu, 26 May 2022 21:35:32 +0800
Received: from mtksdccf07.mediatek.inc (172.21.84.99) by
 mtkmbs11n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id
 15.2.792.3 via Frontend Transport; Thu, 26 May 2022 21:35:32 +0800
From:   Ryder Lee <ryder.lee@mediatek.com>
To:     <linux-wireless@vger.kernel.org>
CC:     Felix Fietkau <nbd@nbd.name>,
        Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
        Shayne Chen <shayne.chen@mediatek.com>,
        Evelyn Tsai <evelyn.tsai@mediatek.com>,
        <linux-mediatek@lists.infradead.org>,
        Ryder Lee <ryder.lee@mediatek.com>
Subject: [PATCH v2] mac80211: check skb_shared in ieee80211_8023_xmit()
Date:   Thu, 26 May 2022 21:35:32 +0800
Message-ID: <e7a73aaf7742b17e43421c56625646dfc5c4d2cb.1653571902.git.ryder.lee@mediatek.com>
X-Mailer: git-send-email 2.18.0
MIME-Version: 1.0
Content-Type: text/plain
X-MTK:  N
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_SCC_BODY_TEXT_LINE,
        T_SPF_HELO_TEMPERROR,T_SPF_TEMPERROR,UNPARSEABLE_RELAY autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Add a missing skb_shared check into 802.3 path to prevent potential
use-after-free from happening. This also uses skb_share_check()
instead of open-coding in tx path.

Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
change since v2 - switch to use skb_share_check()
---
 net/mac80211/tx.c | 36 +++++++++++++-----------------------
 1 file changed, 13 insertions(+), 23 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 0e4efc08c762..c425f4fb7c2e 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2818,19 +2818,10 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
 	/*
 	 * If the skb is shared we need to obtain our own copy.
 	 */
-	if (skb_shared(skb)) {
-		struct sk_buff *tmp_skb = skb;
-
-		/* can't happen -- skb is a clone if info_id != 0 */
-		WARN_ON(info_id);
-
-		skb = skb_clone(skb, GFP_ATOMIC);
-		kfree_skb(tmp_skb);
-
-		if (!skb) {
-			ret = -ENOMEM;
-			goto free;
-		}
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (unlikely(!skb)) {
+		ret = -ENOMEM;
+		goto free;
 	}
 
 	hdr.frame_control = fc;
@@ -3539,15 +3530,9 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
 
 	/* after this point (skb is modified) we cannot return false */
 
-	if (skb_shared(skb)) {
-		struct sk_buff *tmp_skb = skb;
-
-		skb = skb_clone(skb, GFP_ATOMIC);
-		kfree_skb(tmp_skb);
-
-		if (!skb)
-			return true;
-	}
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (unlikely(!skb))
+		return true;
 
 	if ((hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_QOS_DATA)) &&
 	    ieee80211_amsdu_aggregate(sdata, sta, fast_tx, skb))
@@ -4437,7 +4422,7 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
 				struct net_device *dev, struct sta_info *sta,
 				struct ieee80211_key *key, struct sk_buff *skb)
 {
-	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+	struct ieee80211_tx_info *info;
 	struct ieee80211_local *local = sdata->local;
 	struct tid_ampdu_tx *tid_tx;
 	u8 tid;
@@ -4452,6 +4437,11 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
 	    test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))
 		goto out_free;
 
+	skb = skb_share_check(skb, GFP_ATOMIC);
+	if (unlikely(!skb))
+		return;
+
+	info = IEEE80211_SKB_CB(skb);
 	memset(info, 0, sizeof(*info));
 
 	ieee80211_aggr_check(sdata, sta, skb);
-- 
2.29.2