From: greearb@candelatech.com
To: linux-wireless@vger.kernel.org
Cc: Ben Greear
Subject: [PATCH] wifi: mac80211: work around crash in mlme.c
Date: Mon, 23 Oct 2023 10:57:38 -0700
Message-Id: <20231023175738.1686631-1-greearb@candelatech.com>

From: Ben Greear

Protect from NULL ifmgd->assoc_data in ieee80211_mgd_deauth, crash
was seen here fairly often in a 32-station test case utilizing
mtk7922 and be200 radios. I'm not sure if radio types matter though.

Signed-off-by: Ben Greear
---

Patch is for wireless-next tree, bug was likely introduced in this
release since this crash was not seen in earlier 6.6-rc testing
nor in 6.5 or earlier. There may be a better way to fix this...

 net/mac80211/mlme.c | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 7695531de611..d2a44a13625c 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -8185,13 +8185,18 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, "aborting authentication with %pM by local choice (Reason: %u=%s)\n", req->bssid, req->reason_code, ieee80211_get_reason_code_string(req->reason_code)); - - info.link_id = ifmgd->assoc_data->assoc_link_id; - drv_mgd_prepare_tx(sdata->local, sdata, &info); - ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, - IEEE80211_STYPE_DEAUTH, - req->reason_code, tx, - frame_buf); + if (WARN_ON_ONCE((unsigned long)(ifmgd) < 4000 || + (unsigned long)(ifmgd->assoc_data) < 4000)) { + sdata_err(sdata, "ieee80211-mgd-auth abort auth, bad memory: ifmgd: %p ifmgd->assoc_data: %p\n", + ifmgd, ifmgd->assoc_data); + } else { + info.link_id = ifmgd->assoc_data->assoc_link_id; + drv_mgd_prepare_tx(sdata->local, sdata, &info); + ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, + IEEE80211_STYPE_DEAUTH, + req->reason_code, tx, + frame_buf); + } ieee80211_destroy_auth_data(sdata, false); ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, 
@@ -8207,12 +8212,18 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, req->bssid, req->reason_code, ieee80211_get_reason_code_string(req->reason_code)); - info.link_id = ifmgd->auth_data->link_id; - drv_mgd_prepare_tx(sdata->local, sdata, &info); - ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, - IEEE80211_STYPE_DEAUTH, - req->reason_code, tx, - frame_buf); + if (WARN_ON_ONCE((unsigned long)(ifmgd) < 4000 || + (unsigned long)(ifmgd->assoc_data) < 4000)) { + sdata_err(sdata, "ieee80211-mgd-auth abort assoc, bad memory: ifmgd: %p ifmgd->assoc_data: %p\n", + ifmgd, ifmgd->assoc_data); + } else { + info.link_id = ifmgd->auth_data->link_id; + drv_mgd_prepare_tx(sdata->local, sdata, &info); + ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, + IEEE80211_STYPE_DEAUTH, + req->reason_code, tx, + frame_buf); + } ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON); ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, -- 2.40.0
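
Review bot: In the first hunk (@@ -8185), the branch that logs "aborting authentication" and ends in ieee80211_destroy_auth_data() takes info.link_id from ifmgd->assoc_data->assoc_link_id, and the new guard keeps that read instead of questioning it. Since this branch is tearing down auth_data, the link id probably belongs to ifmgd->auth_data->link_id, which would make the guard unnecessary. If a guard stays, test the pointer directly with !ifmgd->assoc_data rather than casting to unsigned long and comparing against the unexplained constant 4000, and say in the commit message that the deauth frame is no longer sent when the guard fires.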
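
Review bot: In the second hunk (@@ -8207), the guard tests ifmgd->assoc_data but the else branch dereferences ifmgd->auth_data->link_id, so the pointer that is actually read is never checked. This branch ends in ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON), so the two branches appear to have their link-id sources swapped: reading ifmgd->assoc_data->assoc_link_id here and ifmgd->auth_data->link_id in the authentication branch would match each branch's own data. The sdata_err() text prints only ifmgd and ifmgd->assoc_data, which will mislead if auth_data is the NULL pointer.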