Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp5714493rdb; Wed, 13 Dec 2023 18:08:24 -0800 (PST) X-Google-Smtp-Source: AGHT+IGpvTVk5rLnkfpga65z+Jv8V2g4sDTMb0+1NfJiTZcgNUKHv9cHmBFCbJP5lGhdIQwRn8ub X-Received: by 2002:a05:620a:1362:b0:77f:7aa:2fac with SMTP id d2-20020a05620a136200b0077f07aa2facmr10022783qkl.99.1702519704540; Wed, 13 Dec 2023 18:08:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702519704; cv=none; d=google.com; s=arc-20160816; b=KRz4mWETjiOzWUvsHKTw/pZfW9dN7bkTc1MDMccZx6prRxaMyXLt7GH2Jszddwij9w ju6lCxrID76RiVsNaqvRimUd+kARyYro+mHSDwbdtE+71kthEZQI7i0fJsDZiqRESALh 6PosDeeBV1vcBWGFRHx/S0sATgJWSdJK0xbRK1CxTpxc7VlbgCwJpoDcqjvEK2Zo9yKf B07IqjGd/ohGGTlSkQVjSZ/4DhRbU8zMvt1L/S6IyRAQ6Vi23Ct27URq5g+76PHJSxCg 8RqYalAYMtinERimucWkFxFeJxOLaE0VmQMZdDrLZTwd7s2XhM0Gc0iaaWpi7Qw4p+Qt b2ww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=qShNyLDmN+8IdcHnMPIUGtk6Jx1xybC2q6g+/Fg38uw=; fh=nTGQUKMq/IjBQo3QnjQHiEoT0P9zc/7NhHvOIIWleS4=; b=iRfTPQ3n0CgP+QkRxbmOJhAjyGWG9plQsk1QDk6k6XKwCrLCG1GVEO9cnURTRMVp/z SC+hg1S2ZmZ1Nx/cyBbasEqJ0wDjhUTWMAmbQbN9Uhq9dLvFVSyPtPQEdT/hoVDXnlzR AM/tg4oBP2StGxkuCRxBpyaygP7OVI0/lIhOw6J51Yibwid7Fh0+2gx5ahT2J24EvFAT zHaGmYY/Q6vCmeIcSR4exPWuVgGiUM93IXzLWyYbUSlCZbYWBHkI4/W++/3N8fY+gk9q WgkSeQ7/w3ak+Tf7O7MHu/NTM0WxqzQbTP2duThoz7OdAGLTgzVytgVORpaZmcvnae6P nMWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=fUsUytfZ; spf=pass (google.com: domain of linux-wireless+bounces-774-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-774-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id x10-20020a05620a258a00b0077d6c50a665si14371277qko.214.2023.12.13.18.08.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 13 Dec 2023 18:08:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless+bounces-774-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=fUsUytfZ; spf=pass (google.com: domain of linux-wireless+bounces-774-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-774-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id EB3481C213DA for ; Thu, 14 Dec 2023 02:08:23 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E85CE7F9; Thu, 14 Dec 2023 02:08:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="fUsUytfZ" X-Original-To: linux-wireless@vger.kernel.org Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04D18D5 for ; Wed, 13 Dec 2023 18:08:17 -0800 (PST) Received: by mail-pj1-x1034.google.com with SMTP id 98e67ed59e1d1-28b0016d989so667099a91.1 for ; Wed, 13 Dec 2023 18:08:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1702519696; x=1703124496; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=qShNyLDmN+8IdcHnMPIUGtk6Jx1xybC2q6g+/Fg38uw=; b=fUsUytfZVHYe5jB/M99+nPVBP/ghSkIVtppT+4H8eKMpNIlK2s8QriEJyhrJXpDPdI Nv/nCYBzmvmChtZgCR5UqqxhRkC14yRk1tpX0FYuGSnfm+Q6HlYQOXkGtTU75wgzwjaD Yi+fUqx8OI/nm5rGNylSgR+iRO0i3bsAXdWLo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702519696; x=1703124496; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=qShNyLDmN+8IdcHnMPIUGtk6Jx1xybC2q6g+/Fg38uw=; b=Qha1qTAdoH81lNmwN6WpM1DVQgDTt7qgOY8Hapd+cIvemkqXfM8jMEyR/djbKVKaBi GiQCO55SKksEVEoJ/4PWoX6DYeGTr3NA5x8DEx+LiAcwIpM+czDRHjuQZpw4U3GqRQeb FELYvgXcDQESbx/rijVrvkopEOjtyJqiIbrqkU9E3u/L1fbVZOlf1VpUv/jTMMu9HsfK Zt8x6yWdxTrMUG0Mnfz3zcXHEX/RQ13hmRg8ytNddqir8GSw2bJRqy6ltxWlRhjYU035 nIH1oLAqbb7l/bLYhWD9UfA40J4iu5ORFA2z3UICWEBK1SrzWs4qddC9rWGZmFDk10K8 1ZlA== X-Gm-Message-State: AOJu0Yw6RzOTKY01Es8KrjWxjw1KesGxEuTGygFYZt2R0prbI/dS6hxh NTOgzqq5gOsVdpO/RSpCVo0N6Q== X-Received: by 2002:a05:6a20:ce83:b0:18f:c24e:7249 with SMTP id if3-20020a056a20ce8300b0018fc24e7249mr4358658pzb.90.1702519696466; Wed, 13 Dec 2023 18:08:16 -0800 (PST) Received: from localhost ([2620:15c:9d:2:17f:673b:ab18:3603]) by smtp.gmail.com with UTF8SMTPSA id s13-20020a170902ea0d00b001d1d27259cesm11188492plg.180.2023.12.13.18.08.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 13 Dec 2023 18:08:16 -0800 (PST) Date: Wed, 13 Dec 2023 18:08:14 -0800 From: Brian Norris To: David Lin Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, kvalo@kernel.org, francesco@dolcini.it, tsung-hsien.hsieh@nxp.com, stable@vger.kernel.org Subject: Re: [PATCH v2] wifi: mwifiex: fix STA cannot connect to AP Message-ID: References: <20231208234127.2251-1-yu-hao.lin@nxp.com> Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231208234127.2251-1-yu-hao.lin@nxp.com> Hi, Nitpick: "fix STA cannot connect to AP" isn't the best commit message; that could describe an enormous number of fixes. Maybe something more like "Configure BSSID consistently when starting AP"? On Sat, Dec 09, 2023 at 07:41:27AM +0800, David Lin wrote: > AP BSSID configuration is missing at AP start. > Without this fix, FW returns STA interface MAC address after first init. > When hostapd restarts, it gets MAC address from netdev before driver > sets STA MAC to netdev again. Now MAC address between hostapd and net > interface are different causes STA cannot connect to AP. > After that MAC address of uap0 mlan0 become the same. And issue > disappears after following hostapd restart (another issue is AP/STA MAC > address become the same). > This patch fixes the issue cleanly. > > Signed-off-by: David Lin > Fixes: 12190c5d80bd ("mwifiex: add cfg80211 start_ap and stop_ap handlers") > Cc: stable@vger.kernel.org > > --- > > v2: > - v1 was a not finished patch that was send to the LKML by mistake Looks fine to me: Acked-by: Brian Norris > drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 ++ > drivers/net/wireless/marvell/mwifiex/fw.h | 1 + > drivers/net/wireless/marvell/mwifiex/ioctl.h | 1 + > drivers/net/wireless/marvell/mwifiex/uap_cmd.c | 8 ++++++++ > 4 files changed, 12 insertions(+) > --- a/drivers/net/wireless/marvell/mwifiex/uap_cmd.c > +++ b/drivers/net/wireless/marvell/mwifiex/uap_cmd.c > @@ -487,6 +488,13 @@ mwifiex_uap_bss_param_prepare(u8 *tlv, void *cmd_buf, u16 *param_size) > int i; > u16 cmd_size = *param_size; > > + mac_tlv = (struct host_cmd_tlv_mac_addr *)tlv; Not directly related to this patch, but while you're expanding the size of this command buffer: it always felt like a security-hole-in-waiting that none of these command producers do any kinds of bounds checking. We're just "lucky" that these function only generate contents of ~100 bytes at max, while MWIFIEX_SIZE_OF_CMD_BUFFER=2048. But, just add a few more user-space controlled TLV params, and boom, we'll have ourselves a nice little CVE. It probably wouldn't hurt to significantly write much of this driver, but at a minimum, we could probably use a few checks like this: cmd_size += sizeof(struct host_cmd_tlv_mac_addr); if (cmd_size > MWIFIEX_SIZE_OF_CMD_BUFFER) return -1; // Only touch tlv *after* the bounds check. That doesn't need to block this patch, of course. Brian > + mac_tlv->header.type = cpu_to_le16(TLV_TYPE_UAP_MAC_ADDRESS); > + mac_tlv->header.len = cpu_to_le16(ETH_ALEN); > + memcpy(mac_tlv->mac_addr, bss_cfg->mac_addr, ETH_ALEN); > + cmd_size += sizeof(struct host_cmd_tlyyv_mac_addr); > + tlv += sizeof(struct host_cmd_tlv_mac_addr); > + > if (bss_cfg->ssid.ssid_len) { > ssid = (struct host_cmd_tlv_ssid *)tlv; > ssid->header.type = cpu_to_le16(TLV_TYPE_UAP_SSID); > > base-commit: 783004b6dbda2cfe9a552a4cc9c1d168a2068f6c > -- > 2.25.1 >