Received: by 2002:ab2:f03:0:b0:1ef:ffd0:ce49 with SMTP id i3csp54011lqf;
        Tue, 26 Mar 2024 14:10:27 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUSvuFhgDQhn9cqzKlfVs3NNvpZYAD4bOAm0sal00YqLHR+8U/SPFdOwmk8ekGCGB6cv+6X40ca49lJzVRUXl2uoFhlrr4w0tqcLFl/Qg==
X-Google-Smtp-Source: AGHT+IE/ZLKnjNS2gAB7pD7B2xkP00K3cLDqKjtgEDA3a6Z6nQegI7l2CYIGmK6pbGpAvBNNfXsv
X-Received: by 2002:a05:6808:1406:b0:3c3:9c9e:7c40 with SMTP id w6-20020a056808140600b003c39c9e7c40mr14235401oiv.40.1711487424724;
        Tue, 26 Mar 2024 14:10:24 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1711487424; cv=pass;
        d=google.com; s=arc-20160816;
        b=LhXvzs6Jh/8Wst/WH4HDg6yLiejWK/SYZHvQgo/Mw8V9gPygsSLQ+4BKc3BYGJ4ETi
         759hn0RVfoH0kHSpIEM8hY4wnjqxkJYPQFgrtFzjiCRhLkKm3mdZVFu5AXTUBykxgSBR
         +M15Oyeh+j3ALME276riPS5az7FoPGSDF8dnQho1739mZwjW5Zs7QyCM1DlXr0EPycva
         AS2nnVHEu6Od5JCW174635+TYq5e6XJddvckilacfblbeD7APb9bPmoOVBM9HV7fy6Rb
         7eUQOA1juE6OScXDP0dmeNii/+gL69qkA5yLE8ESVl4SFWocCouHzbgxlfoklm43Z8hG
         fvVw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=5o6LTM7XxUESe3lado7aQqRZFHulJVbiuBATwbzqBPc=;
        fh=VnGABc7cqzdejZylNUlQJCv7z0+zOa1T1ZFr1/Lonm0=;
        b=F6l44cPznvZeYPLVB0cYy2aptbuhHLqnVwHQp/aH8uXM0DltBhpqX1PjPuklbnf9hD
         31TxdRHUDdQTKrkd8PGkrXyCn9JI7/bEPOpI6hWpsgwpV/Qhc4pF9i+wVegffUAO6ti5
         i/AC7evBjXtIIHvE1v7Co4m1Own93CcgDU9/Y8wHaZwyTH+H+1mF7Q6IHjPyLLuUGbit
         5Fghq2MP3WLPXwkzEqlC6c4Q9RNsUBJk3GjYSfXUDRAyHG9VTplUtwX+p1Xh3i6B0+YK
         SJQTK1WwhRHQkdQeWePKHJ47fA66bBj6DzmHrK09T87K+0ViJngFpQNbwOHdFH2Fcknb
         A0hA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@sipsolutions.net header.s=mail header.b=TFL+baXq;
       arc=pass (i=1 spf=pass spfdomain=sipsolutions.net dkim=pass dkdomain=sipsolutions.net dmarc=pass fromdomain=sipsolutions.net);
       spf=pass (google.com: domain of linux-wireless+bounces-5304-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-5304-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net
Return-Path: <linux-wireless+bounces-5304-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id f24-20020a05620a12f800b00789e44058c3si8617620qkl.584.2024.03.26.14.10.24
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 26 Mar 2024 14:10:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless+bounces-5304-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@sipsolutions.net header.s=mail header.b=TFL+baXq;
       arc=pass (i=1 spf=pass spfdomain=sipsolutions.net dkim=pass dkdomain=sipsolutions.net dmarc=pass fromdomain=sipsolutions.net);
       spf=pass (google.com: domain of linux-wireless+bounces-5304-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-wireless+bounces-5304-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=sipsolutions.net
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 63F541C37C5C
	for <linux.lists.archive@gmail.com>; Tue, 26 Mar 2024 21:10:24 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 6669813D88A;
	Tue, 26 Mar 2024 21:09:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=sipsolutions.net header.i=@sipsolutions.net header.b="TFL+baXq"
X-Original-To: linux-wireless@vger.kernel.org
Received: from sipsolutions.net (s3.sipsolutions.net [168.119.38.16])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C61C13D88C
	for <linux-wireless@vger.kernel.org>; Tue, 26 Mar 2024 21:09:00 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.38.16
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1711487343; cv=none; b=mcyfldRFrXEGC4mKTo6SQs4jrqS9CODQM8XwqW713WoBaQAsEM8pLwiwOCj6S9uvCVeYpEs1zAmsJiTmfwXk+lv7eQYRg6v4yYVqZtx7rZgaYLfooxhM3/k89x2orwY3boB3xd0NkIjFlglLbXegABt9WEazgoqtq9vwUIClLoU=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1711487343; c=relaxed/simple;
	bh=SlXy3K2Nrs3kYm54mEXHmcs1t7hV5vu7l+8W77jJ4Ok=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=amwOU6/+dUEKxOPucc2u7/1Agnwgjp5kfWHaYKlXspL4CAU+xl274D8Y+U1RdEU/V1e7VXa9dxeBS0V7BmFv39SpZZuvUs9agwBPv3mOF22ATCsDIu28qpJiL7vQlHoi5zck10o+OXlg2Hss5qR3+TDPO1+GbdEwuuMJ65FMZR8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=sipsolutions.net; spf=pass smtp.mailfrom=sipsolutions.net; dkim=pass (2048-bit key) header.d=sipsolutions.net header.i=@sipsolutions.net header.b=TFL+baXq; arc=none smtp.client-ip=168.119.38.16
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=sipsolutions.net
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=sipsolutions.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=sipsolutions.net; s=mail; h=Content-Transfer-Encoding:MIME-Version:
	Message-ID:Date:Subject:Cc:To:From:Content-Type:Sender:Reply-To:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-To:Resent-Cc:
	Resent-Message-ID:In-Reply-To:References;
	bh=5o6LTM7XxUESe3lado7aQqRZFHulJVbiuBATwbzqBPc=; t=1711487341; x=1712696941; 
	b=TFL+baXqfjhp4ZObc2vTHZpBRn7PAKc8jFYL+NDasXFX4NBMcEbQNg+QdK4YLYTTspBrblBHfWJ
	V8go2OaUGyXex67noIoYO5MwjLwhMaO5CQZEUmkbOG1m9WqiPiQxqr8EoRbaY23Vdrjc//wq+WZN3
	zl0ZDjd6CBZU0icM3hhSYCOWbySe029cccA9GQeIwpZLXCQC8ufHSmYgA8omRCYMoquEjZ4DAXj4n
	gcHw31HS+8dyruSzBE5lTW9+3ug/sJFAJ7N35D2MA8g0jiuMN2YKJCsDE0JHVSy2edG9BS1lPVHk0
	5alPFQtrZMNjjt741PqmkiQ4CgV74coBid9g==;
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.97)
	(envelope-from <johannes@sipsolutions.net>)
	id 1rpE2T-0000000FzQI-16GC;
	Tue, 26 Mar 2024 22:08:57 +0100
From: Johannes Berg <johannes@sipsolutions.net>
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>,
	syzbot+fdc5123366fb9c3fdc6d@syzkaller.appspotmail.com,
	Dmitry Antipov <dmantipov@yandex.ru>
Subject: [PATCH] wifi: mac80211: don't use rate mask for scanning
Date: Tue, 26 Mar 2024 22:08:54 +0100
Message-ID: <20240326220854.9594cbb418ca.I7f86c0ba1f98cf7e27c2bacf6c2d417200ecea5c@changeid>
X-Mailer: git-send-email 2.44.0
Precedence: bulk
X-Mailing-List: linux-wireless@vger.kernel.org
List-Id: <linux-wireless.vger.kernel.org>
List-Subscribe: <mailto:linux-wireless+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-wireless+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Johannes Berg <johannes.berg@intel.com>

The rate mask is intended for use during operation, and
can be set to only have masks for the currently active
band. As such, it cannot be used for scanning which can
be on other bands as well.

Simply ignore the rate masks during scanning to avoid
warnings from incorrect settings.

Reported-by: syzbot+fdc5123366fb9c3fdc6d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fdc5123366fb9c3fdc6d
Co-developed-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 include/net/mac80211.h |  3 +++
 net/mac80211/rate.c    |  6 +++++-
 net/mac80211/scan.c    |  1 +
 net/mac80211/tx.c      | 13 +++++++++----
 4 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 353488ab94a2..2d7f87bc5324 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -953,6 +953,8 @@ enum mac80211_tx_info_flags {
  *	of their QoS TID or other priority field values.
  * @IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX: first MLO TX, used mostly internally
  *	for sequence number assignment
+ * @IEEE80211_TX_CTRL_SCAN_TX: Indicates that this frame is transmitted
+ *	due to scanning, not in normal operation on the interface.
  * @IEEE80211_TX_CTRL_MLO_LINK: If not @IEEE80211_LINK_UNSPECIFIED, this
  *	frame should be transmitted on the specific link. This really is
  *	only relevant for frames that do not have data present, and is
@@ -973,6 +975,7 @@ enum mac80211_tx_control_flags {
 	IEEE80211_TX_CTRL_NO_SEQNO		= BIT(7),
 	IEEE80211_TX_CTRL_DONT_REORDER		= BIT(8),
 	IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX	= BIT(9),
+	IEEE80211_TX_CTRL_SCAN_TX		= BIT(10),
 	IEEE80211_TX_CTRL_MLO_LINK		= 0xf0000000,
 };
 
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 23404b275457..4dc1def69548 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -877,6 +877,7 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif,
 	struct ieee80211_sub_if_data *sdata;
 	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 	struct ieee80211_supported_band *sband;
+	u32 mask = ~0;
 
 	rate_control_fill_sta_table(sta, info, dest, max_rates);
 
@@ -889,9 +890,12 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif,
 	if (ieee80211_is_tx_data(skb))
 		rate_control_apply_mask(sdata, sta, sband, dest, max_rates);
 
+	if (!(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX))
+		mask = sdata->rc_rateidx_mask[info->band];
+
 	if (dest[0].idx < 0)
 		__rate_control_send_low(&sdata->local->hw, sband, sta, info,
-					sdata->rc_rateidx_mask[info->band]);
+					mask);
 
 	if (sta)
 		rate_fixup_ratelist(vif, sband, info, dest, max_rates);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 0429e59ba387..73850312580f 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -648,6 +648,7 @@ static void ieee80211_send_scan_probe_req(struct ieee80211_sub_if_data *sdata,
 				cpu_to_le16(IEEE80211_SN_TO_SEQ(sn));
 		}
 		IEEE80211_SKB_CB(skb)->flags |= tx_flags;
+		IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_SCAN_TX;
 		ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band);
 	}
 }
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 6bf223e6cd1a..cfd0a62d0152 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -698,11 +698,16 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx)
 	txrc.bss_conf = &tx->sdata->vif.bss_conf;
 	txrc.skb = tx->skb;
 	txrc.reported_rate.idx = -1;
-	txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band];
 
-	if (tx->sdata->rc_has_mcs_mask[info->band])
-		txrc.rate_idx_mcs_mask =
-			tx->sdata->rc_rateidx_mcs_mask[info->band];
+	if (unlikely(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) {
+		txrc.rate_idx_mask = ~0;
+	} else {
+		txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band];
+
+		if (tx->sdata->rc_has_mcs_mask[info->band])
+			txrc.rate_idx_mcs_mask =
+				tx->sdata->rc_rateidx_mcs_mask[info->band];
+	}
 
 	txrc.bss = (tx->sdata->vif.type == NL80211_IFTYPE_AP ||
 		    tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
-- 
2.44.0