Message-ID: <20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com>
Date: Thu, 21 Nov 2024 09:45:30 +0530
From: Aditya Kumar Singh <quic_adisi@...cinc.com>
To: Johannes Berg <johannes@...solutions.net>
CC: Aditya Kumar Singh <quic_adisi@...cinc.com>,
        <linux-wireless@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH v2] wifi: cfg80211: clear link ID from bitmap during link
 delete after clean up

Currently, during link deletion, the link ID is first removed from the
valid_links bitmap before performing any clean-up operations. However, some
functions require the link ID to remain in the valid_links bitmap. One
such example is cfg80211_cac_event(). The flow is -

nl80211_remove_link()
    cfg80211_remove_link()
        ieee80211_del_intf_link()
            ieee80211_vif_set_links()
                ieee80211_vif_update_links()
                    ieee80211_link_stop()
                        cfg80211_cac_event()

cfg80211_cac_event() requires link ID to be present but it is cleared
already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.

Therefore, clear the link ID from the bitmap only after completing the link
clean-up.

Signed-off-by: Aditya Kumar Singh <quic_adisi@...cinc.com>
---
Changes in v2:
- Handled link ID removal properly instead of removing the WARN_ON()
- Renamed subject accordingly.
- Link to v1: https://lore.kernel.org/r/20241113-mlo_dfs_fix-v1-1-e4326736347b@quicinc.com
---
 net/mac80211/cfg.c  | 8 +++++++-
 net/wireless/util.c | 3 +--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 61a824ec33da356a9d2c4c99a5507b340bbf909e..53dc76bde158b8ada4a504c793246b856c52c83a 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -5046,10 +5046,16 @@ static void ieee80211_del_intf_link(struct wiphy *wiphy,
 				    unsigned int link_id)
 {
 	struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+	u16 new_links = wdev->valid_links & ~BIT(link_id);
 
 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
 
-	ieee80211_vif_set_links(sdata, wdev->valid_links, 0);
+	/* During the link teardown process, certain functions require the
+	 * link_id to remain in the valid_links bitmap. Therefore, instead
+	 * of removing the link_id from the bitmap, pass a masked value to
+	 * simulate as if link_id does not exist anymore.
+	 */
+	ieee80211_vif_set_links(sdata, new_links, 0);
 }
 
 static int
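Review bot: new_links is read from wdev->valid_links in the declaration, before lockdep_assert_wiphy() runs, so the read comes ahead of the lock assertion that is meant to cover it. Consider declaring "u16 new_links;" and assigning it after the assertion. The new comment also says only that "certain functions" need the link_id in the bitmap; naming cfg80211_cac_event(), as the commit message does, would tell a later reader which path depends on this. This callback now relies on cfg80211_remove_link() leaving the bit set until it returns, and that ordering dependency is worth stating in the comment as well.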
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 040d62051eb96ea52ba301f0767d2e4e4ba51e0b..65c8e47246b7c3889e9c2faf0c0b508c426ee513 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -2843,10 +2843,9 @@ void cfg80211_remove_link(struct wireless_dev *wdev, unsigned int link_id)
 		break;
 	}
 
-	wdev->valid_links &= ~BIT(link_id);
-
 	rdev_del_intf_link(rdev, wdev, link_id);
 
+	wdev->valid_links &= ~BIT(link_id);
 	eth_zero_addr(wdev->links[link_id].addr);
 }
 
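Review bot: moving "wdev->valid_links &= ~BIT(link_id);" below rdev_del_intf_link() changes what every driver behind that op sees, not only mac80211: the callback now runs with the bit for the link being deleted still set in wdev->valid_links. The mac80211 side is adjusted in this patch, but any other del_intf_link implementation that reads wdev->valid_links expecting the link to be gone already would behave differently. Please confirm no such user exists, and document the new ordering (bit cleared only after the driver callback returns) in a comment here or in the op's kerneldoc. The blank line that used to separate the bitmap update from the surrounding calls was also dropped; keeping one before eth_zero_addr() would keep the teardown steps visually distinct.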

---
base-commit: dfc14664794a4706e0c2186a0c082386e6b14c4d
change-id: 20241113-mlo_dfs_fix-1123060109bc

