tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wifi: cfg80211: clear link ID from bitmap during link delete after clean up

Browse Source 
BugLink: https://bugs.launchpad.net/bugs/2106632

[ Upstream commit b5c32ff6a3a38c74facdd1fe34c0d709a55527fd ]

Currently, during link deletion, the link ID is first removed from the
valid_links bitmap before performing any clean-up operations. However, some
functions require the link ID to remain in the valid_links bitmap. One
such example is cfg80211_cac_event(). The flow is -

nl80211_remove_link()
    cfg80211_remove_link()
        ieee80211_del_intf_link()
            ieee80211_vif_set_links()
                ieee80211_vif_update_links()
                    ieee80211_link_stop()
                        cfg80211_cac_event()

cfg80211_cac_event() requires link ID to be present but it is cleared
already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.

Therefore, clear the link ID from the bitmap only after completing the link
clean-up.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
CVE-2024-57898
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>
Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>
This commit is contained in:
Aditya Kumar Singh
2024-11-21 09:45:30 +05:30
committed by Mehmet Basaran
parent fd4c526c56
commit 29e9fb682e
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/mac80211/cfg.c
+7 -1
View File
@@ -4846,10 +4846,16 @@ static void ieee80211_del_intf_link(struct wiphy *wiphy,
unsigned int link_id)
{
struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
u16 new_links = wdev->valid_links & ~BIT(link_id);
lockdep_assert_wiphy(sdata->local->hw.wiphy);
ieee80211_vif_set_links(sdata, wdev->valid_links, 0);
/* During the link teardown process, certain functions require the
* link_id to remain in the valid_links bitmap. Therefore, instead
* of removing the link_id from the bitmap, pass a masked value to
* simulate as if link_id does not exist anymore.
*/
ieee80211_vif_set_links(sdata, new_links, 0);
}
static int sta_add_link_station(struct ieee80211_local *local,
net/wireless/util.c
+1 -2
View File
@@ -2748,10 +2748,9 @@ void cfg80211_remove_link(struct wireless_dev *wdev, unsigned int link_id)
break;
}
wdev->valid_links &= ~BIT(link_id);
rdev_del_intf_link(rdev, wdev, link_id);
wdev->valid_links &= ~BIT(link_id);
eth_zero_addr(wdev->links[link_id].addr);
}