298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
d05fbef769
lede/package/kernel/mac80211/patches/rtl/005-rtw88-iterate-over-vif-sta-list-non-atomically.patch
1054009064 d05fbef769
mac80211: backport security fixes (#10324) 
* mac80211: backport security fixes

This mainly affects scanning and beacon parsing, especially with MBSSID enabled

Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)

* mac80211: refresh patches

355-wifi-cfg80211-fix-BSS-refcounting-bugs.patch - 5a52384a51

Co-authored-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: 1054009064 <1054009064@users.noreply.github.com>
2022-10-28 15:17:13 +08:00

178 lines
5.3 KiB
Diff
Raw Blame History

--- a/drivers/net/wireless/realtek/rtw88/phy.c
+++ b/drivers/net/wireless/realtek/rtw88/phy.c
@@ -240,7 +240,7 @@ static void rtw_phy_stat_rssi(struct rtw
data.rtwdev = rtwdev;
data.min_rssi = U8_MAX;
- rtw_iterate_stas_atomic(rtwdev, rtw_phy_stat_rssi_iter, &data);
+ rtw_iterate_stas(rtwdev, rtw_phy_stat_rssi_iter, &data);
dm_info->pre_min_rssi = dm_info->min_rssi;
dm_info->min_rssi = data.min_rssi;
@@ -484,7 +484,7 @@ static void rtw_phy_ra_info_update(struc
if (rtwdev->watch_dog_cnt & 0x3)
return;
- rtw_iterate_stas_atomic(rtwdev, rtw_phy_ra_info_update_iter, rtwdev);
+ rtw_iterate_stas(rtwdev, rtw_phy_ra_info_update_iter, rtwdev);
}
static u32 rtw_phy_get_rrsr_mask(struct rtw_dev *rtwdev, u8 rate_idx)
@@ -537,7 +537,7 @@ static void rtw_phy_rrsr_update(struct r
struct rtw_dm_info *dm_info = &rtwdev->dm_info;
dm_info->rrsr_mask_min = RRSR_RATE_ORDER_MAX;
- rtw_iterate_stas_atomic(rtwdev, rtw_phy_rrsr_mask_min_iter, rtwdev);
+ rtw_iterate_stas(rtwdev, rtw_phy_rrsr_mask_min_iter, rtwdev);
rtw_write32(rtwdev, REG_RRSR, dm_info->rrsr_val_init & dm_info->rrsr_mask_min);
}
--- a/drivers/net/wireless/realtek/rtw88/ps.c
+++ b/drivers/net/wireless/realtek/rtw88/ps.c
@@ -58,7 +58,7 @@ int rtw_leave_ips(struct rtw_dev *rtwdev
return ret;
}
- rtw_iterate_vifs_atomic(rtwdev, rtw_restore_port_cfg_iter, rtwdev);
+ rtw_iterate_vifs(rtwdev, rtw_restore_port_cfg_iter, rtwdev);
rtw_coex_ips_notify(rtwdev, COEX_IPS_LEAVE);
--- a/drivers/net/wireless/realtek/rtw88/util.c
+++ b/drivers/net/wireless/realtek/rtw88/util.c
@@ -105,3 +105,106 @@ void rtw_desc_to_mcsrate(u16 rate, u8 *m
*mcs = rate - DESC_RATEMCS0;
}
}
+
+struct rtw_stas_entry {
+ struct list_head list;
+ struct ieee80211_sta *sta;
+};
+
+struct rtw_iter_stas_data {
+ struct rtw_dev *rtwdev;
+ struct list_head list;
+};
+
+static void rtw_collect_sta_iter(void *data, struct ieee80211_sta *sta)
+{
+ struct rtw_iter_stas_data *iter_stas = data;
+ struct rtw_stas_entry *stas_entry;
+
+ stas_entry = kmalloc(sizeof(*stas_entry), GFP_ATOMIC);
+ if (!stas_entry)
+ return;
+
+ stas_entry->sta = sta;
+ list_add_tail(&stas_entry->list, &iter_stas->list);
+}
+
+void rtw_iterate_stas(struct rtw_dev *rtwdev,
+ void (*iterator)(void *data,
+ struct ieee80211_sta *sta),
+ void *data)
+{
+ struct rtw_iter_stas_data iter_data;
+ struct rtw_stas_entry *sta_entry, *tmp;
+
+ /* &rtwdev->mutex makes sure no stations can be removed between
+ * collecting the stations and iterating over them.
+ */
+ lockdep_assert_held(&rtwdev->mutex);
+
+ iter_data.rtwdev = rtwdev;
+ INIT_LIST_HEAD(&iter_data.list);
+
+ ieee80211_iterate_stations_atomic(rtwdev->hw, rtw_collect_sta_iter,
+ &iter_data);
+
+ list_for_each_entry_safe(sta_entry, tmp, &iter_data.list,
+ list) {
+ list_del_init(&sta_entry->list);
+ iterator(data, sta_entry->sta);
+ kfree(sta_entry);
+ }
+}
+
+struct rtw_vifs_entry {
+ struct list_head list;
+ struct ieee80211_vif *vif;
+ u8 mac[ETH_ALEN];
+};
+
+struct rtw_iter_vifs_data {
+ struct rtw_dev *rtwdev;
+ struct list_head list;
+};
+
+void rtw_collect_vif_iter(void *data, u8 *mac, struct ieee80211_vif *vif)
+{
+ struct rtw_iter_vifs_data *iter_stas = data;
+ struct rtw_vifs_entry *vifs_entry;
+
+ vifs_entry = kmalloc(sizeof(*vifs_entry), GFP_ATOMIC);
+ if (!vifs_entry)
+ return;
+
+ vifs_entry->vif = vif;
+ ether_addr_copy(vifs_entry->mac, mac);
+ list_add_tail(&vifs_entry->list, &iter_stas->list);
+}
+
+void rtw_iterate_vifs(struct rtw_dev *rtwdev,
+ void (*iterator)(void *data, u8 *mac,
+ struct ieee80211_vif *vif),
+ void *data)
+{
+ struct rtw_iter_vifs_data iter_data;
+ struct rtw_vifs_entry *vif_entry, *tmp;
+
+ /* &rtwdev->mutex makes sure no interfaces can be removed between
+ * collecting the interfaces and iterating over them.
+ */
+ lockdep_assert_held(&rtwdev->mutex);
+
+ iter_data.rtwdev = rtwdev;
+ INIT_LIST_HEAD(&iter_data.list);
+
+ ieee80211_iterate_active_interfaces_atomic(rtwdev->hw,
+ IEEE80211_IFACE_ITER_NORMAL,
+ rtw_collect_vif_iter, &iter_data);
+
+ list_for_each_entry_safe(vif_entry, tmp, &iter_data.list,
+ list) {
+ list_del_init(&vif_entry->list);
+ iterator(data, vif_entry->mac, vif_entry->vif);
+ kfree(vif_entry);
+ }
+}
--- a/drivers/net/wireless/realtek/rtw88/util.h
+++ b/drivers/net/wireless/realtek/rtw88/util.h
@@ -7,9 +7,6 @@
struct rtw_dev;
-#define rtw_iterate_vifs(rtwdev, iterator, data) \
- ieee80211_iterate_active_interfaces(rtwdev->hw, \
- IEEE80211_IFACE_ITER_NORMAL, iterator, data)
#define rtw_iterate_vifs_atomic(rtwdev, iterator, data) \
ieee80211_iterate_active_interfaces_atomic(rtwdev->hw, \
IEEE80211_IFACE_ITER_NORMAL, iterator, data)
@@ -20,6 +17,15 @@ struct rtw_dev;
#define rtw_iterate_keys_rcu(rtwdev, vif, iterator, data) \
ieee80211_iter_keys_rcu((rtwdev)->hw, vif, iterator, data)
+void rtw_iterate_vifs(struct rtw_dev *rtwdev,
+ void (*iterator)(void *data, u8 *mac,
+ struct ieee80211_vif *vif),
+ void *data);
+void rtw_iterate_stas(struct rtw_dev *rtwdev,
+ void (*iterator)(void *data,
+ struct ieee80211_sta *sta),
+ void *data);
+
static inline u8 *get_hdr_bssid(struct ieee80211_hdr *hdr)
{
__le16 fc = hdr->frame_control;
Reference in New Issue View Git Blame Copy Permalink