| Message ID | 20230913050134.53536-1-nbd@nbd.name |
|---|---|
| State | New |
| Headers | show |
| Series | [wireless] wifi: mac80211: fix mesh id corruption on 32 bit systems | expand |
> -----Original Message----- > From: Felix Fietkau <nbd@nbd.name> > Sent: Wednesday, September 13, 2023 1:02 PM > To: linux-wireless@vger.kernel.org > Cc: johannes@sipsolutions.net; pagadala.yesu.anjaneyulu@intel.com; Thomas Hühn > <thomas.huehn@hs-nordhausen.de> > Subject: [PATCH wireless] wifi: mac80211: fix mesh id corruption on 32 bit systems > > Since the changed field size was increased to u64, mesh_bss_info_changed > pulls invalid bits from the first 3 bytes of the mesh id, clears them, and > passes them on to ieee80211_link_info_change_notify, because > ifmsh->mbss_changed was not updated to match its size. > Fix this by turning into ifmsh->mbss_changed into an unsigned long array with > 64 bit size. > > Fixes: 15ddba5f4311 ("wifi: mac80211: consistently use u64 for BSS changes") > Reported-by: Thomas Hühn <thomas.huehn@hs-nordhausen.de> > Signed-off-by: Felix Fietkau <nbd@nbd.name> > --- > net/mac80211/ieee80211_i.h | 2 +- > net/mac80211/mesh.c | 8 ++++---- > 2 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h > index b8465d205076..3c5dbf95685d 100644 > --- a/net/mac80211/ieee80211_i.h > +++ b/net/mac80211/ieee80211_i.h > @@ -682,7 +682,7 @@ struct ieee80211_if_mesh { > struct timer_list mesh_path_root_timer; > > unsigned long wrkq_flags; > - unsigned long mbss_changed; > + unsigned long mbss_changed[64 / BITS_PER_LONG]; mbss_changed is a bitmap, so DECLARE_BITMAP(mbss_changed, 64); > > bool userspace_handles_dfs; > > diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c > index 0d0fbae51b61..092a1dc7314d 100644 > --- a/net/mac80211/mesh.c > +++ b/net/mac80211/mesh.c > @@ -1175,7 +1175,7 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata, > > /* if we race with running work, worst case this work becomes a noop */ > for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE) > - set_bit(bit, &ifmsh->mbss_changed); > + set_bit(bit, ifmsh->mbss_changed); > set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags); > wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work); > } > @@ -1257,7 +1257,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) > > /* clear any mesh work (for next join) we may have accrued */ > ifmsh->wrkq_flags = 0; > - ifmsh->mbss_changed = 0; > + memset(ifmsh->mbss_changed, 0, sizeof(ifmsh->mbss_changed)); bitmap_zero(ifmsh->mbss_changed, 64); bitmap_zero() can choose just '=0' or memset(0) according to BITS_PER_LONG. > > local->fif_other_bss--; > atomic_dec(&local->iff_allmultis); > @@ -1722,9 +1722,9 @@ static void mesh_bss_info_changed(struct ieee80211_sub_if_data *sdata) > u32 bit; > u64 changed = 0; > > - for_each_set_bit(bit, &ifmsh->mbss_changed, > + for_each_set_bit(bit, ifmsh->mbss_changed, > sizeof(changed) * BITS_PER_BYTE) { > - clear_bit(bit, &ifmsh->mbss_changed); > + clear_bit(bit, ifmsh->mbss_changed); > changed |= BIT(bit); > } > > -- > 2.41.0
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index b8465d205076..3c5dbf95685d 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -682,7 +682,7 @@ struct ieee80211_if_mesh { struct timer_list mesh_path_root_timer; unsigned long wrkq_flags; - unsigned long mbss_changed; + unsigned long mbss_changed[64 / BITS_PER_LONG]; bool userspace_handles_dfs; diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index 0d0fbae51b61..092a1dc7314d 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -1175,7 +1175,7 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata, /* if we race with running work, worst case this work becomes a noop */ for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE) - set_bit(bit, &ifmsh->mbss_changed); + set_bit(bit, ifmsh->mbss_changed); set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags); wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work); } @@ -1257,7 +1257,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) /* clear any mesh work (for next join) we may have accrued */ ifmsh->wrkq_flags = 0; - ifmsh->mbss_changed = 0; + memset(ifmsh->mbss_changed, 0, sizeof(ifmsh->mbss_changed)); local->fif_other_bss--; atomic_dec(&local->iff_allmultis); @@ -1722,9 +1722,9 @@ static void mesh_bss_info_changed(struct ieee80211_sub_if_data *sdata) u32 bit; u64 changed = 0; - for_each_set_bit(bit, &ifmsh->mbss_changed, + for_each_set_bit(bit, ifmsh->mbss_changed, sizeof(changed) * BITS_PER_BYTE) { - clear_bit(bit, &ifmsh->mbss_changed); + clear_bit(bit, ifmsh->mbss_changed); changed |= BIT(bit); }
Since the changed field size was increased to u64, mesh_bss_info_changed pulls invalid bits from the first 3 bytes of the mesh id, clears them, and passes them on to ieee80211_link_info_change_notify, because ifmsh->mbss_changed was not updated to match its size. Fix this by turning into ifmsh->mbss_changed into an unsigned long array with 64 bit size. Fixes: 15ddba5f4311 ("wifi: mac80211: consistently use u64 for BSS changes") Reported-by: Thomas Hühn <thomas.huehn@hs-nordhausen.de> Signed-off-by: Felix Fietkau <nbd@nbd.name> --- net/mac80211/ieee80211_i.h | 2 +- net/mac80211/mesh.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-)