Message ID | 20250402175714.2667270-1-praneesh.p@oss.qualcomm.com |
---|---|
State | New |
Series | [ath-next] wifi: ath12k: Fix memory corruption during MLO multicast tx |

On Wed, 02 Apr 2025 23:27:14 +0530, P Praneesh wrote:
> The struct sk_buff's control buffer is shared by mac80211's struct
> ieee80211_tx_info and ath12k's struct ath12k_skb_cb. When the driver wants
> to transmit an skb, it caches all the mac80211-specific information from
> struct ieee80211_tx_info, then performs a memset on the control buffer
> before writing the ath12k-specific information using struct ath12k_skb_cb.
> However, during multicast tx, the key is being filled into the driver data,
> which overwrites some crucial members like link_id and flags in struct
> ath12k_skb_cb. This causes invalid information retrieval when the driver
> accesses these fields during ath12k_dp_tx(). Fix this issue by removing
> the key filling logic during MLO multicast tx, as it is not used anywhere
> in the tx path.
>
> [...]

Applied, thanks!

[1/1] wifi: ath12k: Fix memory corruption during MLO multicast tx
      commit: 6f8a27a584b23e9dedefd6cb110dd2587b84a6d4

Best regards,

diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c index f2fddf213afb..8aeba791dbc5 100644 --- a/drivers/net/wireless/ath/ath12k/mac.c +++ b/drivers/net/wireless/ath/ath12k/mac.c @@ -7467,7 +7467,6 @@ static void ath12k_mac_op_tx(struct ieee80211_hw *hw, info_flags); skb_cb = ATH12K_SKB_CB(msdu_copied); - info = IEEE80211_SKB_CB(msdu_copied); skb_cb->link_id = link_id; /* For open mode, skip peer find logic */ @@ -7490,7 +7489,6 @@ static void ath12k_mac_op_tx(struct ieee80211_hw *hw, if (key) { skb_cb->cipher = key->cipher; skb_cb->flags |= ATH12K_SKB_CIPHER_SET; - info->control.hw_key = key; hdr = (struct ieee80211_hdr *)msdu_copied->data; if (!ieee80211_has_protected(hdr->frame_control))
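
Review bot: In the first hunk (ath12k_mac_op_tx(), around line 7467), removing `info = IEEE80211_SKB_CB(msdu_copied);` means `info` keeps whatever value it was given earlier in the function, and the visible context does not show whether anything after this point still reads or writes through it. Please confirm that no remaining use of `info` in this path expects it to refer to msdu_copied, since any such use would now touch a different skb's control buffer than before.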
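
Review bot: In the second hunk, inside the `if (key)` block, nothing in the code records why the key must not be stored in the control buffer here, so the same write could easily be reintroduced later. Suggest a short comment next to `skb_cb->flags |= ATH12K_SKB_CIPHER_SET;` stating that the cb of msdu_copied already holds struct ath12k_skb_cb at this point and must not be written through struct ieee80211_tx_info.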

The struct sk_buff's control buffer is shared by mac80211's struct ieee80211_tx_info and ath12k's struct ath12k_skb_cb. When the driver wants to transmit an skb, it caches all the mac80211-specific information from struct ieee80211_tx_info, then performs a memset on the control buffer before writing the ath12k-specific information using struct ath12k_skb_cb. However, during multicast tx, the key is being filled into the driver data, which overwrites some crucial members like link_id and flags in struct ath12k_skb_cb. This causes invalid information retrieval when the driver accesses these fields during ath12k_dp_tx(). Fix this issue by removing the key filling logic during MLO multicast tx, as it is not used anywhere in the tx path.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3

Fixes: 2f50de725677 ("wifi: ath12k: Add support for MLO Multicast handling in driver")
Signed-off-by: P Praneesh <praneesh.p@oss.qualcomm.com>
---
 drivers/net/wireless/ath/ath12k/mac.c | 2 --
 1 file changed, 2 deletions(-)

base-commit: ba613742db305037ca2193b2b552b769c4f2a5f7
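
The control-buffer aliasing described in the commit message, as an added user-space illustration that is not part of the patch or of ath12k. The two `toy_*` structs are simplified stand-ins with assumed field offsets (pointers modelled as 64-bit integers), not the kernel's definitions, and the key value is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CB_SIZE 48 /* size of sk_buff.cb */

/* Simplified stand-ins with assumed layouts, NOT the kernel definitions. */
struct toy_tx_info {              /* role of struct ieee80211_tx_info */
    uint32_t flags, misc;
    struct { uint64_t vif, hw_key; } control; /* pointers modelled as u64 */
};
struct toy_skb_cb {               /* role of struct ath12k_skb_cb */
    uint64_t paddr, vif;
    uint32_t cipher;
    uint8_t flags, link_id;
};
_Static_assert(sizeof(struct toy_tx_info) <= CB_SIZE &&
               sizeof(struct toy_skb_cb) <= CB_SIZE, "both views must fit in cb");

/* Driver step from the commit message: memset the cb, then fill the driver view. */
static void fill_driver_cb(unsigned char *cb, uint8_t link_id)
{
    struct toy_skb_cb d = { .cipher = 4, .flags = 1, .link_id = link_id };
    memset(cb, 0, CB_SIZE);
    memcpy(cb, &d, sizeof(d));
}

/* The store the patch removes: a key pointer written through the mac80211 view. */
static void store_hw_key(unsigned char *cb, uint64_t key)
{
    memcpy(cb + offsetof(struct toy_tx_info, control.hw_key), &key, sizeof(key));
}

/* Returns 1 if the driver still reads back the link_id it wrote, else 0. */
int link_id_survives(int do_key_store)
{
    unsigned char cb[CB_SIZE];
    struct toy_skb_cb seen;
    fill_driver_cb(cb, 2);
    if (do_key_store)
        store_hw_key(cb, 0xffff888012345678ULL); /* constructed pointer value */
    memcpy(&seen, cb, sizeof(seen));
    return seen.link_id == 2;
}

int main(void)
{
    printf("link_id intact: %d (no store), %d (store)\n", link_id_survives(0), link_id_survives(1));
    return 0;
}
```

In this toy layout the 8-byte key store covers bytes 16 to 23 of the buffer, which is where the driver view keeps `cipher`, `flags` and `link_id`.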