From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
To: johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org,
	Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Subject: [PATCH 01/11] wifi: iwlwifi: mvm: fix a crash when we run out of stations
Date: Tue,  6 Feb 2024 18:02:04 +0200
Message-ID: <20240206175739.1f76c44b2486.I6a00955e2842f15f0a089db2f834adb9d10fbe35@changeid>
In-Reply-To: <20240206160214.3260547-1-miriam.rachel.korenblit@intel.com>

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

A DoS tool that injects loads of authentication frames made our AP
crash. The iwl_mvm_is_dup() function couldn't find the per-queue
dup_data which was not allocated.

The root cause for that is that we ran out of stations in the firmware
and we didn't really add the station to the firmware, yet we didn't
return an error to mac80211.
Mac80211 was thinking that we have the station and because of that,
sta_info::uploaded was set to 1. This allowed
ieee80211_find_sta_by_ifaddr() to return a valid station object, but
that ieee80211_sta didn't have any iwl_mvm_sta object initialized and
that caused the crash mentioned earlier when we got Rx on that station.

Fixes: 57974a55d995 ("wifi: iwlwifi: mvm: refactor iwl_mvm_mac_sta_state_common()")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 3 +++
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c     | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 9c8eea883212..4fe50036bfde 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -3697,6 +3697,9 @@ iwl_mvm_sta_state_notexist_to_none(struct iwl_mvm *mvm,
 					   NL80211_TDLS_SETUP);
 	}
 
+	if (ret)
+		return ret;
+
 	for_each_sta_active_link(vif, sta, link_sta, i)
 		link_sta->agg.max_rc_amsdu_len = 1;
 
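Review bot: The new "if (ret) return ret;" sits after the block that closes just above it (the one ending with the NL80211_TDLS_SETUP argument), so the error is tested at a distance from the call that assigned ret, and that call is not visible in this hunk. Consider placing the check directly after that call, or adding a short comment naming it, so the reader can see that the failure being propagated to mac80211 is the "out of stations in the firmware" case from the commit message. It is also worth confirming that nothing done between the assignment and this return needs unwinding on the error path; the hunk alone does not show that.
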
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index b7639e429889..1484eaedf452 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -512,6 +512,10 @@ static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
 		return false;
 
 	mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+
+	if (WARN_ON_ONCE(!mvm_sta->dup_data))
+		return false;
+
 	dup_data = &mvm_sta->dup_data[queue];
 
 	/*
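
Review bot: In iwl_mvm_is_dup(), the new "if (WARN_ON_ONCE(!mvm_sta->dup_data)) return false;" reports the frame as not a duplicate, so a frame for a station whose driver state was never set up continues through the rest of the Rx path. The commit message says the whole iwl_mvm_sta object was uninitialized in that situation, not only dup_data, so please add a comment stating that this is a defensive check for a state the mac80211.c change should make unreachable, and say why passing the frame on is safe rather than dropping it. Since the condition was originally reached through injected authentication frames, note also that a WARN on this path is still fatal on systems booted with panic_on_warn, which matters if any other way of reaching it remains.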
-- 
2.34.1

