From: Felix Fietkau <nbd@openwrt.org>
To: linux-wireless <linux-wireless@vger.kernel.org>
Cc: Johannes Berg <johannes@sipsolutions.net>,
"John W. Linville" <linville@tuxdriver.com>
Subject: mac80211: fix queue selection for data frames on monitor interfaces
Date: Mon, 11 Jan 2010 06:47:00 +0100 [thread overview]
Message-ID: <4B4ABB54.7030600@openwrt.org> (raw)
When ieee80211_monitor_select_queue encounters data frames, it selects
the WMM AC based on skb->priority and assumes that skb->priority
contains a valid 802.1d tag. However this assumption is incorrect, since
ieee80211_select_queue has not been called at this point.
If skb->priority > 7, an array overrun occurs, which could lead to
invalid values, resulting in crashes in the tx path.
Fix this by setting skb->priority based on the 802.11 header for QoS
frames and using the default AC for all non-QoS frames.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
---
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -685,6 +685,7 @@ static u16 ieee80211_monitor_select_queu
struct ieee80211_local *local = sdata->local;
struct ieee80211_hdr *hdr;
struct ieee80211_radiotap_header *rtap = (void *)skb->data;
+ u8 *p;
if (local->hw.queues < 4)
return 0;
@@ -695,11 +696,14 @@ static u16 ieee80211_monitor_select_queu
hdr = (void *)((u8 *)skb->data + le16_to_cpu(rtap->it_len));
- if (!ieee80211_is_data(hdr->frame_control)) {
+ if (!ieee80211_is_data_qos(hdr->frame_control)) {
skb->priority = 7;
return ieee802_1d_to_ac[skb->priority];
}
+ p = ieee80211_get_qos_ctl(hdr);
+ skb->priority = *p & IEEE80211_QOS_CTL_TAG1D_MASK;
+
return ieee80211_downgrade_queue(local, skb);
}
next reply other threads:[~2010-01-11 5:47 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-11 5:47 Felix Fietkau [this message]
2010-01-11 16:03 ` mac80211: fix queue selection for data frames on monitor interfaces Luis R. Rodriguez
2010-01-12 3:02 ` Felix Fietkau
2010-01-12 9:37 ` Lennert Buytenhek
2010-01-12 11:51 ` Felix Fietkau
2010-01-12 16:51 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B4ABB54.7030600@openwrt.org \
--to=nbd@openwrt.org \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.