From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, linux-wireless@vger.kernel.org,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
Felix Fietkau <nbd@nbd.name>
Subject: [PATCH AUTOSEL 5.4 060/108] mt76: mt7603: fix input validation issues for powersave-filtered frames
Date: Sat, 11 Apr 2020 19:08:55 -0400 [thread overview]
Message-ID: <20200411230943.24951-60-sashal@kernel.org> (raw)
In-Reply-To: <20200411230943.24951-1-sashal@kernel.org>
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit d55aa5e17461b8b423adae376978032c4a10a1d8 ]
Before extracting the tid out of the packet, check if it was qos-data.
Only accept tid values 0-7
Also, avoid accepting the hardware queue as skb queue mapping, it could
lead to an overrun. Instead, derive the hardware queue from the tid number,
in order to avoid issues with packets being filtered multiple times.
This also fixes a mismatch between hardware and software queue indexes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/mediatek/mt76/mt7603/dma.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
index 24d82a20d046d..86820cf31bb34 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
@@ -30,6 +30,16 @@ mt7603_init_tx_queue(struct mt7603_dev *dev, struct mt76_sw_queue *q,
static void
mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
{
+ static const u8 tid_to_ac[8] = {
+ IEEE80211_AC_BE,
+ IEEE80211_AC_BK,
+ IEEE80211_AC_BK,
+ IEEE80211_AC_BE,
+ IEEE80211_AC_VI,
+ IEEE80211_AC_VI,
+ IEEE80211_AC_VO,
+ IEEE80211_AC_VO
+ };
__le32 *txd = (__le32 *)skb->data;
struct ieee80211_hdr *hdr;
struct ieee80211_sta *sta;
@@ -38,7 +48,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
void *priv;
int idx;
u32 val;
- u8 tid;
+ u8 tid = 0;
if (skb->len < MT_TXD_SIZE + sizeof(struct ieee80211_hdr))
goto free;
@@ -56,15 +66,16 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb)
priv = msta = container_of(wcid, struct mt7603_sta, wcid);
val = le32_to_cpu(txd[0]);
- skb_set_queue_mapping(skb, FIELD_GET(MT_TXD0_Q_IDX, val));
-
val &= ~(MT_TXD0_P_IDX | MT_TXD0_Q_IDX);
val |= FIELD_PREP(MT_TXD0_Q_IDX, MT_TX_HW_QUEUE_MGMT);
txd[0] = cpu_to_le32(val);
sta = container_of(priv, struct ieee80211_sta, drv_priv);
hdr = (struct ieee80211_hdr *)&skb->data[MT_TXD_SIZE];
- tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
+ if (ieee80211_is_data_qos(hdr->frame_control))
+ tid = *ieee80211_get_qos_ctl(hdr) &
+ IEEE80211_QOS_CTL_TAG1D_MASK;
+ skb_set_queue_mapping(skb, tid_to_ac[tid]);
ieee80211_sta_set_buffered(sta, tid, true);
spin_lock_bh(&dev->ps_lock);
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-04-11 23:18 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200411230943.24951-1-sashal@kernel.org>
2020-04-11 23:07 ` [PATCH AUTOSEL 5.4 003/108] net: axienet: Convert DMA error handler to a work queue Sasha Levin
2020-04-11 23:08 ` [PATCH AUTOSEL 5.4 006/108] mmc: sdhci-esdhc-imx: restore pin state when resume back Sasha Levin
2020-04-11 23:08 ` [PATCH AUTOSEL 5.4 042/108] drm/sun4i: dsi: Use NULL to signify "no panel" Sasha Levin
2020-04-11 23:08 ` [PATCH AUTOSEL 5.4 043/108] mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw Sasha Levin
2020-04-11 23:08 ` [PATCH AUTOSEL 5.4 051/108] drm/stm: ltdc: check crtc state before enabling LIE Sasha Levin
2020-04-11 23:08 ` [PATCH AUTOSEL 5.4 058/108] ASoC: mediatek: mt8183-da7219: pull TDM GPIO pins down when probed Sasha Levin
2020-04-11 23:08 ` Sasha Levin [this message]
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 076/108] net: axienet: Propagate failure of DMA descriptor setup Sasha Levin
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 085/108] ASoC: stm32: spdifrx: fix regmap status check Sasha Levin
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 090/108] dmaengine: stm32-dma: use reset controller only at probe time Sasha Levin
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 094/108] scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic Sasha Levin
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 095/108] ARM: shmobile: Enable ARM_GLOBAL_TIMER on Cortex-A9 MPCore SoCs Sasha Levin
2020-04-12 8:44 ` Geert Uytterhoeven
2020-04-17 17:18 ` Sasha Levin
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 098/108] arm64: dts: g12-common: add parkmode_disable_ss_quirk on DWC3 controller Sasha Levin
2020-04-11 23:09 ` [PATCH AUTOSEL 5.4 107/108] rtc: imx-sc: Align imx sc msg structs to 4 Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200411230943.24951-60-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nbd@nbd.name \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).