[PATCH 0/1] Fix potential HE IE bug and some other questions

[PATCH 0/1] Fix potential HE IE bug and some other questions

[James Prestwood]

I believe there is a bug when building the probe request IEs for the
HE capabilities. More info in the patch. While looking at this I
noticed some other confusing code related to building the probe
request.

Looking at ieee80211_build_preq_ies. It is passed 'bands_used' which
is a bitmask of bands. A probe request is only sent out on a single
band so why would this contain multiple bands? We then loop over these
bands and call ieee80211_build_preq_ies_band for each one.
This, AFAICT, would append the same IEs multiple times if 'bands_used'
contained more than one band. Internal to mac80211/util.c its only
passed BIT(chan->band), but mac80211/scan.c seems to pass a list...

Below is the warning I am seeing (many, many times). It says the warning
is in build_preq_ies, but it really seems like this is not correct
and its actually in ieee80211_get_he_6ghz_capa since I see no warning
message as others _should_ have.

[  732.130000] ------------[ cut here ]------------
[  732.130000] WARNING: CPU: 0 PID: 1352 at include/net/cfg80211.h:608 ieee80211_build_preq_ies+0x766/0x84d
[  732.130000] Modules linked in:
[  732.130000] CPU: 0 PID: 1352 Comm: kworker/u2:0 Tainted: G        W         5.19.0 #1
[  732.130000] Workqueue: rad6 ieee80211_scan_work
[  732.130000] Stack:
[  732.130000]  605d0943 60256c96 60035421 00000001
[  732.130000]  6052cddd 60450efa 61f3d5d9 60454c00
[  732.130000]  00000000 00000000 00000009 6003e77d
[  732.130000] Call Trace:
[  732.130000]  [<60256c96>] ? dump_stack_print_info+0xe1/0xef
[  732.130000]  [<60035421>] ? um_set_signals+0x0/0x3c
[  732.130000]  [<60450efa>] ? _printk+0x0/0x9f
[  732.130000]  [<60454c00>] ? dump_stack_lvl+0x47/0x52
[  732.130000]  [<6003e77d>] ? __warn+0xf2/0x123
[  732.130000]  [<60035449>] ? um_set_signals+0x28/0x3c
[  732.130000]  [<604501bb>] ? warn_slowpath_fmt+0xd6/0xe2
[  732.130000]  [<6042830f>] ? ieee80211_prepare_and_rx_handle+0xbf4/0xc22
[  732.130000]  [<604500e5>] ? warn_slowpath_fmt+0x0/0xe2
[  732.130000]  [<603d3bc5>] ? ieee80211_ie_split_ric+0xe4/0xfe
[  732.130000]  [<60035421>] ? um_set_signals+0x0/0x3c
[  732.130000]  [<604341ac>] ? ieee80211_vif_type_p2p+0x0/0x26
[  732.130000]  [<6043aeb5>] ? ieee80211_build_preq_ies+0x766/0x84d
[  732.130000]  [<60035377>] ? unblock_signals+0x36/0xe0
[  732.130000]  [<60429f6c>] ? skb_put_zero+0x2c/0x34
[  732.130000]  [<60429f40>] ? skb_put_zero+0x0/0x34
[  732.130000]  [<6043b095>] ? ieee80211_build_probe_req+0xf9/0x161
[  732.130000]  [<6040c2ed>] ? ieee80211_scan_state_send_probe+0xaf/0x14c
[  732.130000]  [<60051181>] ? queue_delayed_work_on+0x67/0x72
[  732.130000]  [<6040d1b0>] ? ieee80211_scan_work+0x40b/0x503
[  732.130000]  [<6040cda5>] ? ieee80211_scan_work+0x0/0x503
[  732.130000]  [<600529de>] ? process_one_work+0x1b0/0x2b1
[  732.130000]  [<6004f829>] ? move_linked_works+0x0/0x57
[  732.130000]  [<60053086>] ? worker_thread+0x270/0x39b
[  732.130000]  [<6004f909>] ? set_pf_worker+0x0/0x5f
[  732.130000]  [<60057231>] ? arch_local_irq_save+0x0/0x26
[  732.130000]  [<60035449>] ? um_set_signals+0x28/0x3c
[  732.130000]  [<60052e16>] ? worker_thread+0x0/0x39b
[  732.130000]  [<600588ef>] ? kthread_exit+0x0/0x37
[  732.130000]  [<60052e16>] ? worker_thread+0x0/0x39b
[  732.130000]  [<60058a6d>] ? kthread+0x11f/0x124
[  732.130000]  [<60035377>] ? unblock_signals+0x36/0xe0
[  732.130000]  [<60021f95>] ? new_thread_handler+0x86/0xbb
[  732.130000] ---[ end trace 0000000000000000 ]---
[  732.210000] ------------[ cut here ]------------


James Prestwood (1):
  wifi: mac80211: fix probe req HE capabilities access

 net/mac80211/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.34.3

[PATCH 1/1] wifi: mac80211: fix probe req HE capabilities access

[James Prestwood]

When building the probe request IEs HE support is checked for
the 6GHz band (wiphy->bands[NL80211_BAND_6GHZ]). If supported
the HE capability IE should be included according to the spec.
The problem is the 16-bit capability is obtained from the
band object (sband) that was passed in, not the 6GHz band
object (sband6). If the sband object doesn't support HE it will
result in a warning.

Fixes: 7d29bc50b30e ("mac80211: always include HE 6GHz capability in probe request")
Signed-off-by: James Prestwood <prestwoj@gmail.com>
---
 net/mac80211/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 0ea5d50091dc..be69cddaf139 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2046,7 +2046,7 @@ static int ieee80211_build_preq_ies_band(struct ieee80211_sub_if_data *sdata,
 		if (he_cap) {
 			enum nl80211_iftype iftype =
 				ieee80211_vif_type_p2p(&sdata->vif);
-			__le16 cap = ieee80211_get_he_6ghz_capa(sband, iftype);
+			__le16 cap = ieee80211_get_he_6ghz_capa(sband6, iftype);
 
 			pos = ieee80211_write_he_6ghz_cap(pos, cap, end);
 		}
-- 
2.34.3

Re: [PATCH 0/1] Fix potential HE IE bug and some other questions

[Johannes Berg]

On Wed, 2022-09-28 at 15:49 -0700, James Prestwood wrote:
> I believe there is a bug when building the probe request IEs for the
> HE capabilities. More info in the patch.
> 

That fix seems right.

> While looking at this I
> noticed some other confusing code related to building the probe
> request.
> 
> Looking at ieee80211_build_preq_ies. It is passed 'bands_used' which
> is a bitmask of bands. A probe request is only sent out on a single
> band so why would this contain multiple bands? 
> 

The function can be used to prepare a HW scan request, which can contain
the elements for all bands that the HW is being asked to scan on.

> We then loop over these
> bands and call ieee80211_build_preq_ies_band for each one.

Correct, and ie_desc->ies[band]/len[band] gets the pointer/size for each
band.

> This, AFAICT, would append the same IEs multiple times if 'bands_used'
> contained more than one band.
> 

Correct.

> Internal to mac80211/util.c its only
> passed BIT(chan->band), but mac80211/scan.c seems to pass a list...

Right, that's because "internal" is ieee80211_build_probe_req(), which
builds only a single probe request, while the other code is for HW scan.

> Below is the warning I am seeing (many, many times). It says the warning
> is in build_preq_ies, but it really seems like this is not correct
> and its actually in ieee80211_get_he_6ghz_capa since I see no warning
> message as others _should_ have.
> 
> [  732.130000] ------------[ cut here ]------------
> [  732.130000] WARNING: CPU: 0 PID: 1352 at include/net/cfg80211.h:608 ieee80211_build_preq_ies+0x766/0x84d

The line number is in ieee80211_get_he_6ghz_capa() but that's inlined,
and that doesn't always work so well for the symbol resolution.

johannes