From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Peter Seiderer" <ps.report@gmx.net>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Kalle Valo" <kvalo@kernel.org>
Subject: [PATCH 5.4 42/63] ath9k: Fix usage of driver-private space in tx_info
Date: Mon, 18 Apr 2022 14:13:39 +0200 [thread overview]
Message-ID: <20220418121137.049816471@linuxfoundation.org> (raw)
In-Reply-To: <20220418121134.149115109@linuxfoundation.org>
From: Toke Høiland-Jørgensen <toke@redhat.com>
commit 5a6b06f5927c940fa44026695779c30b7536474c upstream.
The ieee80211_tx_info_clear_status() helper also clears the rate counts and
the driver-private part of struct ieee80211_tx_info, so using it breaks
quite a few other things. So back out of using it, and instead define a
ath-internal helper that only clears the area between the
status_driver_data and the rates info. Combined with moving the
ath_frame_info struct to status_driver_data, this avoids clearing anything
we shouldn't be, and so we can keep the existing code for handling the rate
information.
While fixing this I also noticed that the setting of
tx_info->status.rates[tx_rateindex].count on hardware underrun errors was
always immediately overridden by the normal setting of the same fields, so
rearrange the code so that the underrun detection actually takes effect.
The new helper could be generalised to a 'memset_between()' helper, but
leave it as a driver-internal helper for now since this needs to go to
stable.
Cc: stable@vger.kernel.org
Reported-by: Peter Seiderer <ps.report@gmx.net>
Fixes: 037250f0a45c ("ath9k: Properly clear TX status area before reporting to mac80211")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220404204800.2681133-1-toke@toke.dk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath9k/main.c | 2 +-
drivers/net/wireless/ath/ath9k/xmit.c | 30 ++++++++++++++++++++----------
2 files changed, 21 insertions(+), 11 deletions(-)
--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -836,7 +836,7 @@ static bool ath9k_txq_list_has_key(struc
continue;
txinfo = IEEE80211_SKB_CB(bf->bf_mpdu);
- fi = (struct ath_frame_info *)&txinfo->rate_driver_data[0];
+ fi = (struct ath_frame_info *)&txinfo->status.status_driver_data[0];
if (fi->keyix == keyix)
return true;
}
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -141,8 +141,8 @@ static struct ath_frame_info *get_frame_
{
struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb);
BUILD_BUG_ON(sizeof(struct ath_frame_info) >
- sizeof(tx_info->rate_driver_data));
- return (struct ath_frame_info *) &tx_info->rate_driver_data[0];
+ sizeof(tx_info->status.status_driver_data));
+ return (struct ath_frame_info *) &tx_info->status.status_driver_data[0];
}
static void ath_send_bar(struct ath_atx_tid *tid, u16 seqno)
@@ -2498,6 +2498,16 @@ skip_tx_complete:
spin_unlock_irqrestore(&sc->tx.txbuflock, flags);
}
+static void ath_clear_tx_status(struct ieee80211_tx_info *tx_info)
+{
+ void *ptr = &tx_info->status;
+
+ memset(ptr + sizeof(tx_info->status.rates), 0,
+ sizeof(tx_info->status) -
+ sizeof(tx_info->status.rates) -
+ sizeof(tx_info->status.status_driver_data));
+}
+
static void ath_tx_rc_status(struct ath_softc *sc, struct ath_buf *bf,
struct ath_tx_status *ts, int nframes, int nbad,
int txok)
@@ -2509,7 +2519,7 @@ static void ath_tx_rc_status(struct ath_
struct ath_hw *ah = sc->sc_ah;
u8 i, tx_rateindex;
- ieee80211_tx_info_clear_status(tx_info);
+ ath_clear_tx_status(tx_info);
if (txok)
tx_info->status.ack_signal = ts->ts_rssi;
@@ -2525,6 +2535,13 @@ static void ath_tx_rc_status(struct ath_
tx_info->status.ampdu_len = nframes;
tx_info->status.ampdu_ack_len = nframes - nbad;
+ tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1;
+
+ for (i = tx_rateindex + 1; i < hw->max_rates; i++) {
+ tx_info->status.rates[i].count = 0;
+ tx_info->status.rates[i].idx = -1;
+ }
+
if ((ts->ts_status & ATH9K_TXERR_FILT) == 0 &&
(tx_info->flags & IEEE80211_TX_CTL_NO_ACK) == 0) {
/*
@@ -2546,13 +2563,6 @@ static void ath_tx_rc_status(struct ath_
tx_info->status.rates[tx_rateindex].count =
hw->max_rate_tries;
}
-
- for (i = tx_rateindex + 1; i < hw->max_rates; i++) {
- tx_info->status.rates[i].count = 0;
- tx_info->status.rates[i].idx = -1;
- }
-
- tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1;
}
static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq)
next prev parent reply other threads:[~2022-04-18 13:21 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-18 12:12 [PATCH 5.4 00/63] 5.4.190-rc1 review Greg Kroah-Hartman
2022-04-18 12:12 ` [PATCH 5.4 01/63] memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe Greg Kroah-Hartman
2022-04-18 12:12 ` [PATCH 5.4 02/63] net/sched: flower: fix parsing of ethertype following VLAN header Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 03/63] veth: Ensure eth header is in skbs linear part Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 04/63] gpiolib: acpi: use correct format characters Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 05/63] mlxsw: i2c: Fix initialization error flow Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 06/63] net/sched: fix initialization order when updating chain 0 head Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 07/63] net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 08/63] net/sched: taprio: Check if socket flags are valid Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 09/63] cfg80211: hold bss_lock while updating nontrans_list Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 10/63] drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 11/63] net/smc: Fix NULL pointer dereference in smc_pnet_find_ib() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 12/63] sctp: Initialize daddr on peeled off socket Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 13/63] testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 14/63] nfc: nci: add flush_workqueue to prevent uaf Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 15/63] cifs: potential buffer overflow in handling symlinks Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 16/63] drm/amd: Add USBC connector ID Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 17/63] drm/amd/display: fix audio format not updated after edid updated Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 18/63] drm/amd/display: Update VTEM Infopacket definition Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 19/63] drm/amdkfd: Fix Incorrect VMIDs passed to HWS Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 20/63] drm/amdkfd: Check for potential null return of kmalloc_array() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 21/63] Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 22/63] scsi: target: tcmu: Fix possible page UAF Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 23/63] scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024 Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 24/63] net: micrel: fix KS8851_MLL Kconfig Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 25/63] ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 26/63] gpu: ipu-v3: Fix dev_dbg frequency output Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 27/63] regulator: wm8994: Add an off-on delay for WM8994 variant Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 28/63] arm64: alternatives: mark patch_alternative() as `noinstr` Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 29/63] tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 30/63] net: usb: aqc111: Fix out-of-bounds accesses in RX fixup Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 31/63] drm/amd/display: Fix allocate_mst_payload assert on resume Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 32/63] powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 33/63] scsi: mvsas: Add PCI ID of RocketRaid 2640 Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 34/63] scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 35/63] drivers: net: slip: fix NPD bug in sl_tx_timeout() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 36/63] perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 37/63] mm, page_alloc: fix build_zonerefs_node() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 38/63] mm: kmemleak: take a full lowmem check in kmemleak_*_phys() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 39/63] KVM: Dont create VM debugfs files outside of the VM directory Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 40/63] gcc-plugins: latent_entropy: use /dev/urandom Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 41/63] ath9k: Properly clear TX status area before reporting to mac80211 Greg Kroah-Hartman
2022-04-18 12:13 ` Greg Kroah-Hartman [this message]
2022-04-18 12:13 ` [PATCH 5.4 43/63] btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 44/63] btrfs: mark resumed async balance as writing Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 45/63] ALSA: hda/realtek: Add quirk for Clevo PD50PNT Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 46/63] ALSA: pcm: Test for "silence" field in struct "pcm_format_data" Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 47/63] ipv6: fix panic when forwarding a pkt with no in6 dev Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 48/63] drm/amd/display: dont ignore alpha property on pre-multiplied mode Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 49/63] genirq/affinity: Consider that CPUs on nodes can be unbalanced Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 50/63] tick/nohz: Use WARN_ON_ONCE() to prevent console saturation Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 51/63] ARM: davinci: da850-evm: Avoid NULL pointer dereference Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 52/63] dm integrity: fix memory corruption when tag_size is less than digest size Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 53/63] smp: Fix offline cpu check in flush_smp_call_function_queue() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 54/63] i2c: pasemi: Wait for write xfers to finish Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 55/63] dma-direct: avoid redundant memory sync for swiotlb Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 56/63] ax25: add refcount in ax25_dev to avoid UAF bugs Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 57/63] ax25: fix reference count leaks of ax25_dev Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 58/63] ax25: fix UAF bugs of net_device caused by rebinding operation Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 59/63] ax25: Fix refcount leaks caused by ax25_cb_del() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 60/63] ax25: fix UAF bug in ax25_send_control() Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 61/63] ax25: fix NPD bug in ax25_disconnect Greg Kroah-Hartman
2022-04-18 12:13 ` [PATCH 5.4 62/63] ax25: Fix NULL pointer dereferences in ax25 timers Greg Kroah-Hartman
2022-04-18 12:14 ` [PATCH 5.4 63/63] ax25: Fix UAF bugs " Greg Kroah-Hartman
2022-04-18 17:33 ` [PATCH 5.4 00/63] 5.4.190-rc1 review Florian Fainelli
2022-04-18 18:18 ` Pavel Machek
2022-04-19 0:05 ` Guenter Roeck
2022-04-19 0:09 ` Shuah Khan
2022-04-19 6:37 ` Naresh Kamboju
2022-04-19 12:00 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220418121137.049816471@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=ps.report@gmx.net \
--cc=stable@vger.kernel.org \
--cc=toke@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox