From: Zhao Li
To: linux-wireless@vger.kernel.org
Cc: Johannes Berg, Felix Fietkau, Ryder Lee, Jeff Johnson, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb
Date: Sat, 9 May 2026 12:34:28 +0800
Message-ID: <20260509043427.60322-2-enderaoelyther@gmail.com>
X-Mailer: git-send-email 2.50.1

ieee80211_invoke_fast_rx() reads RX status through IEEE80211_SKB_RXCB(skb), which aliases the same skb->cb storage that ieee80211_rx_mesh_data() reuses as IEEE80211_TX_INFO.

In the unicast forward path, mesh_data does:

    info = IEEE80211_SKB_CB(fwd_skb);
    memset(info, 0, sizeof(*info));

on the same skb the caller still names via rx->skb, then either queues the skb for TX (success) or kfree_skb()'s it (no-route) before returning RX_QUEUED. The caller's RX_QUEUED arm then calls sta_stats_encode_rate(status) on memory that is either zeroed (success path) or freed (no-route path). The latter is KASAN slab-use-after-free in ieee80211_prepare_and_rx_handle.

Fix by encoding the rate from status before invoking ieee80211_rx_mesh_data(), so the RX_QUEUED arm consumes a value captured while status was still backed by valid memory.

Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li
---
 net/mac80211/rx.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c @@ -4984,6 +4984,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, u8 sa[ETH_ALEN]; } addrs __aligned(2); struct ieee80211_sta_rx_stats *stats; + u32 encoded_rate; /* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write * to a common data structure; drivers can implement that per queue @@ -5090,11 +5091,14 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx, /* push the addresses in front */ memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs)); + /* capture before mesh forward may memset or free skb->cb */ + encoded_rate = sta_stats_encode_rate(status); + res = ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb); switch (res) { case RX_QUEUED: stats->last_rx = jiffies; - stats->last_rate = sta_stats_encode_rate(status); + stats->last_rate = encoded_rate; return true; case RX_CONTINUE: break; -- 2.50.1
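Review bot: the new comment in the second hunk, `/* capture before mesh forward may memset or free skb->cb */`, leaves the reason the capture matters implicit; the reader of rx.c does not see from these lines that `status` is `IEEE80211_SKB_RXCB(skb)` and therefore the same bytes that ieee80211_rx_mesh_data() takes as `IEEE80211_SKB_CB(fwd_skb)` and zeroes or frees. Suggest spelling that out, e.g. `/* status aliases skb->cb, which ieee80211_rx_mesh_data() may memset or free */`, so that nobody later "simplifies" the code back to calling sta_stats_encode_rate(status) in the RX_QUEUED arm. The same reasoning should make it into the commit message as a one-line invariant: after RX_QUEUED the function returns at once and neither `status` nor `rx->skb` may be dereferenced, because the skb may already be freed. The capture also executes on the RX_CONTINUE path, where `encoded_rate` goes unused; that is one cheap call per mesh-forwarded frame and fine, but noting it in the message pre-empts the obvious review question. The first hunk's `u32 encoded_rate;` declaration is fine as placed.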
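A minimal userspace model of the bug class the commit message describes, added here as an illustration and not taken from the patch or from mac80211: `skb`, `rx_status`, `tx_info`, `mesh_data()`, `encode_rate()` and the two `fast_rx_*` functions are simplified stand-ins with hypothetical layouts, kept only to show why a view into `skb->cb` must be read before the callee that reuses or frees it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not mac80211 code: both views overlay the same cb[] bytes. */
struct skb { unsigned char cb[48]; };
struct rx_status { uint32_t rate_idx; uint8_t bw; };   /* stand-in for ieee80211_rx_status */
struct tx_info  { uint32_t flags; uint32_t band; };    /* stand-in for ieee80211_tx_info  */
#define SKB_RXCB(s) ((struct rx_status *)(s)->cb)     /* like IEEE80211_SKB_RXCB() */
#define SKB_CB(s)   ((struct tx_info *)(s)->cb)       /* like IEEE80211_SKB_CB()   */
enum rx_result { RX_QUEUED, RX_CONTINUE };
/* Stand-in for sta_stats_encode_rate(): any packing of the rate fields will do. */
static uint32_t encode_rate(const struct rx_status *st) { return (st->rate_idx << 4) | st->bw; }

/* Model of ieee80211_rx_mesh_data()'s forward path: cb reused as TX info, no route frees skb. */
static enum rx_result mesh_data(struct skb *skb, int have_route)
{
    memset(SKB_CB(skb), 0, sizeof(struct tx_info));   /* zeroes the rx_status bytes too */
    if (!have_route)
        free(skb);                                    /* no-route: freed before returning */
    return RX_QUEUED;                                 /* success: skb now owned by the TX queue */
}

/* Pre-fix ordering: the rate is read from a view the callee already clobbered.
 * Only the have_route path is modelled; the no-route path would be a real UAF. */
static uint32_t fast_rx_before_fix(struct skb *skb)
{
    struct rx_status *status = SKB_RXCB(skb);
    if (mesh_data(skb, 1) == RX_QUEUED)
        return encode_rate(status);                   /* reads zeroed memory: rate lost */
    return 0;
}

/* Post-fix ordering: capture the rate while status is still backed by live memory. */
static uint32_t fast_rx_after_fix(struct skb *skb, int have_route)
{
    struct rx_status *status = SKB_RXCB(skb);
    uint32_t encoded_rate = encode_rate(status);      /* captured before the call */
    if (mesh_data(skb, have_route) == RX_QUEUED)
        return encoded_rate;                          /* status and skb not touched here */
    return 0;
}

static struct skb *make_skb(uint32_t rate_idx, uint8_t bw)   /* caller frees on have_route path */
{
    struct skb *s = calloc(1, sizeof(*s));
    SKB_RXCB(s)->rate_idx = rate_idx;
    SKB_RXCB(s)->bw = bw;
    return s;
}
```

With rate_idx 7 and bw 2 the pre-fix path returns 0 because the memset through the tx_info view erased the rx_status view, while the post-fix path returns the captured value on both the queued and the no-route outcome.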