From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.8 13/37] cfg80211: limit scan results cache size
Date: Wed, 30 Nov 2016 10:29:50 +0100 [thread overview]
Message-ID: <20161130092730.422139187@linuxfoundation.org> (raw)
In-Reply-To: <20161130092729.623248210@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit 9853a55ef1bb66d7411136046060bbfb69c714fa upstream.
It's possible to make scanning consume almost arbitrary amounts
of memory, e.g. by sending beacon frames with random BSSIDs at
high rates while somebody is scanning.
Limit the number of BSS table entries we're willing to cache to
1000, limiting maximum memory usage to maybe 4-5MB, but lower
in practice - that would be the case for having both full-sized
beacon and probe response frames for each entry; this seems not
possible in practice, so a limit of 1000 entries will likely be
closer to 0.5 MB.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/core.h | 1
net/wireless/scan.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+)
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -71,6 +71,7 @@ struct cfg80211_registered_device {
struct list_head bss_list;
struct rb_root bss_tree;
u32 bss_generation;
+ u32 bss_entries;
struct cfg80211_scan_request *scan_req; /* protected by RTNL */
struct sk_buff *scan_msg;
struct cfg80211_sched_scan_request __rcu *sched_scan_req;
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -57,6 +57,19 @@
* also linked into the probe response struct.
*/
+/*
+ * Limit the number of BSS entries stored in mac80211. Each one is
+ * a bit over 4k at most, so this limits to roughly 4-5M of memory.
+ * If somebody wants to really attack this though, they'd likely
+ * use small beacons, and only one type of frame, limiting each of
+ * the entries to a much smaller size (in order to generate more
+ * entries in total, so overhead is bigger.)
+ */
+static int bss_entries_limit = 1000;
+module_param(bss_entries_limit, int, 0644);
+MODULE_PARM_DESC(bss_entries_limit,
+ "limit to number of scan BSS entries (per wiphy, default 1000)");
+
#define IEEE80211_SCAN_RESULT_EXPIRE (30 * HZ)
static void bss_free(struct cfg80211_internal_bss *bss)
@@ -137,6 +150,10 @@ static bool __cfg80211_unlink_bss(struct
list_del_init(&bss->list);
rb_erase(&bss->rbn, &rdev->bss_tree);
+ rdev->bss_entries--;
+ WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list),
+ "rdev bss entries[%d]/list[empty:%d] corruption\n",
+ rdev->bss_entries, list_empty(&rdev->bss_list));
bss_ref_put(rdev, bss);
return true;
}
@@ -163,6 +180,40 @@ static void __cfg80211_bss_expire(struct
rdev->bss_generation++;
}
+static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
+{
+ struct cfg80211_internal_bss *bss, *oldest = NULL;
+ bool ret;
+
+ lockdep_assert_held(&rdev->bss_lock);
+
+ list_for_each_entry(bss, &rdev->bss_list, list) {
+ if (atomic_read(&bss->hold))
+ continue;
+
+ if (!list_empty(&bss->hidden_list) &&
+ !bss->pub.hidden_beacon_bss)
+ continue;
+
+ if (oldest && time_before(oldest->ts, bss->ts))
+ continue;
+ oldest = bss;
+ }
+
+ if (WARN_ON(!oldest))
+ return false;
+
+ /*
+ * The callers make sure to increase rdev->bss_generation if anything
+ * gets removed (and a new entry added), so there's no need to also do
+ * it here.
+ */
+
+ ret = __cfg80211_unlink_bss(rdev, oldest);
+ WARN_ON(!ret);
+ return ret;
+}
+
void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
bool send_message)
{
@@ -693,6 +744,7 @@ static bool cfg80211_combine_bsses(struc
const u8 *ie;
int i, ssidlen;
u8 fold = 0;
+ u32 n_entries = 0;
ies = rcu_access_pointer(new->pub.beacon_ies);
if (WARN_ON(!ies))
@@ -716,6 +768,12 @@ static bool cfg80211_combine_bsses(struc
/* This is the bad part ... */
list_for_each_entry(bss, &rdev->bss_list, list) {
+ /*
+ * we're iterating all the entries anyway, so take the
+ * opportunity to validate the list length accounting
+ */
+ n_entries++;
+
if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
continue;
if (bss->pub.channel != new->pub.channel)
@@ -744,6 +802,10 @@ static bool cfg80211_combine_bsses(struc
new->pub.beacon_ies);
}
+ WARN_ONCE(n_entries != rdev->bss_entries,
+ "rdev bss entries[%d]/list[len:%d] corruption\n",
+ rdev->bss_entries, n_entries);
+
return true;
}
@@ -898,7 +960,14 @@ cfg80211_bss_update(struct cfg80211_regi
}
}
+ if (rdev->bss_entries >= bss_entries_limit &&
+ !cfg80211_bss_expire_oldest(rdev)) {
+ kfree(new);
+ goto drop;
+ }
+
list_add_tail(&new->list, &rdev->bss_list);
+ rdev->bss_entries++;
rb_insert_bss(rdev, new);
found = new;
}
next prev parent reply other threads:[~2016-11-30 9:29 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20161130093010epcas2p3047cf63814e74dfcc79f43d37b446ae0@epcas2p3.samsung.com>
2016-11-30 9:29 ` [PATCH 4.8 00/37] 4.8.12-stable review Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 07/37] usb: chipidea: move the lock initialization to core file Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 08/37] USB: serial: cp210x: add ID for the Zone DPMX Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 09/37] USB: serial: ftdi_sio: add support for TI CC3200 LaunchPad Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 10/37] Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 11/37] scsi: mpt3sas: Fix secure erase premature termination Greg Kroah-Hartman
2016-11-30 16:49 ` Martin K. Petersen
2016-12-01 7:10 ` Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 12/37] tile: avoid using clocksource_cyc2ns with absolute cycle count Greg Kroah-Hartman
2016-11-30 9:29 ` Greg Kroah-Hartman [this message]
2016-11-30 9:29 ` [PATCH 4.8 15/37] drm/radeon: fix power state when port pm is unavailable (v2) Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 16/37] apparmor: fix change_hat not finding hat after policy replacement Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 17/37] NFSv4.x: hide array-bounds warning Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 18/37] x86/fpu: Fix invalid FPU ptrace state after execve() Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 19/37] x86/traps: Ignore high word of regs->cs in early_fixup_exception() Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 20/37] perf/core: Fix address filter parser Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 21/37] perf/x86/intel: Cure bogus unwind from PEBS entries Greg Kroah-Hartman
2016-11-30 9:29 ` [PATCH 4.8 22/37] thermal/powerclamp: add back module device table Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 23/37] parisc: Fix races in parisc_setup_cache_timing() Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 24/37] parisc: Switch to generic sched_clock implementation Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 25/37] parisc: Fix race in pci-dma.c Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 26/37] parisc: Also flush data TLB in flush_icache_page_asm Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 27/37] mmc: sdhci-of-esdhc: fixup PRESENT_STATE read Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 28/37] mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 29/37] X.509: Fix double free in x509_cert_parse() " Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 30/37] xc2028: Fix use-after-free bug properly Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 31/37] device-dax: check devm_nsio_enable() return value Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 32/37] device-dax: fail all private mapping attempts Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 33/37] powerpc: Set missing wakeup bit in LPCR on POWER9 Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 34/37] powerpc/mm: Fixup kernel read only mapping Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 35/37] powerpc/boot: Fix the early OPAL console wrappers Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 36/37] can: bcm: fix support for CAN FD frames Greg Kroah-Hartman
2016-11-30 9:30 ` [PATCH 4.8 37/37] mm, oom: stop pre-mature high-order OOM killer invocations Greg Kroah-Hartman
[not found] ` <20161130092730.460938123@linuxfoundation.org>
2016-11-30 10:51 ` [PATCH 4.8 14/37] drm/amdgpu: fix power state when port pm is unavailable Peter Wu
2016-11-30 11:53 ` Greg Kroah-Hartman
2016-12-05 0:11 ` Peter Wu
2016-12-05 14:46 ` Greg Kroah-Hartman
2016-11-30 16:04 ` [PATCH 4.8 00/37] 4.8.12-stable review Shuah Khan
2016-12-01 7:14 ` Greg Kroah-Hartman
2016-11-30 23:34 ` Guenter Roeck
2016-12-01 7:15 ` Greg Kroah-Hartman
[not found] ` <583ed167.6602c20a.c3129.a6b8@mx.google.com>
[not found] ` <m2oa0wkjlk.fsf@baylibre.com>
2016-12-01 7:11 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161130092730.422139187@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).