From: Johannes Berg <johannes@sipsolutions.net>
To: Fredrik Olofsson <fredrik.olofsson@anyfinetworks.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] mac80211: fix overwriting of qos_ctrl.tid field
Date: Fri, 22 Nov 2019 18:50:13 +0100 [thread overview]
Message-ID: <d6d9eef2a6260fd7b677f137d00c4aa416ba4c3f.camel@sipsolutions.net> (raw)
In-Reply-To: <CADiFmNOFfjoZ9ah-_AyrJmKUvVoYjO3EfG9LqozZDFq4tUoZ-Q@mail.gmail.com> (sfid-20191122_160659_482033_F1641F35)
On Fri, 2019-11-22 at 16:06 +0100, Fredrik Olofsson wrote:
> > I'm not sure I understand.
> >
> > If the QoS field is overwritten (where, btw?) then wouldn't that still
> > be done even after this change, and if the frame is pre-encrypted it is
> > corrupted?
>
> Thanks for your response, and sorry for being too terse.
>
> What we are doing is injecting pre-encrypted frames on the monitor interface.
> This used to work without issues (prior to the commit I mentioned). But now,
> the QoS field is overwritten, corrupting the frame. Actually the overwriting
> happened previously as well, but the QoS.TID field was not changed since it
> was always overwritten with the same value as it already had. This
> overwriting with the same value happens after my patch as well.
>
> The simplified call flow for the frame is something like this:
>
> netdev_core_pick_tx()
> if (dev->real_num_tx_queues != 1) {
> dev->ndo_select_queue() <<< really: ieee80211_monitor_select_queue()
> }
>
> ...
>
> ieee80211_monitor_start_xmit()
> ieee80211_xmit()
> ieee80211_set_qos_hdr() <<< here the tid is overwritten
> ieee80211_tx()
>
> But after dbd50a851c50, real_num_tx_queues == 1 and
> ieee80211_monitor_select_queue() is never called. Then when the frame arrives
> in ieee80211_set_qos_hdr() the qos.tid field is overwritten with the wrong
> value. My patch makes sure ieee80211_set_qos_hdr() writes the same QoS.TID
> value as was originally in the frame. Even if ieee80211_monitor_select_queue()
> is not called.
>
> My suggested patch tries to do the same as what happened before, but it may
> not be the correct way to do this. Maybe real_num_queues should not be 1?
> Maybe it would be better to detect the case that the frame is already
> encrypted, and make sure not to touch any protected fields at all?
No ... I get it now I think. Will need to think about it correctly
again.
What confused me is that you said the field was 'encrypted' but really
it's not, it's just part of what gets protected during the encryption. I
paid too much attention to your email vs. remembering how this all works
and then figured you couldn't write back the value to an encrypted
field. All good, I'll figure it out :)
johannes
prev parent reply other threads:[~2019-11-22 17:50 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-19 13:34 [PATCH] mac80211: fix overwriting of qos_ctrl.tid field Fredrik Olofsson
2019-11-22 12:00 ` Johannes Berg
2019-11-22 15:06 ` Fredrik Olofsson
2019-11-22 17:50 ` Johannes Berg [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6d9eef2a6260fd7b677f137d00c4aa416ba4c3f.camel@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=fredrik.olofsson@anyfinetworks.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).