From: syzbot <syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: johannes.berg@intel.com, johannes@sipsolutions.net,
	linux-wireless@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] mac80211: track only QoS data frames for admission control
Date: Mon, 22 Nov 2021 03:47:55 -0800
Message-ID: <0000000000000c4c1805d15f320b@google.com>
In-Reply-To: <20211122124737.dad29e65902a.Ieb04587afacb27c14e0de93ec1bfbefb238cc2a0@changeid>

> From: Johannes Berg <johannes.berg@intel.com>
>
> For admission control, obviously all of that only works for
> QoS data frames, otherwise we cannot even access the QoS
> field in the header.
>
> Syzbot reported (see below) an uninitialized value here due
> to a status of a non-QoS nullfunc packet, which isn't even
> long enough to contain the QoS header.
>
> Fix this to only do anything for QoS data packets.
>
> #syz: test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master

This crash does not have a reproducer. I cannot test it.

> Reported-by: syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com
> Fixes: 02219b3abca5 ("mac80211: add WMM admission control support")
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>  net/mac80211/mlme.c | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
> index 54ab0e1ef6ca..37f7d975f3da 100644
> --- a/net/mac80211/mlme.c
> +++ b/net/mac80211/mlme.c
> @@ -2452,11 +2452,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
>  					   u16 tx_time)
>  {
>  	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
> -	u16 tid = ieee80211_get_tid(hdr);
> -	int ac = ieee80211_ac_from_tid(tid);
> -	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
> +	u16 tid;
> +	int ac;
> +	struct ieee80211_sta_tx_tspec *tx_tspec;
>  	unsigned long now = jiffies;
>  
> +	if (!ieee80211_is_data_qos(hdr->frame_control))
> +		return;
> +
> +	tid = ieee80211_get_tid(hdr);
> +	ac = ieee80211_ac_from_tid(tid);
> +	tx_tspec = &ifmgd->tx_tspec[ac];
> +
>  	if (likely(!tx_tspec->admitted_time))
>  		return;
>  
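Review bot: the new `ieee80211_is_data_qos(hdr->frame_control)` early return at the top of ieee80211_sta_tx_wmm_ac_notify() deserves a one-line comment saying why non-QoS frames are skipped: ieee80211_get_tid() reads the QoS control field, which frames such as the non-QoS nullfunc named in the commit message do not carry. The check itself only dereferences frame_control, so it fits the short frame described, but nothing in this hunk shows the frame length being validated before hdr is used; it is worth confirming that the caller guarantees at least a complete frame_control field. Splitting the declarations of tid, ac and tx_tspec from their assignments is the right shape for this, since no header-derived value is computed before the guard.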
> -- 
> 2.33.1
>

Thread overview: 3+ messages
2021-11-20 12:17 [syzbot] KMSAN: uninit-value in ieee80211_sta_tx_notify (2) syzbot
2021-11-22 11:47 ` [PATCH] mac80211: track only QoS data frames for admission control Johannes Berg
2021-11-22 11:47   ` syzbot [this message]
