> From: Johannes Berg <johannes.berg@xxxxxxxxx> > > For admission control, obviously all of that only works for > QoS data frames, otherwise we cannot even access the QoS > field in the header. > > Syzbot reported (see below) an uninitialized value here due > to a status of a non-QoS nullfunc packet, which isn't even > long enough to contain the QoS header. > > Fix this to only do anything for QoS data packets. > > #syz: test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master This crash does not have a reproducer. I cannot test it. > Reported-by: syzbot+614e82b88a1a4973e534@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 02219b3abca5 ("mac80211: add WMM admission control support") > Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> > --- > net/mac80211/mlme.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > > diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c > index 54ab0e1ef6ca..37f7d975f3da 100644 > --- a/net/mac80211/mlme.c > +++ b/net/mac80211/mlme.c > @@ -2452,11 +2452,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata, > u16 tx_time) > { > struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; > - u16 tid = ieee80211_get_tid(hdr); > - int ac = ieee80211_ac_from_tid(tid); > - struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac]; > + u16 tid; > + int ac; > + struct ieee80211_sta_tx_tspec *tx_tspec; > unsigned long now = jiffies; > > + if (!ieee80211_is_data_qos(hdr->frame_control)) > + return; > + > + tid = ieee80211_get_tid(hdr); > + ac = ieee80211_ac_from_tid(tid); > + tx_tspec = &ifmgd->tx_tspec[ac]; > + > if (likely(!tx_tspec->admitted_time)) > return; > > -- > 2.33.1 >
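
Review bot: The new early return at the top of ieee80211_sta_tx_wmm_ac_notify() has no comment saying why non-QoS frames are skipped. A one-line comment above the `if (!ieee80211_is_data_qos(hdr->frame_control))` check would help keep a later cleanup from folding the assignments back into the declarations. It could say that ieee80211_get_tid() reads the QoS control field, which a non-QoS frame such as the nullfunc packet from the report does not carry. The check itself still dereferences hdr->frame_control, so it relies on the caller having handed in a buffer that covers at least that field. That guarantee is not visible in this hunk and is worth confirming at the call site. Since the syzbot report has no reproducer, the fix cannot be confirmed by a test run, so reading through the callers for any other path that calls ieee80211_get_tid() on a status frame without the same QoS check would be a useful follow-up.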