From: Ben Greear <greearb@xxxxxxxxxxxxxxx> Protect from NULL ifmgd->assoc_data in ieee80211_mgd_deauth, crash was seen here fairly often in a 32-station test case utilizing mtk7922 and be200 radios. I'm not sure if radio types matters though. Signed-off-by: Ben Greear <greearb@xxxxxxxxxxxxxxx> --- Patch is for wireless-next tree, bug was likely introduced in this release since this crash was not seen in earlier 6.6-rc testing nor in 6.5 or earlier. There may be a better way to fix this... net/mac80211/mlme.c | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 7695531de611..d2a44a13625c 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -8185,13 +8185,18 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, "aborting authentication with %pM by local choice (Reason: %u=%s)\n", req->bssid, req->reason_code, ieee80211_get_reason_code_string(req->reason_code)); - - info.link_id = ifmgd->assoc_data->assoc_link_id; - drv_mgd_prepare_tx(sdata->local, sdata, &info); - ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, - IEEE80211_STYPE_DEAUTH, - req->reason_code, tx, - frame_buf); + if (WARN_ON_ONCE((unsigned long)(ifmgd) < 4000 || + (unsigned long)(ifmgd->assoc_data) < 4000)) { + sdata_err(sdata, "ieee80211-mgd-auth abort auth, bad memory: ifmgd: %p ifmgd->assoc_data: %p\n", + ifmgd, ifmgd->assoc_data); + } else { + info.link_id = ifmgd->assoc_data->assoc_link_id; + drv_mgd_prepare_tx(sdata->local, sdata, &info); + ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, + IEEE80211_STYPE_DEAUTH, + req->reason_code, tx, + frame_buf); + } ieee80211_destroy_auth_data(sdata, false); ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, 
@@ -8207,12 +8212,18 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata, req->bssid, req->reason_code, ieee80211_get_reason_code_string(req->reason_code)); - info.link_id = ifmgd->auth_data->link_id; - drv_mgd_prepare_tx(sdata->local, sdata, &info); - ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, - IEEE80211_STYPE_DEAUTH, - req->reason_code, tx, - frame_buf); + if (WARN_ON_ONCE((unsigned long)(ifmgd) < 4000 || + (unsigned long)(ifmgd->assoc_data) < 4000)) { + sdata_err(sdata, "ieee80211-mgd-auth abort assoc, bad memory: ifmgd: %p ifmgd->assoc_data: %p\n", + ifmgd, ifmgd->assoc_data); + } else { + info.link_id = ifmgd->auth_data->link_id; + drv_mgd_prepare_tx(sdata->local, sdata, &info); + ieee80211_send_deauth_disassoc(sdata, req->bssid, req->bssid, + IEEE80211_STYPE_DEAUTH, + req->reason_code, tx, + frame_buf); + } ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON); ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true, -- 2.40.0
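Review bot: in the first hunk (the "aborting authentication" path) the guarded line `info.link_id = ifmgd->assoc_data->assoc_link_id;` reads `assoc_data` while everything around it deals with `auth_data` (the message says authentication is being aborted and the block ends with `ieee80211_destroy_auth_data(sdata, false);`), so `assoc_data` being NULL here is expected rather than "bad memory"; the second hunk's `info.link_id = ifmgd->auth_data->link_id;` looks like the line this path should have, i.e. the two assignments appear swapped, and swapping them back would remove the NULL dereference without the new branch. If a guard is still wanted, `(unsigned long)(ifmgd) < 4000` is a magic threshold rather than a NULL check; `if (WARN_ON_ONCE(!ifmgd->assoc_data))` (or the correct pointer) says what is meant. Note also that taking the WARN branch skips `ieee80211_send_deauth_disassoc()` entirely, so the peer is never told about the deauth even though `ieee80211_report_disconnect()` still runs, which deserves a comment if that is the intended behaviour.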
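Review bot: in the second hunk (the "abort assoc" path) the new condition tests `ifmgd->assoc_data`, but the pointer actually dereferenced in the else branch is `ifmgd->auth_data` (`info.link_id = ifmgd->auth_data->link_id;`), so the guard does not cover the access it is meant to protect, and the `sdata_err()` text prints `ifmgd->assoc_data` for the same reason. Since this path ends with `ieee80211_destroy_assoc_data(sdata, ASSOC_ABANDON);`, the field that should be read here is most likely `ifmgd->assoc_data->assoc_link_id`, the line currently sitting in the first hunk. The `< 4000` comparison has the same problem as above: it is not a NULL test and will also pass for any dangling non-NULL pointer, so prefer an explicit `!ifmgd->auth_data` / `!ifmgd->assoc_data` check against the pointer that is actually used, and drop the duplicated error-handling block if the root cause (the swapped link-id lookups) is fixed instead.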