Patch "mac80211: track only QoS data frames for admission control" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 18 Dec 2021 22:09:50 -0500

This is a note to let you know that I've just added the patch titled

    mac80211: track only QoS data frames for admission control

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mac80211-track-only-qos-data-frames-for-admission-co.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ea887c4d682c5526712000ba302b182886d19908
Author: Johannes Berg <johannes.berg@xxxxxxxxx>
Date:   Mon Nov 22 12:47:40 2021 +0100

    mac80211: track only QoS data frames for admission control
    
    [ Upstream commit d5e568c3a4ec2ddd23e7dc5ad5b0c64e4f22981a ]
    
    For admission control, obviously all of that only works for
    QoS data frames, otherwise we cannot even access the QoS
    field in the header.
    
    Syzbot reported (see below) an uninitialized value here due
    to a status of a non-QoS nullfunc packet, which isn't even
    long enough to contain the QoS header.
    
    Fix this to only do anything for QoS data packets.
    
    Reported-by: syzbot+614e82b88a1a4973e534@xxxxxxxxxxxxxxxxxxxxxxxxx
    Fixes: 02219b3abca5 ("mac80211: add WMM admission control support")
    Link: https://lore.kernel.org/r/20211122124737.dad29e65902a.Ieb04587afacb27c14e0de93ec1bfbefb238cc2a0@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ccaf2389ccc1d..5c727af01143f 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2418,11 +2418,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
 					   u16 tx_time)
 {
 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-	u16 tid = ieee80211_get_tid(hdr);
-	int ac = ieee80211_ac_from_tid(tid);
-	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
+	u16 tid;
+	int ac;
+	struct ieee80211_sta_tx_tspec *tx_tspec;
 	unsigned long now = jiffies;
 
+	if (!ieee80211_is_data_qos(hdr->frame_control))
+		return;
+
+	tid = ieee80211_get_tid(hdr);
+	ac = ieee80211_ac_from_tid(tid);
+	tx_tspec = &ifmgd->tx_tspec[ac];
+
 	if (likely(!tx_tspec->admitted_time))
 		return;
 






