diff options
Diffstat (limited to 'package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch | 99 |
1 files changed, 0 insertions, 99 deletions
diff --git a/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch b/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch deleted file mode 100644 index 9148cfa426..0000000000 --- a/package/kernel/mac80211/patches/351-mac80211-fix-tid-agg-null.patch +++ /dev/null @@ -1,99 +0,0 @@ -From 1c3d185a9a0b136a58e73b02912d593d0303d1da Mon Sep 17 00:00:00 2001 -From: Johannes Berg <johannes.berg@intel.com> -Date: Tue, 18 Oct 2016 23:12:08 +0300 -Subject: [PATCH] mac80211: fix tid_agg_rx NULL dereference - -On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag, -we crash when the peer sends an AddBA request while we already -have a session open on the seame TID; this is because on those -drivers, the tid_agg_rx is left NULL even though the session is -valid, and the agg_session_valid bit is set. - -To fix this, store the dialog tokens outside the tid_agg_rx to -be able to compare them to the received AddBA request. - -Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update") -Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - net/mac80211/agg-rx.c | 8 ++------ - net/mac80211/debugfs_sta.c | 2 +- - net/mac80211/sta_info.h | 4 ++-- - 3 files changed, 5 insertions(+), 9 deletions(-) - ---- a/net/mac80211/agg-rx.c -+++ b/net/mac80211/agg-rx.c -@@ -315,11 +315,7 @@ void __ieee80211_start_rx_ba_session(str - mutex_lock(&sta->ampdu_mlme.mtx); - - if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) { -- tid_agg_rx = rcu_dereference_protected( -- sta->ampdu_mlme.tid_rx[tid], -- lockdep_is_held(&sta->ampdu_mlme.mtx)); -- -- if (tid_agg_rx->dialog_token == dialog_token) { -+ if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) { - ht_dbg_ratelimited(sta->sdata, - "updated AddBA Req from %pM on tid %u\n", - sta->sta.addr, tid); -@@ -396,7 +392,6 @@ void __ieee80211_start_rx_ba_session(str - } - - /* update data */ -- tid_agg_rx->dialog_token = dialog_token; - tid_agg_rx->ssn = start_seq_num; - tid_agg_rx->head_seq_num = start_seq_num; - tid_agg_rx->buf_size = buf_size; -@@ -418,6 +413,7 @@ end: - if (status == WLAN_STATUS_SUCCESS) { - __set_bit(tid, sta->ampdu_mlme.agg_session_valid); - __clear_bit(tid, sta->ampdu_mlme.unexpected_agg); -+ sta->ampdu_mlme.tid_rx_token[tid] = dialog_token; - } - mutex_unlock(&sta->ampdu_mlme.mtx); - ---- a/net/mac80211/debugfs_sta.c -+++ b/net/mac80211/debugfs_sta.c -@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struc - p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i); - p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx); - p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x", -- tid_rx ? tid_rx->dialog_token : 0); -+ tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0); - p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x", - tid_rx ? tid_rx->ssn : 0); - ---- a/net/mac80211/sta_info.h -+++ b/net/mac80211/sta_info.h -@@ -184,7 +184,6 @@ struct tid_ampdu_tx { - * @ssn: Starting Sequence Number expected to be aggregated. - * @buf_size: buffer size for incoming A-MPDUs - * @timeout: reset timer value (in TUs). -- * @dialog_token: dialog token for aggregation session - * @rcu_head: RCU head used for freeing this struct - * @reorder_lock: serializes access to reorder buffer, see below. - * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and -@@ -213,7 +212,6 @@ struct tid_ampdu_rx { - u16 ssn; - u16 buf_size; - u16 timeout; -- u8 dialog_token; - bool auto_seq; - bool removed; - }; -@@ -225,6 +223,7 @@ struct tid_ampdu_rx { - * to tid_tx[idx], which are protected by the sta spinlock) - * tid_start_tx is also protected by sta->lock. - * @tid_rx: aggregation info for Rx per TID -- RCU protected -+ * @tid_rx_token: dialog tokens for valid aggregation sessions - * @tid_rx_timer_expired: bitmap indicating on which TIDs the - * RX timer expired until the work for it runs - * @tid_rx_stop_requested: bitmap indicating which BA sessions per TID the -@@ -243,6 +242,7 @@ struct sta_ampdu_mlme { - struct mutex mtx; - /* rx */ - struct tid_ampdu_rx __rcu *tid_rx[IEEE80211_NUM_TIDS]; -+ u8 tid_rx_token[IEEE80211_NUM_TIDS]; - unsigned long tid_rx_timer_expired[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; - unsigned long tid_rx_stop_requested[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; - unsigned long agg_session_valid[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; |