From dea42f67ab06a8f2c1e6338f9829d31a28642317 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sat, 16 Mar 2024 08:50:05 +0100 Subject: [PATCH] mac80211: fix a crash triggered by sta disconnect with per-sta VLANs Reported-by: ranygh@riseup.net Signed-off-by: Felix Fietkau --- ...eck-clear-fast-rx-for-non-4addr-sta-.patch | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 package/kernel/mac80211/patches/subsys/332-wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-.patch diff --git a/package/kernel/mac80211/patches/subsys/332-wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-.patch b/package/kernel/mac80211/patches/subsys/332-wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-.patch new file mode 100644 index 0000000000..02b4345f21 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/332-wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-.patch @@ -0,0 +1,35 @@ +From: Felix Fietkau +Date: Sat, 16 Mar 2024 08:37:21 +0100 +Subject: [PATCH] wifi: mac80211: check/clear fast rx for non-4addr sta VLAN + changes + +When moving a station out of a VLAN and deleting the VLAN afterwards, the +fast_rx entry still holds a pointer to the VLAN's netdev, which can cause +use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx +after the VLAN change. + +Cc: stable@vger.kernel.org +Reported-by: ranygh@riseup.net +Signed-off-by: Felix Fietkau +--- + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2184,15 +2184,14 @@ static int ieee80211_change_station(stru + } + + if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && +- sta->sdata->u.vlan.sta) { +- ieee80211_clear_fast_rx(sta); ++ sta->sdata->u.vlan.sta) + RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL); +- } + + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) + ieee80211_vif_dec_num_mcast(sta->sdata); + + sta->sdata = vlansdata; ++ ieee80211_check_fast_rx(sta); + ieee80211_check_fast_xmit(sta); + + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { -- 2.30.2