wifi: cfg80211: clear link ID from bitmap during link delete after clean up

jtornosm · jtornosm · commit 52137e5b6359 · 2025-01-15T17:26:26.000+01:00
JIRA: https://issues.redhat.com/browse/RHEL-73817 JIRA: https://issues.redhat.com/browse/RHEL-74089 CVE: CVE-2024-57898 commit b5c32ff Author: Aditya Kumar Singh <quic_adisi@quicinc.com> Date: Thu Nov 21 09:45:30 2024 +0530 wifi: cfg80211: clear link ID from bitmap during link delete after clean up Currently, during link deletion, the link ID is first removed from the valid_links bitmap before performing any clean-up operations. However, some functions require the link ID to remain in the valid_links bitmap. One such example is cfg80211_cac_event(). The flow is - nl80211_remove_link() cfg80211_remove_link() ieee80211_del_intf_link() ieee80211_vif_set_links() ieee80211_vif_update_links() ieee80211_link_stop() cfg80211_cac_event() cfg80211_cac_event() requires link ID to be present but it is cleared already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit. Therefore, clear the link ID from the bitmap only after completing the link clean-up. Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com> Link: https://patch.msgid.link/20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
@@ -4992,10 +4992,16 @@ static void ieee80211_del_intf_link(struct wiphy *wiphy,
 				    unsigned int link_id)
 {
 	struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+	u16 new_links = wdev->valid_links & ~BIT(link_id);
 
 	lockdep_assert_wiphy(sdata->local->hw.wiphy);
 
-	ieee80211_vif_set_links(sdata, wdev->valid_links, 0);
+	/* During the link teardown process, certain functions require the
+	 * link_id to remain in the valid_links bitmap. Therefore, instead
+	 * of removing the link_id from the bitmap, pass a masked value to
+	 * simulate as if link_id does not exist anymore.
+	 */
+	ieee80211_vif_set_links(sdata, new_links, 0);
 }
 
 static int
diff --git a/net/wireless/util.c b/net/wireless/util.c
@@ -2843,10 +2843,9 @@ void cfg80211_remove_link(struct wireless_dev *wdev, unsigned int link_id)
 		break;
 	}
 
-	wdev->valid_links &= ~BIT(link_id);
-
 	rdev_del_intf_link(rdev, wdev, link_id);
 
+	wdev->valid_links &= ~BIT(link_id);
 	eth_zero_addr(wdev->links[link_id].addr);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2843,10 +2843,9 @@ void cfg80211_remove_link(struct wireless_dev *wdev, unsigned int link_id)`
`2843`	`2843`	`break;`
`2844`	`2844`	`}`
`2845`	`2845`
`2846`		`- wdev->valid_links &= ~BIT(link_id);`
`2847`		`-`
`2848`	`2846`	`rdev_del_intf_link(rdev, wdev, link_id);`
`2849`	`2847`
	`2848`	`+ wdev->valid_links &= ~BIT(link_id);`
`2850`	`2849`	`eth_zero_addr(wdev->links[link_id].addr);`
`2851`	`2850`	`}`
`2852`	`2851`