BACKPORT: wifi: cfg80211: fix BSS refcounting bugs

There are multiple refcounting bugs related to multi-BSSID:
 - In bss_ref_get(), if the BSS has a hidden_beacon_bss, then
   the bss pointer is overwritten before checking for the
   transmitted BSS, which is clearly wrong. Fix this by using
   the bss_from_pub() macro.
 - In cfg80211_bss_update() we copy the transmitted_bss pointer
   from tmp into new, but then if we release new, we'll unref
   it erroneously. We already set the pointer and ref it, but
   need to NULL it since it was copied from the tmp data.
 - In cfg80211_inform_single_bss_data(), if adding to the non-
   transmitted list fails, we unlink the BSS and yet still we
   return it, but this results in returning an entry without
   a reference. We shouldn't return it anyway if it was broken
   enough to not get added there.

This fixes CVE-2022-42720.

BUG=b:255981722
TEST=Basic Wifi sanity like bringing up AP, mesh and STA mode and connect a STA, mesh and connect to AP and verified the ping.

(cherry picked from commit 0b7808818cb9df6680f98996b8e9a439fa7bcc2f)
(Source: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git)
(Link: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/commit/?id=0b7808818cb9df6680f98996b8e9a439fa7bcc2f)

Change-Id: Ia984c454e65ee6cd356a61597a072dab8ca0ad49
Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: a3584f56de1c ("cfg80211: Properly track transmitting and non-transmitting BSS")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ganesh Babu Jothiram <gjothira@qualcomm.corp-partner.google.com>
Signed-off-by: Maharaja Kennadyrajan <mkenna@qualcomm.corp-partner.google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/4135923
Tested-by: Julan Hsu <julanhsu@google.com>
Reviewed-by: Julan Hsu <julanhsu@google.com>
Commit-Queue: Julan Hsu <julanhsu@google.com>