APPLIED: [SRU Xenial] UBUNTU: SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash

Khaled Elmously khalid.elmously at canonical.com
Tue Feb 5 05:18:47 UTC 2019


On 2019-01-30 16:24:17 , Siva Rebbagondla wrote:
> From: Siva Rebbagondla <siva.rebbagondla at redpinesignals.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1813869
> 
> When mac spoof is enabled in userspace and scan gets triggered with custom
> mac address, driver is not handling custom mac addresses properly and
> causing kernel crash. This could be fixed by copying custom mac address to
> mac address.
> 
> ...skipping...
> [ 49.130185] BUG: unable to handle kernel NULL pointer dereference at 0000000000000134
> [ 49.138969] IP: [<ffffffffc0517c03>] rsi_prepare_mgmt_desc+0xd3/0x2d0 [ven_rsi_91x]
> [ 49.147555] PGD 0
> [ 49.149799] Oops: 0000 [#1] SMP
> [ 49.244030] CPU: 0 PID: 31 Comm: kworker/u4:1 Not tainted 4.4.0-139-generic #165-Ubuntu
> [ 49.252988] Hardware name: Dell Inc. Edge Gateway 3001/, BIOS 01.00.00 04/17/2017
> [ 49.261374] Workqueue: rsi_scan_worker rsi_scan_start [ven_rsi_91x]
> [ 49.357435] Stack:
> [ 49.359675]  ffff88007542d7c0 ffff88005c290dd8 ffff880077894000 0000000000000000
> [ 49.367971]  ffff8800747aa640 ffff88006928a500 ffff8800785e7d78 ffffffffc0516457
> [ 49.376267]  00000046785e7d48 ffff8800778950e0 ffff8800747aa640 ffff880075438000
> [ 49.384561] Call Trace:
> [ 49.387307]  [<ffffffffc0516457>] rsi_send_probe_request+0x2c7/0x350 [ven_rsi_91x]
> [ 49.395784]  [<ffffffffc0516702>] rsi_scan_start+0x222/0x380 [ven_rsi_91x]
> [ 49.403486]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.409633]  [<ffffffff8109ee4b>] process_one_work+0x16b/0x490
> [ 49.416164]  [<ffffffff8109f1bb>] worker_thread+0x4b/0x4d0
> [ 49.422306]  [<ffffffff8109f170>] ? process_one_work+0x490/0x490
> [ 49.429032]  [<ffffffff810a5587>] kthread+0xe7/0x100
> [ 49.434589]  [<ffffffff818530c1>] ? __schedule+0x301/0x7f0
> [ 49.440731]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> [ 49.448042]  [<ffffffff81857bf5>] ret_from_fork+0x55/0x80
> [ 49.454086]  [<ffffffff810a54a0>] ? kthread_create_on_node+0x1e0/0x1e0
> 
> Signed-off-by: Siva Rebbagondla <siva.rebbagondla at redpinesignals.com>
> ---
>  ubuntu/rsi/rsi_91x_mac80211.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 
> diff --git a/ubuntu/rsi/rsi_91x_mac80211.c b/ubuntu/rsi/rsi_91x_mac80211.c
> index 78702ff24532..f6a075824e60 100644
> --- a/ubuntu/rsi/rsi_91x_mac80211.c
> +++ b/ubuntu/rsi/rsi_91x_mac80211.c
> @@ -216,6 +216,19 @@ static struct reg_map rsi_caracalla_reg_db[MAX_REG_COUNTRIES] = {
>  };
>  #endif
>  
> +static int rsi_validate_mac_addr(struct rsi_common *common, u8 *addr_t)
> +{
> +	u8 addr[ETH_ALEN] = {0};
> +
> +	if (!memcmp(addr, addr_t, ETH_ALEN)) {
> +		ven_rsi_dbg(ERR_ZONE, "%s: MAC addr is NULL\n", __func__);
> +		return -1;
> +	} else if (memcmp(common->mac_addr, addr_t, ETH_ALEN)) {
> +		memcpy(common->mac_addr, addr_t, ETH_ALEN);
> +	}
> +	return 0;
> +}
> +
>  struct ieee80211_vif *rsi_get_vif(struct rsi_hw *adapter, u8 *mac)
>  {
>  	u8 i;
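Review bot: rsi_validate_mac_addr() rejects only the all-zero address, so a broadcast or multicast value in addr_t is still copied into common->mac_addr. `is_valid_ether_addr(addr_t)` from <linux/etherdevice.h> checks zero and multicast in one call, provided the buffer is u16-aligned as that helper requires. The name also hides that the helper rewrites driver state. A header comment such as `/* Rejects an all-zero address; otherwise updates common->mac_addr to addr_t. Returns 0 on success, -1 on rejection. */` and a `const u8 *addr_t` parameter would make the contract visible. The log text says "NULL" although the test is for a zero address, not a NULL pointer.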
> @@ -375,6 +388,8 @@ static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw,
>  	/* Scan already in progress. So return */
>  	if (common->bgscan_en || common->scan_in_prog)
>  		return -EBUSY;
> +	if (rsi_validate_mac_addr(common, vif->addr))
> +		return -ENODEV;
>  
>  	cancel_work_sync(&common->scan_work);
>  	mutex_lock(&common->mutex);
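Review bot: The new rsi_validate_mac_addr() call sits before `mutex_lock(&common->mutex)`, so its memcpy into common->mac_addr is not covered by the lock taken two lines later. The same helper is called from rsi_mac80211_tx() in the next hunk, where no lock is visible either. If other paths read common->mac_addr concurrently (not visible from this hunk), they could observe a partially updated address. Either move the check under the mutex with an unlock on the error path, or add a comment stating why the unlocked write is safe. `-EINVAL` would also describe a rejected address more accurately than `-ENODEV`. The function body starts and ends outside the hunk.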
> @@ -554,6 +569,13 @@ static void rsi_mac80211_tx(struct ieee80211_hw *hw,
>  	struct ieee80211_vif *vif = adapter->vifs[adapter->sc_nvifs - 1];
>  	struct ieee80211_bss_conf *bss = &adapter->vifs[0]->bss_conf;
>  
> +#ifndef CONFIG_VEN_RSI_P2P
> +	if (rsi_validate_mac_addr(common, wlh->addr2)) {
> +		ieee80211_free_txskb(common->priv->hw, skb);
> +		return;
> +	}
> +#endif
> +
>  #ifdef CONFIG_VEN_RSI_WOW
>  	if (common->wow_flags & RSI_WOW_ENABLED) {
>  		ieee80211_free_txskb(common->priv->hw, skb);
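Review bot: The address passed to rsi_validate_mac_addr() here is `wlh->addr2`, so common->mac_addr is rewritten on the per-packet TX path to whatever address that field holds. `wlh` is declared outside the hunk, but is presumably the 802.11 header of the outgoing skb, which would make this the frame's transmitter address. That makes the driver's stored identity follow frame contents rather than the configured interface address. Comparing addr2 against the registered vifs (the file already has `rsi_get_vif(adapter, mac)`) and dropping unmatched frames would keep that state under driver control. The guard is compiled out when CONFIG_VEN_RSI_P2P is set, so that configuration presumably keeps the pre-patch behaviour and should be checked against the oops in the changelog. A comment such as `/* Sync common->mac_addr with the frame's addr2; drop frames whose addr2 is all zero */` would record the intent. The function body starts and ends outside the hunk.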
> -- 
> 2.17.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


