wifi: mac80211: fix mesh id corruption on 32 bit systems

Since the changed field size was increased to u64, mesh_bss_info_changed
pulls invalid bits from the first 3 bytes of the mesh id, clears them, and
passes them on to ieee80211_link_info_change_notify, because
ifmsh->mbss_changed was not updated to match its size.
Fix this by turning into ifmsh->mbss_changed into an unsigned long array with
64 bit size.

Fixes: 15ddba5f4311 ("wifi: mac80211: consistently use u64 for BSS changes")
Reported-by: Thomas Hühn <thomas.huehn@hs-nordhausen.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20230913050134.53536-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 06bd406..b3d0025 100644 (file)
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -676,7 +676,7 @@ struct ieee80211_if_mesh {
        struct timer_list mesh_path_root_timer;
 
        unsigned long wrkq_flags;
        struct timer_list mesh_path_root_timer;
 
        unsigned long wrkq_flags;

-       unsigned long mbss_changed;
+       unsigned long mbss_changed[64 / BITS_PER_LONG];

 
        bool userspace_handles_dfs;
 
 
        bool userspace_handles_dfs;
 

diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index af8c5fc..e31c312 100644 (file)
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1175,7 +1175,7 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata,
 
        /* if we race with running work, worst case this work becomes a noop */
        for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)
 
        /* if we race with running work, worst case this work becomes a noop */
        for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)

-               set_bit(bit, &ifmsh->mbss_changed);
+               set_bit(bit, ifmsh->mbss_changed);

        set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags);
        wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
 }
        set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags);
        wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
 }


@@ -1257,7 +1257,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
 
        /* clear any mesh work (for next join) we may have accrued */
        ifmsh->wrkq_flags = 0;
 
        /* clear any mesh work (for next join) we may have accrued */
        ifmsh->wrkq_flags = 0;

-       ifmsh->mbss_changed = 0;
+       memset(ifmsh->mbss_changed, 0, sizeof(ifmsh->mbss_changed));

 
        local->fif_other_bss--;
        atomic_dec(&local->iff_allmultis);
 
        local->fif_other_bss--;
        atomic_dec(&local->iff_allmultis);


@@ -1724,9 +1724,9 @@ static void mesh_bss_info_changed(struct ieee80211_sub_if_data *sdata)
        u32 bit;
        u64 changed = 0;
 
        u32 bit;
        u64 changed = 0;
 

-       for_each_set_bit(bit, &ifmsh->mbss_changed,
+       for_each_set_bit(bit, ifmsh->mbss_changed,

                         sizeof(changed) * BITS_PER_BYTE) {
                         sizeof(changed) * BITS_PER_BYTE) {

-               clear_bit(bit, &ifmsh->mbss_changed);
+               clear_bit(bit, ifmsh->mbss_changed);

                changed |= BIT(bit);
        }
 
                changed |= BIT(bit);
        }