bes2600: fix concurrency UAF in bes2600_hw_scan and sched_scan

bes2600_bss_info_changed() and bes2600_hw_scan() can run concurrently. The probe-request SKB allocated by ieee80211_probereq_get() before scan.lock + conf_lock are taken can be touched by a concurrent bss_info_changed (via wsm_set_template_frame's path) while we hold no lock. Reorder to acquire both locks BEFORE the SKB allocation. Also reorder cleanup paths so dev_kfree_skb() runs BEFORE up() — otherwise a small window exists where the SKB has been touched but the lock has been released, allowing concurrent code to also touch it. Three sites fixed: - bes2600_hw_scan: lock-take + ENOMEM cleanup + wsm_set_template_frame error cleanup + success-path SKB free + lock release order - bes2600_sched_scan_start (#ifdef ROAM_OFFLOAD): same three sub-fixes (compiled-out at default build, fixed for consistency) - All success/error paths: dev_kfree_skb before up() Backport of cw1200 mainline commit 86760e0dfe36 ("cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()", 2018-12-14), which fixed the identical bug in the same code shape we inherited. That commit was merged from upstream 4f68ef64cd7f. Cherry-picked from upstream Linux: 86760e0dfe36 cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Author: Jia-Ju Bai <baijiaju1990@gmail.com> Link: https://lore.kernel.org/r/20181214035521.7575-1-baijiaju1990@gmail.com
bes2600: fix missing destroy_workqueue() on error in init_common
2026-05-07 21:24:01 +02:00 · 2026-05-07 21:20:46 +02:00 · 2026-05-07 21:19:49 +02:00 · 2026-05-07 10:47:59 +00:00 · 2026-05-07 12:06:46 +02:00
4 changed files with 35 additions and 26 deletions
@@ -101,7 +101,7 @@ void bes2600_unregister_bh(struct bes2600_common *hw_priv)
 	coex_deinit_mode(hw_priv);
 #endif

-	atomic_add(1, &hw_priv->bh_term);
+	atomic_inc(&hw_priv->bh_term);
 	wake_up(&hw_priv->bh_wq);

 	flush_workqueue(hw_priv->bh_workqueue);
@@ -590,7 +590,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_add(1, &hw_priv->bh_rx);
+			atomic_inc(&hw_priv->bh_rx);
 			continue;
 		}

@@ -758,9 +758,9 @@ tx:

 #if 0 /* count is not implemented */
 				if (ret > 1)
-					atomic_add(1, &hw_priv->bh_tx);
+					atomic_inc(&hw_priv->bh_tx);
 #else
-				atomic_add(1, &hw_priv->bh_tx);
+				atomic_inc(&hw_priv->bh_tx);
 #endif

 #if defined(CONFIG_BES2600_NON_POWER_OF_TWO_BLOCKSIZES)
@@ -1134,7 +1134,7 @@ static int bes2600_bh_tx_helper(struct bes2600_common *hw_priv,
 	tx_len += 4;
 #endif

-	atomic_add(1, &hw_priv->bh_tx);
+	atomic_inc(&hw_priv->bh_tx);

 	tx_len = hw_priv->sbus_ops->align_size(
 		hw_priv->sbus_priv, tx_len);
@@ -1435,7 +1435,7 @@ static int bes2600_bh(void *arg)
 			bes_devel("[BH] Device resume.\n");
 			atomic_set(&hw_priv->bh_suspend, BES2600_BH_RESUMED);
 			wake_up(&hw_priv->bh_evt_wq);
-			atomic_add(1, &hw_priv->bh_rx);
+			atomic_inc(&hw_priv->bh_rx);
 			goto done;
 		}

@@ -570,7 +570,7 @@ int bes2600_itp_get_tx(struct bes2600_common *priv, u8 **data,
 	*burst = 2;
 	atomic_set(&priv->bh_tx, 1);
 	ktime_get_ts(&itp->last_sent);
-	atomic_add(1, &itp->awaiting_confirm);
+	atomic_inc(&itp->awaiting_confirm);
 	spin_unlock_bh(&itp->tx_lock);
 	return 1;

@@ -497,6 +497,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 			WLAN_LINK_ID_MAX,
 			bes2600_skb_dtor,
 			hw_priv))) {
+		destroy_workqueue(hw_priv->workqueue);
 		ieee80211_free_hw(hw);
 		return NULL;
 	}
@@ -508,6 +509,7 @@ static struct ieee80211_hw *bes2600_init_common(size_t hw_priv_data_len)
 			for (; i > 0; i--)
 				bes2600_queue_deinit(&hw_priv->tx_queue[i - 1]);
 			bes2600_queue_stats_deinit(&hw_priv->tx_queue_stats);
+			destroy_workqueue(hw_priv->workqueue);
 			ieee80211_free_hw(hw);
 			return NULL;
 		}
@@ -257,18 +257,21 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,

 	bes2600_pwr_set_busy_event(hw_priv, BES_PWR_LOCK_ON_SCAN);

-	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
-		req->ie_len);
-	if (!frame.skb)
-		return -ENOMEM;
-
-	if (req->ie_len)
-		skb_put_data(frame.skb, req->ie, req->ie_len);
-
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);

+	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+		req->ie_len);
+	if (!frame.skb) {
+		up(&hw_priv->conf_lock);
+		up(&hw_priv->scan.lock);
+		return -ENOMEM;
+	}
+
+	if (req->ie_len)
+		skb_put_data(frame.skb, req->ie, req->ie_len);
+
 	if (frame.skb) {
 		int ret;
 		//if (priv->if_id == 0)
@@ -286,9 +289,9 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		}
 #endif
 		if (ret) {
+			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
-			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -318,10 +321,10 @@ int bes2600_hw_scan(struct ieee80211_hw *hw,
 		++hw_priv->scan.n_ssids;
 	}

-	up(&hw_priv->conf_lock);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+
+	up(&hw_priv->conf_lock);
 #ifdef WIFI_BT_COEXIST_EPTA_ENABLE
 	bwifi_change_current_status(hw_priv, BWIFI_STATUS_SCANNING);
 #endif
@@ -362,14 +365,18 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 	if (req->n_ssids > hw->wiphy->max_scan_ssids)
 		return -EINVAL;

-	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
-		req->ie_len);
-	if (!frame.skb)
-		return -ENOMEM;
-
 	/* will be unlocked in bes2600_scan_work() */
 	down(&hw_priv->scan.lock);
 	down(&hw_priv->conf_lock);
+
+	frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0,
+		req->ie_len);
+	if (!frame.skb) {
+		up(&hw_priv->conf_lock);
+		up(&hw_priv->scan.lock);
+		return -ENOMEM;
+	}
+
 	if (frame.skb) {
 		int ret;
 		if (priv->if_id == 0)
@@ -380,9 +387,9 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 			ret = wsm_set_probe_responder(priv, true);
 		}
 		if (ret) {
+			dev_kfree_skb(frame.skb);
 			up(&hw_priv->conf_lock);
 			up(&hw_priv->scan.lock);
-			dev_kfree_skb(frame.skb);
 			return ret;
 		}
 	}
@@ -414,10 +421,10 @@ int bes2600_hw_sched_scan_start(struct ieee80211_hw *hw,
 		}
 	}

-	up(&hw_priv->conf_lock);
-
 	if (frame.skb)
 		dev_kfree_skb(frame.skb);
+
+	up(&hw_priv->conf_lock);
 	queue_work(hw_priv->workqueue, &hw_priv->scan.swork);
 	wiphy_warn(hw->wiphy, "<--[SCAN] Scheduled scan request.\n");
 	return 0;
Author	SHA1	Message	Date
test0r	b717251598	bes2600: fix concurrency UAF in bes2600_hw_scan and sched_scan bes2600_bss_info_changed() and bes2600_hw_scan() can run concurrently. The probe-request SKB allocated by ieee80211_probereq_get() before scan.lock + conf_lock are taken can be touched by a concurrent bss_info_changed (via wsm_set_template_frame's path) while we hold no lock. Reorder to acquire both locks BEFORE the SKB allocation. Also reorder cleanup paths so dev_kfree_skb() runs BEFORE up() — otherwise a small window exists where the SKB has been touched but the lock has been released, allowing concurrent code to also touch it. Three sites fixed: - bes2600_hw_scan: lock-take + ENOMEM cleanup + wsm_set_template_frame error cleanup + success-path SKB free + lock release order - bes2600_sched_scan_start (#ifdef ROAM_OFFLOAD): same three sub-fixes (compiled-out at default build, fixed for consistency) - All success/error paths: dev_kfree_skb before up() Backport of cw1200 mainline commit 86760e0dfe36 ("cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()", 2018-12-14), which fixed the identical bug in the same code shape we inherited. That commit was merged from upstream 4f68ef64cd7f. Cherry-picked from upstream Linux: 86760e0dfe36 cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Author: Jia-Ju Bai <baijiaju1990@gmail.com> Link: https://lore.kernel.org/r/20181214035521.7575-1-baijiaju1990@gmail.com	2026-05-07 21:24:01 +02:00
test0r	65a4c39914	bes2600: fix missing destroy_workqueue() on error in init_common Two error paths between create_singlethread_workqueue() (~main.c:489) and the success-path destroy_workqueue() in unregister_common (~609) return without cleaning up the workqueue, leaking it on probe failure: 1. bes2600_queue_stats_init() failure 2. bes2600_queue_init() failure (any of the 4 TID queues) Both call ieee80211_free_hw(hw); return NULL — without first destroy_workqueue(hw_priv->workqueue). Add it. Backport of cw1200 mainline commit 7ec8a926188e ("cw1200: fix missing destroy_workqueue() on error in cw1200_init_common", 2020-11-19), which fixed the identical bug in the same code shape we inherited. Reported on cw1200 by Hulk Robot. Cherry-picked from upstream Linux: 7ec8a926188e cw1200: fix missing destroy_workqueue() on error Author: Qinglang Miao <miaoqinglang@huawei.com> Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201119070842.1011-1-miaoqinglang@huawei.com Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")	2026-05-07 21:20:46 +02:00
test0r	4bc0a34c94	bes2600: replace a set of atomic_add() Backport of cw1200 mainline commit 07f995ca1951 ("cw1200: replace a set of atomic_add()", 2020-11-10). atomic_inc() reads more naturally than atomic_add(1, &x). Mechanical change, no functional impact. 7 sites: 6 in bh.c (bh_term, bh_rx x2, bh_tx x3) and 1 in itp.c (awaiting_confirm). Two of the bh_rx and three of the bh_tx sites are inside the cw1200-ancestor #if 0 block; replaced anyway to keep the file consistent with cw1200 mainline source style. Cherry-picked from upstream Linux: 07f995ca1951 cw1200: replace a set of atomic_add() Author: Yejune Deng <yejune.deng@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1604991491-27908-1-git-send-email-yejune.deng@gmail.com	2026-05-07 21:19:49 +02:00
claude-noether	90f50b375f	Merge pull request #2 : bes2600: bus_reset on connection-loss storm to dodge assoc-comeback blackhole	2026-05-07 10:47:59 +00:00
claude-noether	f2cf586f89	bes2600: bus_reset on connection-loss storm to dodge assoc-comeback blackhole When mac80211 declares connection loss against this AP (typically driven by inactivity-deauth or beacon-loss), the userspace reauth that follows sometimes enters a long blackhole: the AP responds to auth with success but defers assoc with the 802.11v "assoc comeback" timer; ohm retries faster than the comeback grants permission; the AP eventually fires an unprotected deauth-reason-6 ("Class 2 frame received from non- authenticated station"), and recovery only completes via cross-SSID or cross-channel fallback. Receipts: ~86 s blackhole observed in the phase-7 rep on 2026-05-07 02:42, with three subsequent BSSIDs returning assoc comeback timeouts before reason-9 (STA_REQ_ASSOC_WITHOUT_AUTH) fired. Documented in marfrit/besser:notes/phase4-2026-05-07.md. When N=3 driver-side connection_loss decisions fire within a 60 s window on the same vif, skip the ieee80211_connection_loss() path and trigger the c5.2-introduced bes2600_chrdev_do_bus_reset() instead. The bus reset removes and re-probes the chip; userspace re-associates with a fresh chip state, dodging the AP's comeback-timer rejection cycle. Predicted Phase 7 delta vs current baseline: - api_connection_loss rate: unchanged (we don't address the trigger) - conditional probability of >5 s blackhole given event: <= 30 % - worst-case recovery: 86 s -> < 10 s Contract pin: bes2600_chrdev_do_bus_reset(sbus_ops, sbus_priv) at bes2600/bes_chardev.c:455, introduced by c5.2. The function is async- returning: sbus_ops->bus_reset() schedules an SDIO rescan; the helper waits up to 3 s for the remove() callback to clear sbus_priv, then returns. Per-vif state is gone after this point, so the recover work lives on bes2600_common (hw_priv) and uses the global bes2600_cdev for the bus_reset call rather than dereferencing per-vif state. Threshold (3 / 60 s) is well above the steady-state per-vif connection_loss rate observed in the patch-A phase-7 rep (0.86/h under sustained load), so a true storm is required to trip it. Files touched: - bes2600/bes2600.h: 3 counter fields on struct bes2600_vif, 1 work_struct on struct bes2600_common, 3 prototypes - bes2600/sta.c: 3 helpers + storm-account hook in bes2600_connection_loss_work + storm-init in bes2600_vif_setup + cancel_work_sync in the hw_priv shutdown path; #include bes_chardev.h was already pulled in by an earlier c-stack patch - bes2600/main.c: INIT_WORK alongside other hw_priv work_structs - bes2600/debug.c: ConnectionLossStormRecoveries seq_printf in the per-vif status seq_file output The cw1200/cw1260 ancestor has no equivalent; this is a clean addition. checkpatch.pl --no-tree --strict: clean (0/0/0). Signed-off-by: Claude (noether) <claude@reauktion.de>	2026-05-07 12:06:46 +02:00