git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Zhao Li <enderaoelyther@gmail.com>
	Sat, 9 May 2026 04:34:28 +0000 (12:34 +0800)
committer	Johannes Berg <johannes.berg@intel.com>
	Wed, 20 May 2026 09:19:53 +0000 (11:19 +0200)
commit	d71c841be5d9e586ee7f36c0dc8ed4db0d9a1349
tree	e675b041389a8d9176e4750ced7dab182fff294d	tree \| snapshot
parent	fe2d61a5d2849ee75dd4deeb2fe35f78d80721f8	commit \| diff

wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb

ieee80211_invoke_fast_rx() reads RX status through
IEEE80211_SKB_RXCB(skb), which aliases the same skb->cb storage
that ieee80211_rx_mesh_data() reuses as IEEE80211_TX_INFO.  In the
unicast forward path, mesh_data does:

info = IEEE80211_SKB_CB(fwd_skb);
memset(info, 0, sizeof(*info));

on the same skb the caller still names via rx->skb, then either
queues the skb for TX (success) or kfree_skb()'s it (no-route)
before returning RX_QUEUED.  The caller's RX_QUEUED arm then
calls sta_stats_encode_rate(status) on memory that is either
zeroed (success path) or freed (no-route path).  The latter is
KASAN slab-use-after-free in ieee80211_prepare_and_rx_handle.

Fix by encoding the rate from status before invoking
ieee80211_rx_mesh_data(), so the RX_QUEUED arm consumes a value
captured while status was still backed by valid memory.

Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
Link: https://patch.msgid.link/20260509043427.60322-2-enderaoelyther@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>