wifi: mac80211: don't use rate mask for offchannel TX either

Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for
scanning"), ignore incorrect settings to avoid no supported rate warning
reported by syzbot.

The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211:
fix default HE tx bitrate mask in 2G band"), which however corrects
bitmask of HE MCS and recognizes correctly settings of empty legacy rate
plus HE MCS rate instead of returning -EINVAL.

As suggestions [1], follow the change of SCAN TX to consider this case of
offchannel TX as well.

[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024

Reported-by: syzbot+8dd98a9e98ee28dc484a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-wireless/000000000000fdef8706191a3f7b@google.com/
Fixes: 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240729074816.20323-1-pkshih@realtek.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 9406f687cffb7e3d142083afa96f5f06f708dde9..de50dc8712c04463ab0b992b14b2b9489599533b 100644 (file)
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -994,8 +994,9 @@ enum mac80211_tx_info_flags {
  *     of their QoS TID or other priority field values.
  * @IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX: first MLO TX, used mostly internally
  *     for sequence number assignment
- * @IEEE80211_TX_CTRL_SCAN_TX: Indicates that this frame is transmitted
- *     due to scanning, not in normal operation on the interface.
+ * @IEEE80211_TX_CTRL_DONT_USE_RATE_MASK: Don't use rate mask for this frame
+ *     which is transmitted due to scanning or offchannel TX, not in normal
+ *     operation on the interface.
  * @IEEE80211_TX_CTRL_MLO_LINK: If not @IEEE80211_LINK_UNSPECIFIED, this
  *     frame should be transmitted on the specific link. This really is
  *     only relevant for frames that do not have data present, and is
@@ -1016,7 +1017,7 @@ enum mac80211_tx_control_flags {
        IEEE80211_TX_CTRL_NO_SEQNO              = BIT(7),
        IEEE80211_TX_CTRL_DONT_REORDER          = BIT(8),
        IEEE80211_TX_CTRL_MCAST_MLO_FIRST_TX    = BIT(9),
-       IEEE80211_TX_CTRL_SCAN_TX               = BIT(10),
+       IEEE80211_TX_CTRL_DONT_USE_RATE_MASK    = BIT(10),
        IEEE80211_TX_CTRL_MLO_LINK              = 0xf0000000,
 };
 

diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index 28d03196ef75a7c15f5244684c6d11202c96d9db..29fab7ae47b4c77236613903641cbd0553a8ca0a 100644 (file)
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -997,6 +997,7 @@ int ieee80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
        }
 
        IEEE80211_SKB_CB(skb)->flags = flags;
+       IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK;
 
        skb->dev = sdata->dev;
 

diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index 4dc1def695486567b486fdada893557752f8df43..3dc9752188d58f1d45654c90d0d69d1b01397728 100644 (file)
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -890,7 +890,7 @@ void ieee80211_get_tx_rates(struct ieee80211_vif *vif,
        if (ieee80211_is_tx_data(skb))
                rate_control_apply_mask(sdata, sta, sband, dest, max_rates);
 
-       if (!(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX))
+       if (!(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK))
                mask = sdata->rc_rateidx_mask[info->band];
 
        if (dest[0].idx < 0)

diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index b5f2df61c7f6716ebac832073687257e13c65e85..1c5d99975ad04df28770225c9cbcfe0371828ed8 100644 (file)
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -649,7 +649,7 @@ static void ieee80211_send_scan_probe_req(struct ieee80211_sub_if_data *sdata,
                                cpu_to_le16(IEEE80211_SN_TO_SEQ(sn));
                }
                IEEE80211_SKB_CB(skb)->flags |= tx_flags;
-               IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_SCAN_TX;
+               IEEE80211_SKB_CB(skb)->control.flags |= IEEE80211_TX_CTRL_DONT_USE_RATE_MASK;
                ieee80211_tx_skb_tid_band(sdata, skb, 7, channel->band);
        }
 }

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 72a9ba8bc5fd9764068e00d42755f3ba922418de..0c79584922cc3bcad797b1abb25fa1f449d2bedd 100644 (file)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -699,7 +699,7 @@ ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx)
        txrc.skb = tx->skb;
        txrc.reported_rate.idx = -1;
 
-       if (unlikely(info->control.flags & IEEE80211_TX_CTRL_SCAN_TX)) {
+       if (unlikely(info->control.flags & IEEE80211_TX_CTRL_DONT_USE_RATE_MASK)) {
                txrc.rate_idx_mask = ~0;
        } else {
                txrc.rate_idx_mask = tx->sdata->rc_rateidx_mask[info->band];