Home Explore Help
Register Sign In
libreCMC
/
libreCMC
17
18
Fork 12
Files Issues 59 Pull Requests 3 Wiki
Tree: 71a6d1298d
Branches Tags
libreCMC
/
package
/
kernel
/
mac80211
/
patches
/
343-cfg80211-limit-scan-results-cache-size.patch

343-cfg80211-limit-scan-results-cache-size.patch 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150 
  1. From: Johannes Berg <johannes.berg@intel.com>
    2. 

  2. Date: Tue, 15 Nov 2016 12:05:11 +0100
    3. 

  3. Subject: [PATCH] cfg80211: limit scan results cache size
    4. 

  4. 

  5. It's possible to make scanning consume almost arbitrary amounts
    6. 

  6. of memory, e.g. by sending beacon frames with random BSSIDs at
    7. 

  7. high rates while somebody is scanning.
    8. 

  8. 

  9. Limit the number of BSS table entries we're willing to cache to
    10. 

  10. 1000, limiting maximum memory usage to maybe 4-5MB, but lower
    11. 

  11. in practice - that would be the case for having both full-sized
    12. 

  12. beacon and probe response frames for each entry; this seems not
    13. 

  13. possible in practice, so a limit of 1000 entries will likely be
    14. 

  14. closer to 0.5 MB.
    15. 

  15. 

  16. Cc: stable@vger.kernel.org
    17. 

  17. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    18. 

  18. ---
    19. 

  19. 

  20. --- a/net/wireless/core.h
    21. 

  21. +++ b/net/wireless/core.h
    22. 

  22. @@ -71,6 +71,7 @@ struct cfg80211_registered_device {
    23. 

  23.  	struct list_head bss_list;
    24. 

  24.  	struct rb_root bss_tree;
    25. 

  25.  	u32 bss_generation;
    26. 

  26. +	u32 bss_entries;
    27. 

  27.  	struct cfg80211_scan_request *scan_req; /* protected by RTNL */
    28. 

  28.  	struct sk_buff *scan_msg;
    29. 

  29.  	struct cfg80211_sched_scan_request __rcu *sched_scan_req;
    30. 

  30. --- a/net/wireless/scan.c
    31. 

  31. +++ b/net/wireless/scan.c
    32. 

  32. @@ -57,6 +57,19 @@
    33. 

  33.   * also linked into the probe response struct.
    34. 

  34.   */
    35. 

  35.  
    36. 

  36. +/*
    37. 

  37. + * Limit the number of BSS entries stored in mac80211. Each one is
    38. 

  38. + * a bit over 4k at most, so this limits to roughly 4-5M of memory.
    39. 

  39. + * If somebody wants to really attack this though, they'd likely
    40. 

  40. + * use small beacons, and only one type of frame, limiting each of
    41. 

  41. + * the entries to a much smaller size (in order to generate more
    42. 

  42. + * entries in total, so overhead is bigger.)
    43. 

  43. + */
    44. 

  44. +static int bss_entries_limit = 1000;
    45. 

  45. +module_param(bss_entries_limit, int, 0644);
    46. 

  46. +MODULE_PARM_DESC(bss_entries_limit,
    47. 

  47. +                 "limit to number of scan BSS entries (per wiphy, default 1000)");
    48. 

  48. +
    49. 

  49.  #define IEEE80211_SCAN_RESULT_EXPIRE	(30 * HZ)
    50. 

  50.  
    51. 

  51.  static void bss_free(struct cfg80211_internal_bss *bss)
    52. 

  52. @@ -137,6 +150,10 @@ static bool __cfg80211_unlink_bss(struct
    53. 

  53.  
    54. 

  54.  	list_del_init(&bss->list);
    55. 

  55.  	rb_erase(&bss->rbn, &rdev->bss_tree);
    56. 

  56. +	rdev->bss_entries--;
    57. 

  57. +	WARN_ONCE((rdev->bss_entries == 0) ^ list_empty(&rdev->bss_list),
    58. 

  58. +		  "rdev bss entries[%d]/list[empty:%d] corruption\n",
    59. 

  59. +		  rdev->bss_entries, list_empty(&rdev->bss_list));
    60. 

  60.  	bss_ref_put(rdev, bss);
    61. 

  61.  	return true;
    62. 

  62.  }
    63. 

  63. @@ -163,6 +180,40 @@ static void __cfg80211_bss_expire(struct
    64. 

  64.  		rdev->bss_generation++;
    65. 

  65.  }
    66. 

  66.  
    67. 

  67. +static bool cfg80211_bss_expire_oldest(struct cfg80211_registered_device *rdev)
    68. 

  68. +{
    69. 

  69. +	struct cfg80211_internal_bss *bss, *oldest = NULL;
    70. 

  70. +	bool ret;
    71. 

  71. +
    72. 

  72. +	lockdep_assert_held(&rdev->bss_lock);
    73. 

  73. +
    74. 

  74. +	list_for_each_entry(bss, &rdev->bss_list, list) {
    75. 

  75. +		if (atomic_read(&bss->hold))
    76. 

  76. +			continue;
    77. 

  77. +
    78. 

  78. +		if (!list_empty(&bss->hidden_list) &&
    79. 

  79. +		    !bss->pub.hidden_beacon_bss)
    80. 

  80. +			continue;
    81. 

  81. +
    82. 

  82. +		if (oldest && time_before(oldest->ts, bss->ts))
    83. 

  83. +			continue;
    84. 

  84. +		oldest = bss;
    85. 

  85. +	}
    86. 

  86. +
    87. 

  87. +	if (WARN_ON(!oldest))
    88. 

  88. +		return false;
    89. 

  89. +
    90. 

  90. +	/*
    91. 

  91. +	 * The callers make sure to increase rdev->bss_generation if anything
    92. 

  92. +	 * gets removed (and a new entry added), so there's no need to also do
    93. 

  93. +	 * it here.
    94. 

  94. +	 */
    95. 

  95. +
    96. 

  96. +	ret = __cfg80211_unlink_bss(rdev, oldest);
    97. 

  97. +	WARN_ON(!ret);
    98. 

  98. +	return ret;
    99. 

  99. +}
    100. 

  100. +
    101. 

  101.  void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
    102. 

  102.  			   bool send_message)
    103. 

  103.  {
    104. 

  104. @@ -689,6 +740,7 @@ static bool cfg80211_combine_bsses(struc
    105. 

  105.  	const u8 *ie;
    106. 

  106.  	int i, ssidlen;
    107. 

  107.  	u8 fold = 0;
    108. 

  108. +	u32 n_entries = 0;
    109. 

  109.  
    110. 

  110.  	ies = rcu_access_pointer(new->pub.beacon_ies);
    111. 

  111.  	if (WARN_ON(!ies))
    112. 

  112. @@ -712,6 +764,12 @@ static bool cfg80211_combine_bsses(struc
    113. 

  113.  	/* This is the bad part ... */
    114. 

  114.  
    115. 

  115.  	list_for_each_entry(bss, &rdev->bss_list, list) {
    116. 

  116. +		/*
    117. 

  117. +		 * we're iterating all the entries anyway, so take the
    118. 

  118. +		 * opportunity to validate the list length accounting
    119. 

  119. +		 */
    120. 

  120. +		n_entries++;
    121. 

  121. +
    122. 

  122.  		if (!ether_addr_equal(bss->pub.bssid, new->pub.bssid))
    123. 

  123.  			continue;
    124. 

  124.  		if (bss->pub.channel != new->pub.channel)
    125. 

  125. @@ -740,6 +798,10 @@ static bool cfg80211_combine_bsses(struc
    126. 

  126.  				   new->pub.beacon_ies);
    127. 

  127.  	}
    128. 

  128.  
    129. 

  129. +	WARN_ONCE(n_entries != rdev->bss_entries,
    130. 

  130. +		  "rdev bss entries[%d]/list[len:%d] corruption\n",
    131. 

  131. +		  rdev->bss_entries, n_entries);
    132. 

  132. +
    133. 

  133.  	return true;
    134. 

  134.  }
    135. 

  135.  
    136. 

  136. @@ -894,7 +956,14 @@ cfg80211_bss_update(struct cfg80211_regi
    137. 

  137.  			}
    138. 

  138.  		}
    139. 

  139.  
    140. 

  140. +		if (rdev->bss_entries >= bss_entries_limit &&
    141. 

  141. +		    !cfg80211_bss_expire_oldest(rdev)) {
    142. 

  142. +			kfree(new);
    143. 

  143. +			goto drop;
    144. 

  144. +		}
    145. 

  145. +
    146. 

  146.  		list_add_tail(&new->list, &rdev->bss_list);
    147. 

  147. +		rdev->bss_entries++;
    148. 

  148.  		rb_insert_bss(rdev, new);
    149. 

  149.  		found = new;
    150. 

  150.  	}
    151.