openwrt/package/kernel/mac80211/patches/subsys/350-v6.3-wifi-mac80211-Allow-NSS-change-only-up-to-capability.patch

From 1b7c710a8e912d54a24742ed5a87a047be64141a Mon Sep 17 00:00:00 2001
From: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Date: Tue, 7 Feb 2023 17:11:46 +0530
Subject: [PATCH 350/351] wifi: mac80211: Allow NSS change only up to
 capability

Stations can update bandwidth/NSS change in
VHT action frame with action type Operating Mode Notification.
(IEEE Std 802.11-2020 - 9.4.1.53 Operating Mode field)

For Operating Mode Notification, an RX NSS change to a value
greater than AP's maximum NSS should not be allowed.
During fuzz testing, by forcefully sending VHT Op. mode notif.
frames from STA with random rx_nss values, it is found that AP
accepts rx_nss values greater that APs maximum NSS instead of
discarding such NSS change.

Hence allow NSS change only up to maximum NSS that is negotiated
and capped to AP's capability during association.

Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Link: https://lore.kernel.org/r/20230207114146.10567-1-quic_ramess@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
(cherry picked from commit 57b341e9ab13e5688491bfd54f8b5502416c8905)
---
 net/mac80211/vht.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -637,7 +637,7 @@ u32 __ieee80211_vht_handle_opmode(struct
 	enum ieee80211_sta_rx_bandwidth new_bw;
 	struct sta_opmode_info sta_opmode = {};
 	u32 changed = 0;
-	u8 nss;
+	u8 nss, cur_nss;
 
 	/* ignore - no support for BF yet */
 	if (opmode & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)
@@ -648,10 +648,25 @@ u32 __ieee80211_vht_handle_opmode(struct
 	nss += 1;
 
 	if (link_sta->pub->rx_nss != nss) {
-		link_sta->pub->rx_nss = nss;
-		sta_opmode.rx_nss = nss;
-		changed |= IEEE80211_RC_NSS_CHANGED;
-		sta_opmode.changed |= STA_OPMODE_N_SS_CHANGED;
+		cur_nss = link_sta->pub->rx_nss;
+		/* Reset rx_nss and call ieee80211_sta_set_rx_nss() which
+		 * will set the same to max nss value calculated based on capability.
+		 */
+		link_sta->pub->rx_nss = 0;
+		ieee80211_sta_set_rx_nss(link_sta);
+		/* Do not allow an nss change to rx_nss greater than max_nss
+		 * negotiated and capped to APs capability during association.
+		 */
+		if (nss <= link_sta->pub->rx_nss) {
+			link_sta->pub->rx_nss = nss;
+			sta_opmode.rx_nss = nss;
+			changed |= IEEE80211_RC_NSS_CHANGED;
+			sta_opmode.changed |= STA_OPMODE_N_SS_CHANGED;
+		} else {
+			link_sta->pub->rx_nss = cur_nss;
+			pr_warn_ratelimited("Ignoring NSS change in VHT Operating Mode Notification from %pM with invalid nss %d",
+					    link_sta->pub->addr, nss);
+		}
 	}
 
 	switch (opmode & IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK) {
mac80211: Fix wifi throughput Backport 2 patches from upstream Linux to fix a Wifi throughput problem. Fixes: 323e249ce8ed ("mac80211: Update to version 6.1.97-1") Link: https://github.com/openwrt/openwrt/pull/16007 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2024-07-26 01:13:51 +02:00			`From 1b7c710a8e912d54a24742ed5a87a047be64141a Mon Sep 17 00:00:00 2001`
			`From: Rameshkumar Sundaram <quic_ramess@quicinc.com>`
			`Date: Tue, 7 Feb 2023 17:11:46 +0530`
			`Subject: [PATCH 350/351] wifi: mac80211: Allow NSS change only up to`
			`capability`

			`Stations can update bandwidth/NSS change in`
			`VHT action frame with action type Operating Mode Notification.`
			`(IEEE Std 802.11-2020 - 9.4.1.53 Operating Mode field)`

			`For Operating Mode Notification, an RX NSS change to a value`
			`greater than AP's maximum NSS should not be allowed.`
			`During fuzz testing, by forcefully sending VHT Op. mode notif.`
			`frames from STA with random rx_nss values, it is found that AP`
			`accepts rx_nss values greater that APs maximum NSS instead of`
			`discarding such NSS change.`

			`Hence allow NSS change only up to maximum NSS that is negotiated`
			`and capped to AP's capability during association.`

			`Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>`
			`Link: https://lore.kernel.org/r/20230207114146.10567-1-quic_ramess@quicinc.com`
			`Signed-off-by: Johannes Berg <johannes.berg@intel.com>`
			`(cherry picked from commit 57b341e9ab13e5688491bfd54f8b5502416c8905)`
			`---`
			`net/mac80211/vht.c \| 25 ++++++++++++++++++++-----`
			`1 file changed, 20 insertions(+), 5 deletions(-)`

			`--- a/net/mac80211/vht.c`
			`+++ b/net/mac80211/vht.c`
			`@@ -637,7 +637,7 @@ u32 __ieee80211_vht_handle_opmode(struct`
			`enum ieee80211_sta_rx_bandwidth new_bw;`
			`struct sta_opmode_info sta_opmode = {};`
			`u32 changed = 0;`
			`- u8 nss;`
			`+ u8 nss, cur_nss;`

			`/* ignore - no support for BF yet */`
			`if (opmode & IEEE80211_OPMODE_NOTIF_RX_NSS_TYPE_BF)`
			`@@ -648,10 +648,25 @@ u32 __ieee80211_vht_handle_opmode(struct`
			`nss += 1;`

			`if (link_sta->pub->rx_nss != nss) {`
			`- link_sta->pub->rx_nss = nss;`
			`- sta_opmode.rx_nss = nss;`
			`- changed \|= IEEE80211_RC_NSS_CHANGED;`
			`- sta_opmode.changed \|= STA_OPMODE_N_SS_CHANGED;`
			`+ cur_nss = link_sta->pub->rx_nss;`
			`+ /* Reset rx_nss and call ieee80211_sta_set_rx_nss() which`
			`+ * will set the same to max nss value calculated based on capability.`
			`+ */`
			`+ link_sta->pub->rx_nss = 0;`
			`+ ieee80211_sta_set_rx_nss(link_sta);`
			`+ /* Do not allow an nss change to rx_nss greater than max_nss`
			`+ * negotiated and capped to APs capability during association.`
			`+ */`
			`+ if (nss <= link_sta->pub->rx_nss) {`
			`+ link_sta->pub->rx_nss = nss;`
			`+ sta_opmode.rx_nss = nss;`
			`+ changed \|= IEEE80211_RC_NSS_CHANGED;`
			`+ sta_opmode.changed \|= STA_OPMODE_N_SS_CHANGED;`
			`+ } else {`
			`+ link_sta->pub->rx_nss = cur_nss;`
			`+ pr_warn_ratelimited("Ignoring NSS change in VHT Operating Mode Notification from %pM with invalid nss %d",`
			`+ link_sta->pub->addr, nss);`
			`+ }`
			`}`

			`switch (opmode & IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK) {`