wifi: check if socket flags are valid

Checking the SOCK_WIFI_STATUS flag bit in sk_flags may give wrong results
since sk_flags are part of a union and the union is used otherwise. Add
sk_requests_wifi_status() which checks if sk is non-NULL, sk is a full
socket (so flags are valid) and checks the flag bit.

Fixes: 76a853f86c97 ("wifi: free SKBTX_WIFI_STATUS skb tx_flags flag")
Suggested-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Bert Karwatzki <spasswolf@web.de>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Link: https://patch.msgid.link/20250520223430.6875-1-spasswolf@web.de
[edit commit message, fix indentation]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/ath/wil6210/txrx.h b/drivers/net/wireless/ath/wil6210/txrx.h
index 33ccd0b248d4e23379c250644a8c12edc1139e9e..fff8b7f8abc5d925fbb4e73bfab62ac9938caed1 100644 (file)
--- a/drivers/net/wireless/ath/wil6210/txrx.h
+++ b/drivers/net/wireless/ath/wil6210/txrx.h
@@ -617,8 +617,7 @@ static inline bool wil_need_txstat(struct sk_buff *skb)
 {
        const u8 *da = wil_skb_get_da(skb);
 
-       return is_unicast_ether_addr(da) && skb->sk &&
-              sock_flag(skb->sk, SOCK_WIFI_STATUS);
+       return is_unicast_ether_addr(da) && sk_requests_wifi_status(skb->sk);
 }
 
 static inline void wil_consume_skb(struct sk_buff *skb, bool acked)

diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
index 1485f949ad4e07052feee5c5030940c270e74186..7b50a88a18e57328a714cb3d31f6a71b7b9ec322 100644 (file)
--- a/drivers/net/wireless/marvell/mwifiex/main.c
+++ b/drivers/net/wireless/marvell/mwifiex/main.c
@@ -913,8 +913,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
 
        multicast = is_multicast_ether_addr(skb->data);
 
-       if (unlikely(!multicast && skb->sk &&
-                    sock_flag(skb->sk, SOCK_WIFI_STATUS) &&
+       if (unlikely(!multicast && sk_requests_wifi_status(skb->sk) &&
                     priv->adapter->fw_api_ver == MWIFIEX_FW_V15))
                skb = mwifiex_clone_skb_for_tx_status(priv,
                                                      skb,

diff --git a/include/net/sock.h b/include/net/sock.h
index f0fabb9fd28a076961d051d58367f0f5bb03f4bf..75c12e14fc47145fa56e9d9debdf023e130b45d7 100644 (file)
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2821,6 +2821,12 @@ sk_is_refcounted(struct sock *sk)
        return !sk_fullsock(sk) || !sock_flag(sk, SOCK_RCU_FREE);
 }
 
+static inline bool
+sk_requests_wifi_status(struct sock *sk)
+{
+       return sk && sk_fullsock(sk) && sock_flag(sk, SOCK_WIFI_STATUS);
+}
+
 /* Checks if this SKB belongs to an HW offloaded socket
  * and whether any SW fallbacks are required based on dev.
  * Check decrypted mark in case skb_orphan() cleared socket.

diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index a381b4b756eac81c5ac4fee40bcd7dff22b81c80..5cc56d5780483e89ac0b09afc36aa378aed8bf0b 100644 (file)
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -777,7 +777,7 @@ bool ieee80211_mesh_xmit_fast(struct ieee80211_sub_if_data *sdata,
        if (ethertype < ETH_P_802_3_MIN)
                return false;
 
-       if (skb->sk && sock_flag(skb->sk, SOCK_WIFI_STATUS))
+       if (sk_requests_wifi_status(skb->sk))
                return false;
 
        if (skb->ip_summed == CHECKSUM_PARTIAL) {

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 3b9392a6ddb2b5ba5c7c261faf3bfe95dea6d091..d8d4f3d7d7f2388d682916670a938cf283fff9a1 100644 (file)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2859,7 +2859,7 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
        }
 
        if (unlikely(!multicast &&
-                    ((skb->sk && sock_flag(skb->sk, SOCK_WIFI_STATUS)) ||
+                    (sk_requests_wifi_status(skb->sk) ||
                      ctrl_flags & IEEE80211_TX_CTL_REQ_TX_STATUS)))
                info_id = ieee80211_store_ack_skb(local, skb, &info_flags,
                                                  cookie);
@@ -3756,7 +3756,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
                return false;
 
        /* don't handle TX status request here either */
-       if (skb->sk && sock_flag(skb->sk, SOCK_WIFI_STATUS))
+       if (sk_requests_wifi_status(skb->sk))
                return false;
 
        if (hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_QOS_DATA)) {
@@ -4648,7 +4648,7 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
                        memcpy(IEEE80211_SKB_CB(seg), info, sizeof(*info));
        }
 
-       if (unlikely(skb->sk && sock_flag(skb->sk, SOCK_WIFI_STATUS))) {
+       if (unlikely(sk_requests_wifi_status(skb->sk))) {
                info->status_data = ieee80211_store_ack_skb(local, skb,
                                                            &info->flags, NULL);
                if (info->status_data)