From: Johannes Berg <johannes@sipsolutions.net>
To: Michal Kazior <michal.kazior@tieto.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH v2 1/2] cfg80211: ignore netif running state when changing iftype
Date: Fri, 29 May 2015 13:07:22 +0200
Message-ID: <1432897642.2104.4.camel@sipsolutions.net>
In-Reply-To: <1432285043-8878-1-git-send-email-michal.kazior@tieto.com>
On Fri, 2015-05-22 at 10:57 +0200, Michal Kazior wrote:
> It was possible for mac80211 to be coerced into an
> unexpected flow causing sdata union to become
> corrupted. Station pointer was put into
> sdata->u.vlan.sta memory location while it was
> really master AP's sdata->u.ap.next_beacon. This
> led to station entry being later freed as
> next_beacon before __sta_info_flush() in
> ieee80211_stop_ap() and a subsequent invalid
> pointer dereference crash.
>
> The problem was that ieee80211_ptr->use_4addr
> wasn't cleared on interface type changes.
>
> This could be reproduced with the following steps:
>
> # host A and host B have just booted; no
> # wpa_s/hostapd running; all vifs are down
> host A> iw wlan0 set type station
> host A> iw wlan0 set 4addr on
> host A> printf 'interface=wlan0\nssid=4addrcrash\nchannel=1\nwds_sta=1' > /tmp/hconf
> host A> hostapd -B /tmp/conf
> host B> iw wlan0 set 4addr on
> host B> ifconfig wlan0 up
> host B> iw wlan0 connect -w hostAssid
> host A> pkill hostapd
> # host A crashed:
>
> [ 127.928192] BUG: unable to handle kernel NULL pointer dereference at 00000000000006c8
> [ 127.929014] IP: [<ffffffff816f4f32>] __sta_info_flush+0xac/0x158
> ...
> [ 127.934578] [<ffffffff8170789e>] ieee80211_stop_ap+0x139/0x26c
> [ 127.934578] [<ffffffff8100498f>] ? dump_trace+0x279/0x28a
> [ 127.934578] [<ffffffff816dc661>] __cfg80211_stop_ap+0x84/0x191
> [ 127.934578] [<ffffffff816dc7ad>] cfg80211_stop_ap+0x3f/0x58
> [ 127.934578] [<ffffffff816c5ad6>] nl80211_stop_ap+0x1b/0x1d
> [ 127.934578] [<ffffffff815e53f8>] genl_family_rcv_msg+0x259/0x2b5
>
> Note: This isn't a revert of f8cdddb8d61d
> ("cfg80211: check iface combinations only when
> iface is running") as far as functionality is
> considered because b6a550156bc ("cfg80211/mac80211:
> move more combination checks to mac80211") moved
> the logic somewhere else already.
>
> Fixes: f8cdddb8d61d ("cfg80211: check iface combinations only when iface is running")
> Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Applied.
johannes
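A small C model of the union aliasing the quoted commit message describes, added here as an illustration (it is not mac80211 code; `sub_if_data`, `change_iftype_buggy`, `change_iftype_fixed`, `sta_assoc_4addr` and `reproduce` are this model's own names, and it assumes the station-pointer write is gated on `use_4addr` rather than on the interface type). It contrasts a type change that leaves `use_4addr` stale with one that resets it:

```c
#include <string.h>
/* Model of the per-interface struct: a union whose live member depends on
 * the interface type, plus a flag that only some types use. */
enum iftype { IFTYPE_STATION, IFTYPE_AP };
struct sta_info { int id; };
struct sub_if_data {
    enum iftype type;
    int use_4addr;  /* stale across type changes in the buggy variant */
    union {
        struct { struct sta_info *sta; } vlan;  /* AP_VLAN view */
        struct { void *next_beacon; } ap;       /* AP view, same bytes */
    } u;
};

/* Buggy: the type changes but use_4addr keeps its old value. */
static void change_iftype_buggy(struct sub_if_data *sdata, enum iftype t)
{
    sdata->type = t;
    memset(&sdata->u, 0, sizeof(sdata->u));
}

/* Fixed: type-specific state is reset together with the type. */
static void change_iftype_fixed(struct sub_if_data *sdata, enum iftype t)
{
    sdata->type = t;
    sdata->use_4addr = 0;
    memset(&sdata->u, 0, sizeof(sdata->u));
}

/* Model assumption: the sta pointer goes through the VLAN member whenever use_4addr is set. */
static void sta_assoc_4addr(struct sub_if_data *sdata, struct sta_info *sta)
{
    if (sdata->use_4addr)
        sdata->u.vlan.sta = sta;  /* aliases u.ap.next_beacon on an AP */
}

/* 1 if stop_ap would treat the station as next_beacon and free it. */
static int stop_ap_would_free_sta(const struct sub_if_data *sdata, const struct sta_info *sta)
{
    return sdata->type == IFTYPE_AP && sdata->u.ap.next_beacon == (const void *)sta;
}

/* Replays the report: 4addr set as station, switch to AP, station joins. */
static int reproduce(void (*change)(struct sub_if_data *, enum iftype))
{
    struct sub_if_data sdata = { .type = IFTYPE_STATION, .use_4addr = 1 };
    struct sta_info sta = { .id = 1 };
    change(&sdata, IFTYPE_AP);
    sta_assoc_4addr(&sdata, &sta);
    return stop_ap_would_free_sta(&sdata, &sta);
}
```

With the stale flag the station pointer lands in the bytes the AP side reads as `next_beacon`; clearing the flag on the type change leaves that slot untouched.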