From: Felix Fietkau <nbd@openwrt.org>
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net
Subject: [PATCH 1/2] mac80211: validate skb->dev in the tx status path
Date: Fri, 7 Sep 2012 16:54:15 +0200
Message-ID: <1347029656-41430-1-git-send-email-nbd@openwrt.org>
skb->dev might contain a stale reference to a device that was already
deleted, and using it unchecked can lead to invalid pointer accesses.
Since this is only used for nl80211 tx, iterate over active interfaces
to find a match for skb->dev, and discard the tx status if the device
is gone.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
---
net/mac80211/status.c | 46 +++++++++++++++++++++++++++++++---------------
1 file changed, 31 insertions(+), 15 deletions(-)
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index b0801b7..6a21562 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -516,30 +516,46 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
}
if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ struct ieee80211_sub_if_data *p2p_sdata;
u64 cookie = (unsigned long)skb;
+ bool found = false;
+
acked = info->flags & IEEE80211_TX_STAT_ACK;
- if (ieee80211_is_nullfunc(hdr->frame_control) ||
- ieee80211_is_qos_nullfunc(hdr->frame_control)) {
- cfg80211_probe_status(skb->dev, hdr->addr1,
- cookie, acked, GFP_ATOMIC);
- } else if (skb->dev) {
- cfg80211_mgmt_tx_status(
- skb->dev->ieee80211_ptr, cookie, skb->data,
- skb->len, acked, GFP_ATOMIC);
- } else {
- struct ieee80211_sub_if_data *p2p_sdata;
+ rcu_read_lock();
+
+ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ if (!sdata->dev)
+ continue;
- rcu_read_lock();
+ if (skb->dev != sdata->dev)
+ continue;
+ found = true;
+ break;
+ }
+
+ if (!skb->dev) {
p2p_sdata = rcu_dereference(local->p2p_sdata);
if (p2p_sdata) {
- cfg80211_mgmt_tx_status(
- &p2p_sdata->wdev, cookie, skb->data,
- skb->len, acked, GFP_ATOMIC);
+ skb->dev = p2p_sdata->dev;
+ found = true;
}
- rcu_read_unlock();
}
+
+ if (!found)
+ skb->dev = NULL;
+ else if (ieee80211_is_nullfunc(hdr->frame_control) ||
+ ieee80211_is_qos_nullfunc(hdr->frame_control)) {
+ cfg80211_probe_status(skb->dev, hdr->addr1,
+ cookie, acked, GFP_ATOMIC);
+ } else {
+ cfg80211_mgmt_tx_status(
+ skb->dev->ieee80211_ptr, cookie, skb->data,
+ skb->len, acked, GFP_ATOMIC);
+ }
+
+ rcu_read_unlock();
}
if (unlikely(info->ack_frame_id)) {
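Review bot: In the new `if (!skb->dev)` branch, `skb->dev = p2p_sdata->dev;` followed by `found = true;` can leave `skb->dev` NULL while the status is still reported. The removed code passed `&p2p_sdata->wdev` in this case rather than going through a netdev, and the new loop itself skips entries with `!sdata->dev`, so an sdata without a netdev is expected here; the final `else` then dereferences `skb->dev->ieee80211_ptr`, and the nullfunc branch hands a NULL dev to `cfg80211_probe_status()`. Suggest keeping the P2P case on its own `cfg80211_mgmt_tx_status(&p2p_sdata->wdev, ...)` call and using `skb->dev` only when the loop actually matched. Separately, the match is by pointer value only, so a short comment explaining why a freed and reallocated net_device cannot alias the stale `skb->dev` would make the validation easier to trust.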
--
1.7.9.6 (Apple Git-31.1)