* [PATCH] mac80211: fix crash on mesh local link ID generation with VIFs
@ 2015-10-24 19:25 Matthias Schiffer
  2015-10-24 22:11 ` Matthias Schiffer
  2015-11-03  9:43 ` Johannes Berg
  0 siblings, 2 replies; 3+ messages in thread
From: Matthias Schiffer @ 2015-10-24 19:25 UTC (permalink / raw)
  To: linux-wireless, johannes

llid_in_use needs to be limited to stations of the same VIF, otherwise it
will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
sta->mesh set.

Steps to reproduce:

   modprobe mac80211_hwsim channels=2
   iw phy phy0 interface add ibss0 type ibss
   iw phy phy0 interface add mesh0 type mp
   iw phy phy1 interface add ibss1 type ibss
   iw phy phy1 interface add mesh1 type mp
   ip link set ibss0 up
   ip link set mesh0 up
   ip link set ibss1 up
   ip link set mesh1 up
   iw dev ibss0 ibss join foo 2412
   iw dev ibss1 ibss join foo 2412
   # Ensure that ibss0 and ibss1 are actually associated; I often need to
   # leave and join the cell on ibss1 a second time.
   iw dev mesh0 mesh join bar
   iw dev mesh1 mesh join bar # crash

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
---
Should probably be queued for stable, at least for all kernels containing
"mac80211: move mesh related station fields to own struct" (the bug was
there before, but it didn't crash without that commit).


 net/mac80211/mesh_plink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 5838464..d1224d3 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -677,6 +677,9 @@ static bool llid_in_use(struct ieee80211_sub_if_data *sdata,
 
 	rcu_read_lock();
 	list_for_each_entry_rcu(sta, &local->sta_list, list) {
+		if (sdata != sta->sdata)
+			continue;
+
 		if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
 			in_use = true;
 			break;
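Review bot: the new `if (sdata != sta->sdata) continue;` at the top of the loop body is correctly placed before the `sta->mesh->llid` dereference on the next line, but it encodes an implicit invariant (every station owned by a mesh sdata has `sta->mesh` allocated) that nothing in the code states; a one-line comment above the `continue`, e.g. "stations of other VIFs on this phy share local->sta_list and have no sta->mesh", would make the reason for the filter clear to the next reader of `llid_in_use()`, since the visible context only shows a walk over the phy-wide `local->sta_list`.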
-- 
2.6.2


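A userspace model of the fixed lookup, added here as an example and not code from the kernel or from the patch author: a plain linked list stands in for the RCU walk over local->sta_list, the struct names and the sample stations are invented, and a small counter shows how many stations the pre-fix loop would have read sta->mesh->llid from with sta->mesh == NULL on such a list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the kernel structures (hypothetical, simplified). */
struct sdata { const char *name; };         /* ieee80211_sub_if_data: one VIF */
struct mesh_sta { uint16_t llid; };          /* the mesh-only station fields */
struct sta_info {
	struct sdata *sdata;                 /* VIF this station belongs to */
	struct mesh_sta *mesh;               /* NULL for stations of ibss/sta VIFs */
	struct sta_info *next;               /* replaces the RCU list walk */
};

/* Post-fix lookup: skip stations of other VIFs before touching sta->mesh.
 * Must only be called with a mesh sdata, as in the kernel. */
static bool llid_in_use(const struct sdata *sdata, const struct sta_info *list,
			uint16_t llid)
{
	for (const struct sta_info *sta = list; sta; sta = sta->next) {
		if (sdata != sta->sdata)
			continue;
		if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid)))
			return true;
	}
	return false;
}

/* How many stations the pre-fix loop (no VIF filter) would have read
 * sta->mesh->llid from with sta->mesh == NULL: that is the reported crash. */
static int null_mesh_derefs_without_filter(const struct sta_info *list)
{
	int n = 0;
	for (const struct sta_info *sta = list; sta; sta = sta->next)
		if (!sta->mesh)
			n++;
	return n;
}

/* Constructed sample matching the reproduction steps: one phy carrying an
 * ibss VIF and a mesh VIF, each with a single peer on the shared list. */
static struct sdata ibss0 = { "ibss0" }, mesh0 = { "mesh0" };
static struct mesh_sta mesh_peer_fields = { 0x1234 };
static struct sta_info ibss_peer = { &ibss0, NULL, NULL };
static struct sta_info mesh_peer = { &mesh0, &mesh_peer_fields, &ibss_peer };
static struct sta_info *sta_list = &mesh_peer;
```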

* Re: [PATCH] mac80211: fix crash on mesh local link ID generation with VIFs
  2015-10-24 19:25 [PATCH] mac80211: fix crash on mesh local link ID generation with VIFs Matthias Schiffer
@ 2015-10-24 22:11 ` Matthias Schiffer
  2015-11-03  9:43 ` Johannes Berg
  1 sibling, 0 replies; 3+ messages in thread
From: Matthias Schiffer @ 2015-10-24 22:11 UTC (permalink / raw)
  To: linux-wireless, johannes


On 10/24/2015 09:25 PM, Matthias Schiffer wrote:
> llid_in_use needs to be limited to stations of the same VIF, otherwise it
> will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
> sta->mesh set.
> 
> Steps to reproduce:
> 
>    modprobe mac80211_hwsim channels=2
>    iw phy phy0 interface add ibss0 type ibss
>    iw phy phy0 interface add mesh0 type mp
>    iw phy phy1 interface add ibss1 type ibss
>    iw phy phy1 interface add mesh1 type mp
>    ip link set ibss0 up
>    ip link set mesh0 up
>    ip link set ibss1 up
>    ip link set mesh1 up
>    iw dev ibss0 ibss join foo 2412
>    iw dev ibss1 ibss join foo 2412
>    # Ensure that ibss0 and ibss1 are actually associated; I often need to
>    # leave and join the cell on ibss1 a second time.
>    iw dev mesh0 mesh join bar
>    iw dev mesh1 mesh join bar # crash
> 
> Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
> ---
> Should probably be queued for stable, at least for all kernels containing
> "mac80211: move mesh related station fields to own struct" (the bug was
> there before, but it didn't crash without that commit).
Forget the queuing for stable, I just noticed that the patch didn't hit
Linus' tree before the 4.3 merge window.

> 
> 
>  net/mac80211/mesh_plink.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
> index 5838464..d1224d3 100644
> --- a/net/mac80211/mesh_plink.c
> +++ b/net/mac80211/mesh_plink.c
> @@ -677,6 +677,9 @@ static bool llid_in_use(struct ieee80211_sub_if_data *sdata,
>  
>  	rcu_read_lock();
>  	list_for_each_entry_rcu(sta, &local->sta_list, list) {
> +		if (sdata != sta->sdata)
> +			continue;
> +
>  		if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
>  			in_use = true;
>  			break;
> 





* Re: [PATCH] mac80211: fix crash on mesh local link ID generation with VIFs
  2015-10-24 19:25 [PATCH] mac80211: fix crash on mesh local link ID generation with VIFs Matthias Schiffer
  2015-10-24 22:11 ` Matthias Schiffer
@ 2015-11-03  9:43 ` Johannes Berg
  1 sibling, 0 replies; 3+ messages in thread
From: Johannes Berg @ 2015-11-03  9:43 UTC (permalink / raw)
  To: Matthias Schiffer, linux-wireless

On Sat, 2015-10-24 at 21:25 +0200, Matthias Schiffer wrote:
> llid_in_use needs to be limited to stations of the same VIF, otherwise it
> will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
> sta->mesh set.
> 
Applied, thanks.

johannes

