stable.vger.kernel.org archive mirror
From: Tom Hughes <tom@compton.nu>
To: Johannes Berg <johannes@sipsolutions.net>,
	linux-wireless@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: Re: Null pointer dereference when station associates [introduced by 4.0.5?]
Date: Mon, 29 Jun 2015 11:24:42 +0100
Message-ID: <55911CEA.7010103@compton.nu>
In-Reply-To: <55911375.3070003@compton.nu>

On 29/06/15 10:44, Tom Hughes wrote:
> On 29/06/15 10:20, Tom Hughes wrote:
>> On 29/06/15 09:30, Tom Hughes wrote:
>>> On 29/06/15 09:14, Johannes Berg wrote:
>>>> On Sat, 2015-06-27 at 16:34 +0100, Tom Hughes wrote:
>>>>>
>>>>> Interestingly from what I can see this is trying to create a file
>>>>> for the station at a path something like:
>>>>>
>>>>> ieee80211/phy0/netdev:XXXX/stations/XXXXXX
>>>>
>>>> indeed.
>>>>
>>>>> but in my (currently working) boot under 4.0.4 there is no netdev
>>>>> directory under phy0 in debugfs... but then maybe that is the problem
>>>>> as well if the inode pointer was null?
>>>>>
>>>>
>>>> This is pretty strange - if the dentry pointer (sdata
>>>> ->debugfs.subdir_stations) was NULL or an ERR_PTR(), the code would
>>>> return pretty much immediately.
>>>>
>>>> So it looks like that pointer is valid, but it's ->d_inode was NULL?
>>>>
>>>> I'm not really sure how that could happen.
>>>
>>> Indeed I'm a bit puzzled...
>>
>> It looks like hostapd has something to do with it... If I stop hostapd and
>> remove ath9k and then reprobe it then the netdev dir appears:
>>
>> gosford [~] % sudo modprobe ath9k
>> gosford [~] % sudo ls /sys/kernel/debug/ieee80211/phy1
>> ath9k			 long_retry_limit  reset	      user_power
>> fragmentation_threshold  netdev:wlp2s0	   rts_threshold      wep_iv
>> ht40allow_map		 power		   short_retry_limit
>> hwflags			 queues		   statistics
>> keys			 rc		   total_ps_buffered
>>
>> Then I start hostapd and it vanishes:
>
> ...and you also need to have selinux in enforcing mode.
>
> It appears hostapd is trying to do something with debugfs and is
> being denied directory search access:

So I think this happens when hostapd switches the interface
to AP mode, which causes the netdev to be torn down and then
recreated, and the debugfs directory along with it.

Except that if the netlink message to change the mode was
sent from a daemon whose selinux context prevents searching
debugfs the recreation somehow fails and leaves an invalid
state that later causes the null pointer deref.

Tom

-- 
Tom Hughes (tom@compton.nu)
http://compton.nu/
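A small userspace model of the failure mode discussed in this thread, added here as an illustration (not kernel code and not the patch that followed): a cached debugfs directory pointer (standing in for sdata->debugfs.subdir_stations) is left in place when the directory is torn down, recreation then fails because the calling process is denied search on debugfs, and the later station-add path dereferences an inode that is no longer there. All struct and function names here are simplified stand-ins; where the real code would oops, the model returns a sentinel so the outcome can be checked.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-ins for the debugfs objects involved; d_inode is the field that
 * ended up NULL in the report. */
struct fake_inode { int unused; };
struct fake_dentry { struct fake_inode *d_inode; };

/* Per-interface state: the cached "stations" directory dentry. */
struct sdata { struct fake_dentry *subdir_stations; };

static struct fake_inode stations_inode;
static struct fake_dentry stations_dir = { &stations_inode };

/* Netdev teardown removes the directory. The buggy variant leaves the
 * cached pointer dangling; the fixed variant clears it. */
static void remove_stations_dir(struct sdata *s, bool clear_pointer)
{
    stations_dir.d_inode = NULL;   /* directory is gone */
    if (clear_pointer)
        s->subdir_stations = NULL; /* the fix: forget the stale dentry */
}

/* Recreate the directory on mode change. If the requester is denied
 * search access on debugfs, nothing is created and nothing is assigned. */
static bool create_stations_dir(struct sdata *s, bool allowed)
{
    if (!allowed)
        return false;
    stations_dir.d_inode = &stations_inode;
    s->subdir_stations = &stations_dir;
    return true;
}

/* Station association: -1 = directory absent (the early return the
 * thread mentions), 0 = usable, -2 = stale dentry (real code would oops). */
static int add_station_file(const struct sdata *s)
{
    if (!s->subdir_stations)
        return -1;
    if (!s->subdir_stations->d_inode)
        return -2;
    return 0;
}

/* Sequence from the report: probe creates the dir, hostapd's mode switch
 * tears it down and tries to recreate it, then a station associates. */
static int scenario(bool clear_on_remove, bool recreate_allowed)
{
    struct sdata s = { NULL };
    create_stations_dir(&s, true);
    remove_stations_dir(&s, clear_on_remove);
    create_stations_dir(&s, recreate_allowed);
    return add_station_file(&s);
}
```

With the pointer cleared on removal, a denied recreate degrades to the safe early return instead of a dereference of a dentry with no inode.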

Thread overview:
     [not found] <558EC27A.60804@compton.nu>
2015-06-29  8:14 ` Null pointer dereference when station associates [introduced by 4.0.5?] Johannes Berg
2015-06-29  8:30   ` Tom Hughes
2015-06-29  9:20     ` Tom Hughes
2015-06-29  9:44       ` Tom Hughes
2015-06-29 10:24         ` Tom Hughes [this message]
2015-06-29 10:28           ` Tom Hughes
2015-06-29 18:41             ` [PATCH] Clear subdir_stations when stations directory is removed (was Re: Null pointer dereference when station associates [introduced by 4.0.5?]) Tom Hughes
2015-07-17  8:53               ` Johannes Berg