On Wed, Dec 4, 2013 at 5:35 PM, Yeoh Chun-Yeow <yeohchunyeow@xxxxxxxxx> wrote:
>> #ifdef CONFIG_MAC80211_MESH
>> case NL80211_IFTYPE_MESH_POINT:
>> @@ -3159,12 +3208,18 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
>> if (ifmsh->csa_role == IEEE80211_MESH_CSA_ROLE_NONE)
>> ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_INIT;
>>
>> - err = ieee80211_mesh_csa_beacon(sdata, params,
>> - (ifmsh->csa_role == IEEE80211_MESH_CSA_ROLE_INIT));
>> - if (err < 0) {
>> - ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE;
>> - return err;
>> + if (params->count > 1) {
>> + err = ieee80211_mesh_csa_beacon(sdata, params);
>> + if (err < 0) {
>> + ifmsh->csa_role = IEEE80211_MESH_CSA_ROLE_NONE;
>> + return err;
>> + }
>> + changed |= err;
>> }
>
> Since the ieee80211_mesh_csa_beacon is not called, the kfree_rcu of
> tmp_csa_settings in ieee80211_mesh_finish_csa has caused a kernel oops.
>
> Anyway, I would like to suggest if the params->count is less than 1,
> the mesh channel switch is not triggered since there may be a mesh STA
> located two hops away from the initiator.
>
> if (params->count > 1) {
> .....
> } else
> return -EINVAL;

Maybe try to push the checking of params->count earlier, as follows:

if (params->count < 2)
return -EINVAL;

----
Chun-Yeow
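Review bot: The new "if (params->count > 1)" guard in the NL80211_IFTYPE_MESH_POINT case has no else branch, so a request with count <= 1 falls through with ifmsh->csa_role already set to IEEE80211_MESH_CSA_ROLE_INIT by the two lines above it, while ieee80211_mesh_csa_beacon() never runs. The thread reports that this path then oopses on the kfree_rcu of tmp_csa_settings in ieee80211_mesh_finish_csa. Validate params->count before csa_role is modified and return -EINVAL there, so a rejected request leaves no role state behind. Separately, "changed |= err;" treats the non-negative return of ieee80211_mesh_csa_beacon() as a change-flag mask; a comment at the call site or a distinct variable for the flags would make that contract explicit.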