On 11 March 2014 14:14, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> On Tue, 2014-03-11 at 12:30 +0100, Michal Kazior wrote:
>> On 7 March 2014 08:09, Michal Kazior <michal.kazior@xxxxxxxxx> wrote:
>> > If chanctx is missing on a given vif then the band
>> > is assumed to be 2GHz. However if hw doesn't
>> > support 2GHz band then mac80211 ended up with a
>> > NULL dereference.
>
>> Drop this, please. There are more places that need sband to be
>> NULL-checked. I'll send out a more thorough patch later.
>
> Ok. However, I'm not sure that we should ever really run into this? At
> least with Luca's patches we want to not go through NULL state to start
> with.

Current channel reservation patches do a sequence of
unassign_vif_chanctx() followed by assign_vif_chanctx(). This implies
you have no chanctx for a split second. All places that aren't
protected by chanctx_mtx (i.e. RCU) can get a NULL chanctx during the
reassignment. One way to trigger that would be to spam-call
ieee80211_get_station(). If you get a NULL chanctx and you have
5GHz-only hardware you get a NULL dereference kernel splat.

With multi-vif CSA the vulnerability timeframe will increase.


Michał
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
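As an added illustration, not mac80211 code and not part of the thread: a small C model of the hazard Michał describes. A vif with no chanctx falls back to "assume 2 GHz"; on hardware that has no 2 GHz band the band-table slot is NULL, so a reader that runs in the window between unassign_vif_chanctx() and assign_vif_chanctx() without holding chanctx_mtx would dereference NULL unless the sband is checked. All type and function names here (struct hw, vif_get_sband, reassign_window_would_oops, the demo_* scenarios) are hypothetical stand-ins, and the sample band tables are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the mac80211 hazard, not kernel code. */
enum band { BAND_2GHZ = 0, BAND_5GHZ = 1, NUM_BANDS = 2 };

struct sband   { int n_bitrates; };                 /* a supported band */
struct chanctx { enum band band; };                 /* a channel context */
struct hw      { struct sband *bands[NUM_BANDS]; }; /* NULL slot = unsupported */
struct vif     { struct chanctx *chanctx; };        /* what an RCU reader sees */

/* Band selection as described in the thread: no chanctx means "assume 2 GHz". */
static enum band vif_band(const struct vif *vif)
{
    return vif->chanctx ? vif->chanctx->band : BAND_2GHZ;
}

/* Band-table lookup; returns NULL when the hardware lacks the chosen band. */
static struct sband *vif_get_sband(const struct hw *hw, const struct vif *vif)
{
    return hw->bands[vif_band(vif)];
}

/* An unchecked caller would do sband->n_bitrates directly. Instead of
 * actually crashing, report whether that dereference would hit NULL. */
static bool unchecked_caller_would_oops(const struct hw *hw, const struct vif *vif)
{
    return vif_get_sband(hw, vif) == NULL;
}

/* Hardened caller: NULL-check sband and fail cleanly (-1) instead of oopsing. */
static int count_bitrates_checked(const struct hw *hw, const struct vif *vif)
{
    const struct sband *sband = vif_get_sband(hw, vif);

    if (!sband)
        return -1;
    return sband->n_bitrates;
}

/* Models unassign_vif_chanctx() then assign_vif_chanctx() as seen by a
 * concurrent reader not serialised by chanctx_mtx: between the two calls
 * vif->chanctx is NULL. Runs the unchecked reader in that window and
 * returns whether it would have oopsed; leaves the vif reassigned. */
static bool reassign_window_would_oops(const struct hw *hw, struct vif *vif,
                                       struct chanctx *new_ctx)
{
    bool oops;

    vif->chanctx = NULL;                          /* unassign_vif_chanctx() */
    oops = unchecked_caller_would_oops(hw, vif);  /* reader hits the window */
    vif->chanctx = new_ctx;                       /* assign_vif_chanctx()   */
    return oops;
}

/* Constructed sample hardware for the scenarios below (not real driver data). */

/* 5 GHz-only hardware, vif steadily on a 5 GHz chanctx: lookup works. */
static int demo_5ghz_only_steady(void)
{
    struct sband sb5 = { .n_bitrates = 8 };
    struct hw hw = { .bands = { NULL, &sb5 } };
    struct chanctx ctx = { .band = BAND_5GHZ };
    struct vif vif = { .chanctx = &ctx };

    return count_bitrates_checked(&hw, &vif);
}

/* Same hardware during reassignment: the 2 GHz fallback yields a NULL sband. */
static bool demo_5ghz_only_window_oops(void)
{
    struct sband sb5 = { .n_bitrates = 8 };
    struct hw hw = { .bands = { NULL, &sb5 } };
    struct chanctx ctx = { .band = BAND_5GHZ };
    struct vif vif = { .chanctx = &ctx };

    return reassign_window_would_oops(&hw, &vif, &ctx);
}

/* Same window with the hardened caller: returns -1 rather than oopsing. */
static int demo_5ghz_only_window_checked(void)
{
    struct sband sb5 = { .n_bitrates = 8 };
    struct hw hw = { .bands = { NULL, &sb5 } };
    struct vif vif = { .chanctx = NULL };         /* inside the window */

    return count_bitrates_checked(&hw, &vif);
}

/* Dual-band hardware: the 2 GHz fallback resolves, so the window is harmless. */
static bool demo_dual_band_window_oops(void)
{
    struct sband sb2 = { .n_bitrates = 12 }, sb5 = { .n_bitrates = 8 };
    struct hw hw = { .bands = { &sb2, &sb5 } };
    struct chanctx ctx = { .band = BAND_5GHZ };
    struct vif vif = { .chanctx = &ctx };

    return reassign_window_would_oops(&hw, &vif, &ctx);
}

int main(void)
{
    printf("5GHz-only steady: %d bitrates\n", demo_5ghz_only_steady());
    printf("5GHz-only window, unchecked caller oops: %s\n",
           demo_5ghz_only_window_oops() ? "yes" : "no");
    printf("5GHz-only window, checked caller: %d\n", demo_5ghz_only_window_checked());
    printf("dual-band window, unchecked caller oops: %s\n",
           demo_dual_band_window_oops() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one Michał raises: the window only bites when the fallback band is absent from the hardware's band table, which is why dual-band hardware never showed the splat and why every RCU-side sband lookup, not just one, needs the NULL check until the reassignment no longer passes through a NULL chanctx.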