On Wed, Nov 19, 2014 at 12:14 AM, Felix Fietkau <nbd@xxxxxxxxxxx> wrote:
>
> +static void ieee80211_drv_tx(struct ieee80211_local *local,
> +			     struct ieee80211_vif *vif,
> +			     struct ieee80211_sta *pubsta,
> +			     struct sk_buff *skb)
> +{
> +	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
> +	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
> +	struct ieee80211_tx_control control = {
> +		.sta = pubsta
> +	};
> +	struct ieee80211_txq *pubtxq = NULL;
> +	struct txq_info *txq;
> +	u8 ac;
> +
> +	if (ieee80211_is_mgmt(hdr->frame_control) ||
> +	    ieee80211_is_ctl(hdr->frame_control))
> +		goto tx_normal;
> +
> +	if (pubsta) {
> +		u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK;
> +		pubtxq = pubsta->txq[tid];
> +	} else {
> +		pubtxq = vif->txq;
> +	}

In the monitor frame injection tx path the vif pointer may actually be NULL when we get here, see the function __ieee80211_tx(). This causes a NULL pointer dereference crash.

The wperf tool (https://github.com/anyfi/wperf) can be used to reproduce the crash by specifying a BSSID that does not belong to a vif.

The following one-line change in the patch fixes the crash for me:

 	if (pubsta) {
 		u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK;
 		pubtxq = pubsta->txq[tid];
-	} else {
+	} else if (vif) {
 		pubtxq = vif->txq;
 	}

Johan
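Review bot: the `else` branch `pubtxq = vif->txq;` dereferences `vif` unconditionally while `pubsta` is already NULL-guarded on the line above, so any caller that passes `vif == NULL` (the reply names the monitor injection path via __ieee80211_tx()) faults here. The suggested `} else if (vif) {` avoids the dereference but leaves `pubtxq` at its initial `NULL`; that is only safe if the code after this hunk treats a NULL `pubtxq` the same way as the `goto tx_normal` case, which is not visible in the quoted lines and should be confirmed (or made explicit with an `if (!pubtxq) goto tx_normal;` right after the block).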