On Mon, 2015-06-29 at 19:41 +0100, Tom Hughes wrote:
> On 29/06/15 11:28, Tom Hughes wrote:
> > On 29/06/15 11:24, Tom Hughes wrote:
> >
> > > So I think this happens when hostapd switches the interface
> > > to AP mode, which causes the netdev to be torn down and then
> > > recreated, and the debugfs directory along with it.
> > >
> > > Except that if the netlink message to change the mode was
> > > sent from a daemon whose selinux context prevents searching
> > > debugfs the recreation somehow fails and leaves an invalid
> > > state that later causes the null pointer deref.
> >
> > Think I have it...
> >
> > The teardown runs ieee80211_debugfs_remove_netdev
> > which clears sdata->vif.debugfs_dir but does not clear
> > sdata->debugfs.subdir_stations so that when
> > ieee80211_debugfs_add_netdev later fails to create the top level
> > netdev directory we are left with a bogus pointer for the stations
> > directory.
> >
> > Then when we try and add an entry to the stations directory things
> > blow up.
>
> Here's a proposed patch. I have booted 4.0.6 with this applied and so
> far it hasn't failed even with selinux in enforcing mode.
>
> commit 30624496e9f411081d7ea1a407deabe0e32d0c62
> Author: Tom Hughes <tom@xxxxxxxxxx>
> Date: Mon Jun 29 11:31:04 2015 +0100
>
>     Clear subdir_stations when stations directory is removed
>
>     If we don't do this, and we then fail to recreate the debugfs
>     directory during a mode change, then we will fail later trying
>     to add stations to this now bogus directory:
>
>     BUG: unable to handle kernel NULL pointer dereference at 0000006c
>     IP: [<c0a92202>] mutex_lock+0x12/0x30
>     Call Trace:
>     [<c0678ab4>] start_creating+0x44/0xc0
>     [<c0679203>] debugfs_create_dir+0x13/0xf0
>     [<f8a938ae>] ieee80211_sta_debugfs_add+0x6e/0x490 [mac80211]
>
>     Signed-off-by: Tom Hughes <tom@xxxxxxxxxx>
>

Applied.

johannes
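
The failure sequence described in this thread, as a user-space C model added here (it is not mac80211 code and not part of the patch): teardown, a denied recreation, then a station add, with and without clearing the stations pointer. All type and function names are hypothetical, and treating a NULL stations pointer as "skip" is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; every name here is hypothetical, not kernel code. */
struct dir { bool live; };
struct iface {
    struct dir *top;      /* models sdata->vif.debugfs_dir */
    struct dir *stations; /* models sdata->debugfs.subdir_stations */
};
enum sta_result { STA_ADDED, STA_SKIPPED, STA_STALE_USE };
static struct dir pool[8];
static size_t pool_used;

/* Returns NULL when creation is denied (e.g. by policy) or the pool is full. */
static struct dir *dir_create(bool permitted) {
    if (!permitted || pool_used == sizeof(pool) / sizeof(pool[0])) return NULL;
    pool[pool_used].live = true;
    return &pool[pool_used++];
}

static void iface_add(struct iface *i, bool permitted) {
    i->top = dir_create(permitted);
    if (i->top) /* on failure, stations keeps whatever value it had */
        i->stations = dir_create(true);
}

static void iface_remove(struct iface *i, bool clear_stations) {
    if (i->stations) i->stations->live = false; /* removed along with top */
    if (i->top) i->top->live = false;
    i->top = NULL;
    if (clear_stations) i->stations = NULL; /* what the patch title describes */
}

/* Assumption of this model: a NULL stations pointer means "skip". */
static enum sta_result sta_add(const struct iface *i) {
    if (!i->stations) return STA_SKIPPED;
    return i->stations->live ? STA_ADDED : STA_STALE_USE;
}

/* Mode change: tear down, recreation denied, then a station is added. */
static enum sta_result mode_change_then_add(bool clear_stations) {
    struct iface i = { NULL, NULL };
    iface_add(&i, true);
    iface_remove(&i, clear_stations);
    iface_add(&i, false);
    return sta_add(&i);
}

int main(void) { printf("%d %d\n", mode_change_then_add(false), mode_change_then_add(true)); return 0; }
```

The model marks a removed directory as dead instead of freeing it, so the stale access is reported as `STA_STALE_USE` rather than actually dereferencing invalid memory.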