On 10/24/2015 09:25 PM, Matthias Schiffer wrote:
> llid_in_use needs to be limited to stations of the same VIF, otherwise it
> will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
> sta->mesh set.
>
> Steps to reproduce:
>
> modprobe mac80211_hwsim channels=2
> iw phy phy0 interface add ibss0 type ibss
> iw phy phy0 interface add mesh0 type mp
> iw phy phy1 interface add ibss1 type ibss
> iw phy phy1 interface add mesh1 type mp
> ip link set ibss0 up
> ip link set mesh0 up
> ip link set ibss1 up
> ip link set mesh1 up
> iw dev ibss0 ibss join foo 2412
> iw dev ibss1 ibss join foo 2412
> # Ensure that ibss0 and ibss1 are actually associated; I often need to
> # leave and join the cell on ibss1 a second time.
> iw dev mesh0 mesh join bar
> iw dev mesh1 mesh join bar # crash
>
> Signed-off-by: Matthias Schiffer <mschiffer@xxxxxxxxxxxxxxxxxxxx>
> ---
> Should probably be queued for stable, at least for all kernels containing
> "mac80211: move mesh related station fields to own struct" (the bug was
> there before, but it didn't crash without that commit).

Forget the queuing for stable, I just noticed that the patch didn't hit
Linus' tree before the 4.3 merge window.

>
> net/mac80211/mesh_plink.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
> index 5838464..d1224d3 100644
> --- a/net/mac80211/mesh_plink.c
> +++ b/net/mac80211/mesh_plink.c
> @@ -677,6 +677,9 @@ static bool llid_in_use(struct ieee80211_sub_if_data *sdata,
>
> rcu_read_lock();
> list_for_each_entry_rcu(sta, &local->sta_list, list) {
> + if (sdata != sta->sdata)
> + continue;
> +
> if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
> in_use = true;
> break;
>
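Review bot: the new `if (sdata != sta->sdata) continue;` is the right guard for the `sta->mesh->llid` dereference, but nothing in the code says why it is there; add a one-line comment above the `continue` stating that stations belonging to other VIFs have `sta->mesh == NULL` and that an LLID only has to be unique within one mesh VIF, so a later cleanup does not drop the check as a harmless optimisation. While this loop is being touched, the context line `if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid)))` would read more clearly as a direct comparison if llid is a plain scalar, but that is pre-existing and belongs in a separate patch.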
Attachment: signature.asc (OpenPGP digital signature)
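The reproduction steps from the quoted report as a script. This is an added example, not part of the original e-mail or of the mac80211 patch: it waits until ibss0 and ibss1 report the same BSSID before the mesh interfaces join, and retries the ibss1 join as the report describes. It assumes root, `mac80211_hwsim` and `iw` are available, and that `iw dev <dev> link` prints `Joined IBSS <bssid> (on <dev>)` for a joined IBSS interface and `Not connected.` otherwise; the sample `iw` output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the original report or patch. Scripted
# reproduction of the llid_in_use crash with an explicit check that both
# IBSS interfaces share a cell before the mesh interfaces join.
# Assumptions: root, mac80211_hwsim and iw installed, and "iw dev <dev> link"
# printing "Joined IBSS <bssid> (on <dev>)" once the interface is in a cell.

# Extract the BSSID from the text of "iw dev <dev> link". Prints the BSSID
# and returns 0 when the interface is joined, prints nothing and returns 1
# otherwise (e.g. for the constructed output "Not connected.").
parse_ibss_bssid() {
    printf '%s\n' "$1" | awk '
        /^Joined IBSS / { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Current BSSID of an interface, or the empty string if not joined.
ibss_bssid() {
    parse_ibss_bssid "$(iw dev "$1" link 2>/dev/null)" || true
}

# Wait up to $3 seconds for $1 and $2 to report the same non-empty BSSID.
# Returns 0 once they do, 1 on timeout.
wait_same_cell() {
    dev_a=$1; dev_b=$2; deadline=$3
    while [ "$deadline" -gt 0 ]; do
        a=$(ibss_bssid "$dev_a"); b=$(ibss_bssid "$dev_b")
        [ -n "$a" ] && [ "$a" = "$b" ] && return 0
        sleep 1; deadline=$((deadline - 1))
    done
    return 1
}

# The reproduction sequence from the report, with the association check
# made explicit. Needs root and an unpatched kernel to show the crash.
reproduce() {
    modprobe mac80211_hwsim channels=2
    iw phy phy0 interface add ibss0 type ibss
    iw phy phy0 interface add mesh0 type mp
    iw phy phy1 interface add ibss1 type ibss
    iw phy phy1 interface add mesh1 type mp
    for dev in ibss0 mesh0 ibss1 mesh1; do ip link set "$dev" up; done
    iw dev ibss0 ibss join foo 2412
    iw dev ibss1 ibss join foo 2412
    # As the report notes, ibss1 sometimes needs a second join before both
    # interfaces share a cell; leave and rejoin a few times before giving up.
    tries=0
    until wait_same_cell ibss0 ibss1 10; do
        tries=$((tries + 1))
        [ "$tries" -lt 3 ] || { echo "ibss0/ibss1 never merged" >&2; return 1; }
        iw dev ibss1 ibss leave
        iw dev ibss1 ibss join foo 2412
    done
    iw dev mesh0 mesh join bar
    iw dev mesh1 mesh join bar   # crashes an unpatched kernel
}

# Only run the reproduction when explicitly asked for (REPRO=1), so the
# helper functions can be sourced or tested without touching the kernel.
if [ "${REPRO:-0}" = 1 ]; then
    reproduce
fi
```

Run as root with `REPRO=1 sh repro.sh` on a kernel without the fix; the association wait is the part the plain command list leaves to the operator, and it is what makes the crash reproduce reliably rather than only when the two hwsim radios happened to merge their cells in time.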