authorFelix Fietkau <nbd@openwrt.org>2015-11-02 18:26:15 +0000
committerFelix Fietkau <nbd@openwrt.org>2015-11-02 18:26:15 +0000
commit946c7256b6eb19867afed297752acddcb1d222ac (patch)
tree7c4fceb2dfa9546056d87b2fa19d74dc60bdf679 /package/kernel
parentf92acf9810cb10decdae02b3e22dee6aae6854d6 (diff)
mac80211: fix crash when using mesh (11s) VIF together with another VIF
llid_in_use needs to be limited to stations of the same VIF, otherwise it will cause a NULL deref as the sta_info of non-mesh-VIFs don't have sta->mesh set. Steps to reproduce: modprobe mac80211_hwsim channels=2 iw phy phy0 interface add ibss0 type ibss iw phy phy0 interface add mesh0 type mp iw phy phy1 interface add ibss1 type ibss iw phy phy1 interface add mesh1 type mp ip link set ibss0 up ip link set mesh0 up ip link set ibss1 up ip link set mesh1 up iw dev ibss0 ibss join foo 2412 iw dev ibss1 ibss join foo 2412 # Ensure that ibss0 and ibss1 are actually associated; I often need to # leave and join the cell on ibss1 a second time. iw dev mesh0 mesh join bar iw dev mesh1 mesh join bar # crash Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@47364 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/kernel')
-rw-r--r--package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch b/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
new file mode 100644
index 0000000000..7424ca43e2
--- /dev/null
+++ b/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
@@ -0,0 +1,42 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat, 24 Oct 2015 21:25:51 +0200
+Subject: [PATCH] mac80211: fix crash on mesh local link ID generation with
+ VIFs
+
+llid_in_use needs to be limited to stations of the same VIF, otherwise it
+will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
+sta->mesh set.
+
+Steps to reproduce:
+
+ modprobe mac80211_hwsim channels=2
+ iw phy phy0 interface add ibss0 type ibss
+ iw phy phy0 interface add mesh0 type mp
+ iw phy phy1 interface add ibss1 type ibss
+ iw phy phy1 interface add mesh1 type mp
+ ip link set ibss0 up
+ ip link set mesh0 up
+ ip link set ibss1 up
+ ip link set mesh1 up
+ iw dev ibss0 ibss join foo 2412
+ iw dev ibss1 ibss join foo 2412
+ # Ensure that ibss0 and ibss1 are actually associated; I often need to
+ # leave and join the cell on ibss1 a second time.
+ iw dev mesh0 mesh join bar
+ iw dev mesh1 mesh join bar # crash
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+---
+
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -686,6 +686,9 @@ static bool llid_in_use(struct ieee80211
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(sta, &local->sta_list, list) {
++ if (sdata != sta->sdata)
++ continue;
++
+ if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
+ in_use = true;
+ break;
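Review bot: The added `if (sdata != sta->sdata) continue;` guard in llid_in_use has no comment saying that it is what keeps `sta->mesh` from being dereferenced for stations that belong to non-mesh VIFs, so a later cleanup of the loop could drop it and bring the NULL dereference back. I would put `/* sta->mesh is only set for stations of this mesh VIF; skip all others */` directly above the check. The guard is sufficient only if every station on a mesh sdata has `sta->mesh` allocated before it is linked into `local->sta_list`; that is not visible in this hunk and should be confirmed against the station allocation path. llid_in_use starts and ends outside the hunk.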