From 716ca530e1c4515d8683c9d5be3d56b301758b66 Mon Sep 17 00:00:00 2001
From: James <>
Date: Wed, 4 Nov 2015 11:49:21 +0000
Subject: trunk-47381
---
...x-crash-on-mesh-local-link-ID-generation-.patch | 42 ++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
(limited to 'package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch')
diff --git a/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch b/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
new file mode 100644
index 0000000..7424ca4
--- /dev/null
+++ b/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
@@ -0,0 +1,42 @@
+From: Matthias Schiffer
+Date: Sat, 24 Oct 2015 21:25:51 +0200
+Subject: [PATCH] mac80211: fix crash on mesh local link ID generation with
+ VIFs
+
+llid_in_use needs to be limited to stations of the same VIF, otherwise it
+will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
+sta->mesh set.
+
+Steps to reproduce:
+
+ modprobe mac80211_hwsim channels=2
+ iw phy phy0 interface add ibss0 type ibss
+ iw phy phy0 interface add mesh0 type mp
+ iw phy phy1 interface add ibss1 type ibss
+ iw phy phy1 interface add mesh1 type mp
+ ip link set ibss0 up
+ ip link set mesh0 up
+ ip link set ibss1 up
+ ip link set mesh1 up
+ iw dev ibss0 ibss join foo 2412
+ iw dev ibss1 ibss join foo 2412
+ # Ensure that ibss0 and ibss1 are actually associated; I often need to
+ # leave and join the cell on ibss1 a second time.
+ iw dev mesh0 mesh join bar
+ iw dev mesh1 mesh join bar # crash
+
+Signed-off-by: Matthias Schiffer
+---
+
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -686,6 +686,9 @@ static bool llid_in_use(struct ieee80211
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(sta, &local->sta_list, list) {
++ if (sdata != sta->sdata)
++ continue;
++
+ if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
+ in_use = true;
+ break;
-- cgit v1.2.3
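Review bot: The new patch file carries no upstream reference (commit id or mailing-list link) in its header, so a maintainer cannot tell whether the fix has already landed in the bundled mac80211 and the file can be dropped; add a line such as `Upstream: <UPSTREAM-COMMIT-ID-OR-LIST-URL>` (placeholder) under the Subject, before the description. The added guard `if (sdata != sta->sdata) continue;` is the whole fix: per the description, only stations of mesh VIFs have sta->mesh allocated, so the guard must stay ahead of the `memcmp(&sta->mesh->llid, ...)` dereference in the same loop. llid_in_use and its station loop begin and end outside the quoted inner hunk, so the surrounding RCU unlock and return path are not visible here.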