linux/net/wireless
Michal Kazior 6cbfb1bb66 cfg80211: ignore netif running state when changing iftype
It was possible for mac80211 to be coerced into an
unexpected flow causing sdata union to become
corrupted. Station pointer was put into
sdata->u.vlan.sta memory location while it was
really master AP's sdata->u.ap.next_beacon. This
led to station entry being later freed as
next_beacon before __sta_info_flush() in
ieee80211_stop_ap() and a subsequent invalid
pointer dereference crash.

The problem was that ieee80211_ptr->use_4addr
wasn't cleared on interface type changes.

This could be reproduced with the following steps:

 # host A and host B have just booted; no
 # wpa_s/hostapd running; all vifs are down
 host A> iw wlan0 set type station
 host A> iw wlan0 set 4addr on
 host A> printf 'interface=wlan0\nssid=4addrcrash\nchannel=1\nwds_sta=1' > /tmp/hconf
 host A> hostapd -B /tmp/conf
 host B> iw wlan0 set 4addr on
 host B> ifconfig wlan0 up
 host B> iw wlan0 connect -w hostAssid
 host A> pkill hostapd
 # host A crashed:

 [  127.928192] BUG: unable to handle kernel NULL pointer dereference at 00000000000006c8
 [  127.929014] IP: [<ffffffff816f4f32>] __sta_info_flush+0xac/0x158
 ...
 [  127.934578]  [<ffffffff8170789e>] ieee80211_stop_ap+0x139/0x26c
 [  127.934578]  [<ffffffff8100498f>] ? dump_trace+0x279/0x28a
 [  127.934578]  [<ffffffff816dc661>] __cfg80211_stop_ap+0x84/0x191
 [  127.934578]  [<ffffffff816dc7ad>] cfg80211_stop_ap+0x3f/0x58
 [  127.934578]  [<ffffffff816c5ad6>] nl80211_stop_ap+0x1b/0x1d
 [  127.934578]  [<ffffffff815e53f8>] genl_family_rcv_msg+0x259/0x2b5

Note: This isn't a revert of f8cdddb8d6
("cfg80211: check iface combinations only when
iface is running") as far as functionality is
considered because b6a550156b ("cfg80211/mac80211:
move more combination checks to mac80211") moved
the logic somewhere else already.

Fixes: f8cdddb8d6 ("cfg80211: check iface combinations only when iface is running")
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-05-29 13:05:40 +02:00
..
.gitignore
Kconfig cfg80211: don't allow disabling WEXT if it's required 2015-04-08 09:19:29 +02:00
Makefile cfg80211: 802.11p OCB mode handling 2014-11-04 13:18:17 +01:00
ap.c cfg80211: export interface stopping function 2014-05-06 15:16:34 +02:00
chan.c cfg80211: change GO_CONCURRENT to IR_CONCURRENT for STA 2015-05-06 15:50:02 +02:00
core.c cfg80211: calls nl80211_exit on error 2015-02-24 11:41:21 +01:00
core.h cfg80211: properly send NL80211_ATTR_DISCONNECTED_BY_AP in disconnect 2015-05-26 15:21:27 +02:00
db.txt
debugfs.c mac80211: fix some snprintf misuses 2013-10-01 12:16:51 +02:00
debugfs.h
ethtool.c cfg80211: make ethtool the driver's responsibility 2014-06-23 11:05:33 +02:00
genregdb.awk wireless: fixup genregdb.awk for remove of antenna gain from wireless-regd 2014-07-21 12:24:20 +02:00
ibss.c Lots of updates for net-next; along with the usual flurry 2015-03-31 16:39:04 -04:00
lib80211.c lib80211: remove unused print_ssid() 2014-10-14 02:18:27 +02:00
lib80211_crypt_ccmp.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_tkip.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_wep.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
mesh.c cfg80211: export interface stopping function 2014-05-06 15:16:34 +02:00
mlme.c cfg80211: add bss_type and privacy arguments in cfg80211_get_bss() 2015-03-03 15:56:01 +01:00
nl80211.c cfg80211: change GO_CONCURRENT to IR_CONCURRENT for STA 2015-05-06 15:50:02 +02:00
nl80211.h cfg80211: allow wiphy specific regdomain management 2014-12-17 11:49:55 +01:00
ocb.c cfg80211: 802.11p OCB mode handling 2014-11-04 13:18:17 +01:00
radiotap.c radiotap: fix bitmap-end-finding buffer overrun 2013-12-16 12:06:43 +01:00
rdev-ops.h cfg80211: pass name_assign_type to rdev_add_virtual_intf() 2015-03-30 10:36:17 +02:00
reg.c cfg80211: change GO_CONCURRENT to IR_CONCURRENT for STA 2015-05-06 15:50:02 +02:00
reg.h cfg80211: Stop calling crda if it is not responsive 2015-04-01 11:22:38 +02:00
regdb.h cfg80211: relicense reg.c reg.h and genregdb.awk to ISC 2012-01-04 14:30:41 -05:00
scan.c cfg80211: add bss_type and privacy arguments in cfg80211_get_bss() 2015-03-03 15:56:01 +01:00
sme.c cfg80211: properly send NL80211_ATTR_DISCONNECTED_BY_AP in disconnect 2015-05-26 15:21:27 +02:00
sysfs.c cfg80211: Switch to PM ops 2015-05-20 15:00:12 +02:00
sysfs.h net: misc: Remove extern from function prototypes 2013-10-19 19:12:11 -04:00
trace.c cfg80211: add tracing to rdev-ops 2012-10-18 10:53:37 +02:00
trace.h Lots of updates for net-next; along with the usual flurry 2015-03-31 16:39:04 -04:00
util.c cfg80211: ignore netif running state when changing iftype 2015-05-29 13:05:40 +02:00
wext-compat.c cfg80211-wext: export symbols only when needed 2015-02-28 21:31:09 +01:00
wext-compat.h cfg80211-wext: export symbols only when needed 2015-02-28 21:31:09 +01:00
wext-core.c wext: include wireless event id when it has a size problem 2012-09-05 16:12:44 +02:00
wext-priv.c wext: fix potential private ioctl memory content leak 2010-09-20 13:41:40 -04:00
wext-proc.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
wext-sme.c wireless: Use eth_<foo>_addr instead of memset 2015-03-03 17:01:38 -05:00
wext-spy.c wireless: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:19 -04:00