-rw-r--r--package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch b/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
new file mode 100644
index 0000000..7424ca4
--- /dev/null
+++ b/package/kernel/mac80211/patches/313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
@@ -0,0 +1,42 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sat, 24 Oct 2015 21:25:51 +0200
+Subject: [PATCH] mac80211: fix crash on mesh local link ID generation with
+ VIFs
+
+llid_in_use needs to be limited to stations of the same VIF, otherwise it
+will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
+sta->mesh set.
+
+Steps to reproduce:
+
+ modprobe mac80211_hwsim channels=2
+ iw phy phy0 interface add ibss0 type ibss
+ iw phy phy0 interface add mesh0 type mp
+ iw phy phy1 interface add ibss1 type ibss
+ iw phy phy1 interface add mesh1 type mp
+ ip link set ibss0 up
+ ip link set mesh0 up
+ ip link set ibss1 up
+ ip link set mesh1 up
+ iw dev ibss0 ibss join foo 2412
+ iw dev ibss1 ibss join foo 2412
+ # Ensure that ibss0 and ibss1 are actually associated; I often need to
+ # leave and join the cell on ibss1 a second time.
+ iw dev mesh0 mesh join bar
+ iw dev mesh1 mesh join bar # crash
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+---
+
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -686,6 +686,9 @@ static bool llid_in_use(struct ieee80211
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(sta, &local->sta_list, list) {
++ if (sdata != sta->sdata)
++ continue;
++
+ if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
+ in_use = true;
+ break;
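Review bot: The added `if (sdata != sta->sdata) continue;` is the whole fix but carries no comment, so a later reader of llid_in_use() sees an unexplained VIF filter in front of a `sta->mesh->llid` dereference and may be tempted to relax it back to a per-phy scan. Put the reason next to the guard, e.g. `/* stations of other VIFs need not have sta->mesh; llid is only unique per mesh VIF */`, so the NULL-deref risk the commit message describes is visible at the point of use. Ordering is correct: the sdata comparison happens before the memcmp touches sta->mesh, which is what this crash requires. The inner hunk only shows the start of the rcu loop in llid_in_use(); the function's signature and its tail (rcu_read_unlock and the return) are outside this hunk, so I am assuming `sdata` is the first parameter visible in the hunk header.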