[PATCH] mac80211: fix wiphy supported_band access

[PATCH] mac80211: fix wiphy supported_band access

[Lorenzo Bianconi]

Fix wiphy supported_band access in tx radiotap parsing. In particular,
info->band is always set to 0 (IEEE80211_BAND_2GHZ) since it has not
assigned yet. This cause a kernel crash on 5GHz only devices.
Move ieee80211_parse_tx_radiotap() after info->band assignment

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
---
 net/mac80211/tx.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 7bb67fa..b07d037 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1892,10 +1892,6 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
 	info->flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
 		      IEEE80211_TX_CTL_INJECTED;
 
-	/* process and remove the injection radiotap header */
-	if (!ieee80211_parse_tx_radiotap(local, skb))
-		goto fail;
-
 	rcu_read_lock();
 
 	/*
@@ -1957,6 +1953,10 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
 		goto fail_rcu;
 
 	info->band = chandef->chan->band;
+	/* process and remove the injection radiotap header */
+	if (!ieee80211_parse_tx_radiotap(local, skb))
+		goto fail_rcu;
+
 	ieee80211_xmit(sdata, NULL, skb);
 	rcu_read_unlock();
 
-- 
2.5.0

Re: [PATCH] mac80211: fix wiphy supported_band access

[Sven Eckelmann]

[-- Attachment #1: Type: text/plain, Size: 1941 bytes --]

On Wednesday 10 February 2016 16:08:17 Lorenzo Bianconi wrote:
> Fix wiphy supported_band access in tx radiotap parsing. In particular,
> info->band is always set to 0 (IEEE80211_BAND_2GHZ) since it has not
> assigned yet. This cause a kernel crash on 5GHz only devices.
> Move ieee80211_parse_tx_radiotap() after info->band assignment
> 
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>

Thanks for the patch. I really never tested with 5GHz only cards and
forgot to check when info->band is assigned.

Can you please add a line describing which patch this one fixes (I hope
the ids are stable in this tree):

Fixes: 5ec3aed9ba4c ("mac80211: Parse legacy and HT rate in injected frames")

And btw., I am happy about the VHT patches. I should really get some MT76
compatible hardware to test how well AC works with a less annoying firmware.


@Felix, I saw that you've added the original patch to OpenWrt. Can you also
check this patch and maybe add it as fix for OpenWrt? Thanks

Kind regards,
	Sven


> ---
>  net/mac80211/tx.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
> index 7bb67fa..b07d037 100644
> --- a/net/mac80211/tx.c
> +++ b/net/mac80211/tx.c
> @@ -1892,10 +1892,6 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
>  	info->flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
>  		      IEEE80211_TX_CTL_INJECTED;
>  
> -	/* process and remove the injection radiotap header */
> -	if (!ieee80211_parse_tx_radiotap(local, skb))
> -		goto fail;
> -
>  	rcu_read_lock();
>  
>  	/*
> @@ -1957,6 +1953,10 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
>  		goto fail_rcu;
>  
>  	info->band = chandef->chan->band;
> +	/* process and remove the injection radiotap header */
> +	if (!ieee80211_parse_tx_radiotap(local, skb))
> +		goto fail_rcu;
> +
>  	ieee80211_xmit(sdata, NULL, skb);
>  	rcu_read_unlock();
>  
> 

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 819 bytes --]