From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Miaoqing Pan <miaoqing@codeaurora.org>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 07/11] nl80211: fix null pointer dereference
Date: Wed, 9 Oct 2019 13:06:41 -0400 [thread overview]
Message-ID: <20191009170646.696-7-sashal@kernel.org> (raw)
In-Reply-To: <20191009170646.696-1-sashal@kernel.org>
From: Miaoqing Pan <miaoqing@codeaurora.org>
[ Upstream commit b501426cf86e70649c983c52f4c823b3c40d72a3 ]
If the interface is not in MESH mode, the command 'iw wlanx mpath del'
will cause kernel panic.
The root cause is null pointer access in mpp_flush_by_proxy(), as the
pointer 'sdata->u.mesh.mpp_paths' is NULL for non MESH interface.
Unable to handle kernel NULL pointer dereference at virtual address 00000068
[...]
PC is at _raw_spin_lock_bh+0x20/0x5c
LR is at mesh_path_del+0x1c/0x17c [mac80211]
[...]
Process iw (pid: 4537, stack limit = 0xd83e0238)
[...]
[<c021211c>] (_raw_spin_lock_bh) from [<bf8c7648>] (mesh_path_del+0x1c/0x17c [mac80211])
[<bf8c7648>] (mesh_path_del [mac80211]) from [<bf6cdb7c>] (extack_doit+0x20/0x68 [compat])
[<bf6cdb7c>] (extack_doit [compat]) from [<c05c309c>] (genl_rcv_msg+0x274/0x30c)
[<c05c309c>] (genl_rcv_msg) from [<c05c25d8>] (netlink_rcv_skb+0x58/0xac)
[<c05c25d8>] (netlink_rcv_skb) from [<c05c2e14>] (genl_rcv+0x20/0x34)
[<c05c2e14>] (genl_rcv) from [<c05c1f90>] (netlink_unicast+0x11c/0x204)
[<c05c1f90>] (netlink_unicast) from [<c05c2420>] (netlink_sendmsg+0x30c/0x370)
[<c05c2420>] (netlink_sendmsg) from [<c05886d0>] (sock_sendmsg+0x70/0x84)
[<c05886d0>] (sock_sendmsg) from [<c0589f4c>] (___sys_sendmsg.part.3+0x188/0x228)
[<c0589f4c>] (___sys_sendmsg.part.3) from [<c058add4>] (__sys_sendmsg+0x4c/0x70)
[<c058add4>] (__sys_sendmsg) from [<c0208c80>] (ret_fast_syscall+0x0/0x44)
Code: e2822c02 e2822001 e5832004 f590f000 (e1902f9f)
---[ end trace bbd717600f8f884d ]---
Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Link: https://lore.kernel.org/r/1569485810-761-1-git-send-email-miaoqing@codeaurora.org
[trim useless data from commit message]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 1968998e6c6c2..4c9fc29ee1edf 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4779,6 +4779,9 @@ static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
if (!rdev->ops->del_mpath)
return -EOPNOTSUPP;
+ if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
+ return -EOPNOTSUPP;
+
return rdev_del_mpath(rdev, dev, dst);
}
--
2.20.1
next prev parent reply other threads:[~2019-10-09 17:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-09 17:06 [PATCH AUTOSEL 4.4 01/11] scsi: ufs: skip shutdown if hba is not powered Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 02/11] scsi: megaraid: disable device when probe failed after enabled device Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 03/11] scsi: qla2xxx: Fix unbound sleep in fcport delete path Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 04/11] ARM: OMAP2+: Fix missing reset done flag for am3 and am43 Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 05/11] ARM: dts: am4372: Set memory bandwidth limit for DISPC Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 06/11] kvm: vmx: Limit guest PMCs to those supported on the host Sasha Levin
2019-10-09 17:06 ` Sasha Levin [this message]
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 08/11] mips: Loongson: Fix the link time qualifier of 'serial_exit()' Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 09/11] net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 10/11] namespace: fix namespace.pl script to support relative paths Sasha Levin
2019-10-09 17:06 ` [PATCH AUTOSEL 4.4 11/11] Make filldir[64]() verify the directory entry filename is valid Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191009170646.696-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=miaoqing@codeaurora.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).