[openwrt/openwrt.git] / package / kernel / mac80211 / patches / 313-mac80211-fix-crash-on-mesh-local-link-ID-generation-.patch
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Sat, 24 Oct 2015 21:25:51 +0200
Subject: [PATCH] mac80211: fix crash on mesh local link ID generation with
 VIFs

llid_in_use needs to be limited to stations of the same VIF, otherwise it
will cause a NULL deref as the sta_info of non-mesh-VIFs don't have
sta->mesh set.

Steps to reproduce:

    modprobe mac80211_hwsim channels=2
    iw phy phy0 interface add ibss0 type ibss
    iw phy phy0 interface add mesh0 type mp
    iw phy phy1 interface add ibss1 type ibss
    iw phy phy1 interface add mesh1 type mp
    ip link set ibss0 up
    ip link set mesh0 up
    ip link set ibss1 up
    ip link set mesh1 up
    iw dev ibss0 ibss join foo 2412
    iw dev ibss1 ibss join foo 2412
    # Ensure that ibss0 and ibss1 are actually associated; I often need to
    # leave and join the cell on ibss1 a second time.
    iw dev mesh0 mesh join bar
    iw dev mesh1 mesh join bar # crash

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
---

31 --- a/net/mac80211/mesh_plink.c
32 +++ b/net/mac80211/mesh_plink.c
33 @@ -686,6 +686,9 @@ static bool llid_in_use(struct ieee80211
34
35 rcu_read_lock();
36 list_for_each_entry_rcu(sta, &local->sta_list, list) {
37 + if (sdata != sta->sdata)
38 + continue;
39 +
40 if (!memcmp(&sta->mesh->llid, &llid, sizeof(llid))) {
41 in_use = true;
42 break;
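
Review bot: The `sta->mesh->llid` dereference directly below the new `sdata != sta->sdata` check in llid_in_use() is still unguarded, so it now depends on an unstated invariant that every station attached to this sdata has sta->mesh allocated. A one-line comment above the check, saying that stations of other VIFs on the same phy (such as the IBSS ones in the reproducer) have no sta->mesh and must be skipped before the memcmp, would keep a later refactor of the loop from reintroducing the NULL deref. The commit message also has no Fixes: tag naming the change that made the walk over local->sta_list cross VIFs, which would help anyone deciding which trees need the backport.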