• Mohammed Shafi Shajakhan's avatar
    mac80211: Fix possible sband related NULL pointer de-reference · 21a8e9dd
    Mohammed Shafi Shajakhan authored
    Existing API 'ieee80211_get_sdata_band' returns default 2 GHz band even
    if the channel context configuration is NULL. This crashes for chipsets
    which support 5 Ghz alone when it tries to access members of 'sband'.
    Channel context configuration can be NULL in multivif case and when
    channel switch is in progress (or) when it fails. Fix this by replacing
    the API 'ieee80211_get_sdata_band' with  'ieee80211_get_sband' which
    returns a NULL pointer for sband when the channel configuration is NULL.
    
    An example scenario is as below:
    
    In multivif mode (AP + STA) with drivers like ath10k, when we do a
    channel switch in the AP vif (which has a number of clients connected)
    and a STA vif which is connected to some other AP, when the channel
    switch in AP vif fails, while the STA vifs tries to connect to the
    other AP, there is a window where the channel context is NULL/invalid
    and this results in a crash  while the clients connected to the AP vif
    tries to reconnect and this race is very similar to the one investigated
    by Michal in https://patchwork.kernel.org/patch/3788161/ and this does
    happens with hardware that supports 5Ghz alone after long hours of
    testing with continuous channel switch on the AP vif
    
    ieee80211 phy0: channel context reservation cannot be finalized because
    some interfaces aren't switching
    wlan0: failed to finalize CSA, disconnecting
    wlan0-1: deauthenticating from 8c:fd:f0:01:54:9c by local choice
    	(Reason: 3=DEAUTH_LEAVING)
    
    	WARNING: CPU: 1 PID: 19032 at net/mac80211/ieee80211_i.h:1013 sta_info_alloc+0x374/0x3fc [mac80211]
    	[<bf77272c>] (sta_info_alloc [mac80211])
    	[<bf78776c>] (ieee80211_add_station [mac80211]))
    	[<bf73cc50>] (nl80211_new_station [cfg80211])
    
    	Unable to handle kernel NULL pointer dereference at virtual
    	address 00000014
    	pgd = d5f4c000
    	Internal error: Oops: 17 [#1] PREEMPT SMP ARM
    	PC is at sta_info_alloc+0x380/0x3fc [mac80211]
    	LR is at sta_info_alloc+0x37c/0x3fc [mac80211]
    	[<bf772738>] (sta_info_alloc [mac80211])
    	[<bf78776c>] (ieee80211_add_station [mac80211])
    	[<bf73cc50>] (nl80211_new_station [cfg80211]))
    
    Cc: Michal Kazior <michal.kazior@tieto.com>
    Signed-off-by: default avatarMohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
    Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    21a8e9dd
ieee80211_i.h 68.2 KB