From 0e41f715c04f85a40ae6531d660be2241717be1c Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 23 Apr 2009 11:48:56 +0200 Subject: [PATCH] mac80211: fix various problems in ibss code There are a few problems in the IBSS code: a) it tries to activate interfaces that are down after scanning b) it crashes after scanning on an IBSS iface that isn't active c) since the ssid_len is used as a flag, need to make it visible only after all other settings are set, this helps protect against b) For b), we get a system crash: wlan0: Creating new IBSS network, BSSID ce:f9:88:76:1e:4d BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<...>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211] Call Trace: [<...>] ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211] Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/ibss.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c index 6030e003180c..895f4854760c 100644 --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c @@ -786,8 +786,12 @@ void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local) mutex_lock(&local->iflist_mtx); list_for_each_entry(sdata, &local->interfaces, list) { + if (!netif_running(sdata->dev)) + continue; if (sdata->vif.type != NL80211_IFTYPE_ADHOC) continue; + if (!sdata->u.ibss.ssid_len) + continue; sdata->u.ibss.last_scan_completed = jiffies; ieee80211_sta_find_ibss(sdata); } @@ -827,9 +831,6 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata, { struct sk_buff *skb; - memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN); - sdata->u.ibss.ssid_len = params->ssid_len; - if (params->bssid) { memcpy(sdata->u.ibss.bssid, params->bssid, ETH_ALEN); sdata->u.ibss.fixed_bssid = true; @@ -859,6 +860,17 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata, sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH; sdata->u.ibss.ibss_join_req = jiffies; + memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN); + + /* + * The ssid_len setting below is used to see whether + * we are active, and we need all other settings + * before that may get visible. + */ + mb(); + + sdata->u.ibss.ssid_len = params->ssid_len; + set_bit(IEEE80211_IBSS_REQ_RUN, &sdata->u.ibss.request); queue_work(sdata->local->hw.workqueue, &sdata->u.ibss.work); -- 2.30.2