| developer | ec4ebe4 | 2022-04-12 11:17:45 +0800 | [diff] [blame] | 1 | From: Lorenzo Bianconi <lorenzo@kernel.org> |
| 2 | Date: Wed, 3 Nov 2021 18:02:35 +0100 |
| 3 | Subject: [PATCH] cfg80211: fix possible NULL pointer dereference in |
| 4 | cfg80211_stop_offchan_radar_detection |
| 5 | |
| 6 | Fix the following NULL pointer dereference in |
| 7 | cfg80211_stop_offchan_radar_detection routine that occurs when hostapd |
| 8 | is stopped during the CAC on offchannel chain: |
| 9 | |
| 10 | Sat Jan 1 0[ 779.567851] ESR = 0x96000005 |
| 11 | 0:12:50 2000 dae[ 779.572346] EC = 0x25: DABT (current EL), IL = 32 bits |
| 12 | mon.debug hostap[ 779.578984] SET = 0, FnV = 0 |
| 13 | d: hostapd_inter[ 779.583445] EA = 0, S1PTW = 0 |
| 14 | face_deinit_free[ 779.587936] Data abort info: |
| 15 | : num_bss=1 conf[ 779.592224] ISV = 0, ISS = 0x00000005 |
| 16 | ->num_bss=1 |
| 17 | Sat[ 779.597403] CM = 0, WnR = 0 |
| 18 | Jan 1 00:12:50[ 779.601749] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000418b2000 |
| 19 | 2000 daemon.deb[ 779.609601] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 |
| 20 | ug hostapd: host[ 779.619657] Internal error: Oops: 96000005 [#1] SMP |
| 21 | [ 779.770810] CPU: 0 PID: 2202 Comm: hostapd Not tainted 5.10.75 #0 |
| 22 | [ 779.776892] Hardware name: MediaTek MT7622 RFB1 board (DT) |
| 23 | [ 779.782370] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--) |
| 24 | [ 779.788384] pc : cfg80211_chandef_valid+0x10/0x490 [cfg80211] |
| 25 | [ 779.794128] lr : cfg80211_check_station_change+0x3190/0x3950 [cfg80211] |
| 26 | [ 779.800731] sp : ffffffc01204b7e0 |
| 27 | [ 779.804036] x29: ffffffc01204b7e0 x28: ffffff80039bdc00 |
| 28 | [ 779.809340] x27: 0000000000000000 x26: ffffffc008cb3050 |
| 29 | [ 779.814644] x25: 0000000000000000 x24: 0000000000000002 |
| 30 | [ 779.819948] x23: ffffff8002630000 x22: ffffff8003e748d0 |
| 31 | [ 779.825252] x21: 0000000000000cc0 x20: ffffff8003da4a00 |
| 32 | [ 779.830556] x19: 0000000000000000 x18: ffffff8001bf7ce0 |
| 33 | [ 779.835860] x17: 00000000ffffffff x16: 0000000000000000 |
| 34 | [ 779.841164] x15: 0000000040d59200 x14: 00000000000019c0 |
| 35 | [ 779.846467] x13: 00000000000001c8 x12: 000636b9e9dab1c6 |
| 36 | [ 779.851771] x11: 0000000000000141 x10: 0000000000000820 |
| 37 | [ 779.857076] x9 : 0000000000000000 x8 : ffffff8003d7d038 |
| 38 | [ 779.862380] x7 : 0000000000000000 x6 : ffffff8003d7d038 |
| 39 | [ 779.867683] x5 : 0000000000000e90 x4 : 0000000000000038 |
| 40 | [ 779.872987] x3 : 0000000000000002 x2 : 0000000000000004 |
| 41 | [ 779.878291] x1 : 0000000000000000 x0 : 0000000000000000 |
| 42 | [ 779.883594] Call trace: |
| 43 | [ 779.886039] cfg80211_chandef_valid+0x10/0x490 [cfg80211] |
| 44 | [ 779.891434] cfg80211_check_station_change+0x3190/0x3950 [cfg80211] |
| 45 | [ 779.897697] nl80211_radar_notify+0x138/0x19c [cfg80211] |
| 46 | [ 779.903005] cfg80211_stop_offchan_radar_detection+0x7c/0x8c [cfg80211] |
| 47 | [ 779.909616] __cfg80211_leave+0x2c/0x190 [cfg80211] |
| 48 | [ 779.914490] cfg80211_register_netdevice+0x1c0/0x6d0 [cfg80211] |
| 49 | [ 779.920404] raw_notifier_call_chain+0x50/0x70 |
| 50 | [ 779.924841] call_netdevice_notifiers_info+0x54/0xa0 |
| 51 | [ 779.929796] __dev_close_many+0x40/0x100 |
| 52 | [ 779.933712] __dev_change_flags+0x98/0x190 |
| 53 | [ 779.937800] dev_change_flags+0x20/0x60 |
| 54 | [ 779.941628] devinet_ioctl+0x534/0x6d0 |
| 55 | [ 779.945370] inet_ioctl+0x1bc/0x230 |
| 56 | [ 779.948849] sock_do_ioctl+0x44/0x200 |
| 57 | [ 779.952502] sock_ioctl+0x268/0x4c0 |
| 58 | [ 779.955985] __arm64_sys_ioctl+0xac/0xd0 |
| 59 | [ 779.959900] el0_svc_common.constprop.0+0x60/0x110 |
| 60 | [ 779.964682] do_el0_svc+0x1c/0x24 |
| 61 | [ 779.967990] el0_svc+0x10/0x1c |
| 62 | [ 779.971036] el0_sync_handler+0x9c/0x120 |
| 63 | [ 779.974950] el0_sync+0x148/0x180 |
| 64 | [ 779.978259] Code: a9bc7bfd 910003fd a90153f3 aa0003f3 (f9400000) |
| 65 | [ 779.984344] ---[ end trace 0e67b4f5d6cdeec7 ]--- |
| 66 | [ 779.996400] Kernel panic - not syncing: Oops: Fatal exception |
| 67 | [ 780.002139] SMP: stopping secondary CPUs |
| 68 | [ 780.006057] Kernel Offset: disabled |
| 69 | [ 780.009537] CPU features: 0x0000002,04002004 |
| 70 | [ 780.013796] Memory Limit: none |
| 71 | |
| 72 | Fixes: b8f5facf286b ("cfg80211: implement APIs for dedicated radar detection HW") |
| 73 | Reported-by: Evelyn Tsai <evelyn.tsai@mediatek.com> |
| 74 | Tested-by: Evelyn Tsai <evelyn.tsai@mediatek.com> |
| 75 | Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> |
| 76 | Link: https://lore.kernel.org/r/c2e34c065bf8839c5ffa45498ae154021a72a520.1635958796.git.lorenzo@kernel.org |
| 77 | Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| 78 | --- |
| 79 | |
| 80 | --- a/net/wireless/mlme.c |
| 81 | +++ b/net/wireless/mlme.c |
| 82 | @@ -982,6 +982,9 @@ __cfg80211_offchan_cac_event(struct cfg8 |
| 83 | |
| 84 | lockdep_assert_wiphy(&rdev->wiphy); |
| 85 | |
| 86 | + if (!cfg80211_chandef_valid(chandef)) |
| 87 | + return; |
| 88 | + |
| 89 | if (event != NL80211_RADAR_CAC_STARTED && !rdev->offchan_radar_wdev) |
| 90 | return; |
| 91 | |
| 92 | @@ -1096,6 +1099,6 @@ void cfg80211_stop_offchan_radar_detecti |
| 93 | |
| 94 | rdev_set_radar_offchan(rdev, NULL); |
| 95 | |
| 96 | - __cfg80211_offchan_cac_event(rdev, NULL, NULL, |
| 97 | + __cfg80211_offchan_cac_event(rdev, wdev, &rdev->offchan_radar_chandef, |
| 98 | NL80211_RADAR_CAC_ABORTED); |
| 99 | } |