From patchwork Tue May 19 12:37:00 2015
X-Patchwork-Submitter: Michal Kazior
X-Patchwork-Id: 6436741
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Michal Kazior
To: linux-wireless@vger.kernel.org
Cc: johannes@sipsolutions.net, Michal Kazior
Subject: [PATCH 1/2] cfg80211: ignore netif running state when changing iftype
Date: Tue, 19 May 2015 14:37:00 +0200
Message-Id: <1432039021-29666-1-git-send-email-michal.kazior@tieto.com>

This isn't a revert of f8cdddb8d61d ("cfg80211: check iface combinations only when iface is running") as far as functionality is considered because b6a550156bc ("cfg80211/mac80211: move more combination checks to mac80211") moved the logic somewhere else.

It was possible for mac80211 to be coerced into an unexpected flow causing sdata union to become corrupted. Station pointer was put into sdata->u.vlan.sta memory location while it was really master AP's sdata->u.ap.next_beacon. This led to station entry being later freed as CSA beacon before __sta_info_flush() in ieee80211_stop_ap() and a subsequent invalid pointer dereference crash.

The problem was observed with the following test steps:
 1. prepare 2 devices
 2. start hostapd AP with wds_sta=1
 3. connect client with 4addr
 4. disconnect
 5. swap roles & connect
 6. disconnect
 [ During AP (which was a client first) teardown kernel would crash. ]

Fixes: f8cdddb8d61d ("cfg80211: check iface combinations only when iface is running")
Signed-off-by: Michal Kazior
--- net/wireless/util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/util.c b/net/wireless/util.c index 70051ab52f4f..7e4e3fffe7ce 100644 --- a/net/wireless/util.c +++ b/net/wireless/util.c 
@@ -944,7 +944,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev, ntype == NL80211_IFTYPE_P2P_CLIENT)) return -EBUSY; - if (ntype != otype && netif_running(dev)) { + if (ntype != otype) { dev->ieee80211_ptr->use_4addr = false; dev->ieee80211_ptr->mesh_id_up_len = 0; wdev_lock(dev->ieee80211_ptr);
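Review bot: With `netif_running(dev)` dropped from the `if (ntype != otype)` test, the reset of `use_4addr` and `mesh_id_up_len` and everything under `wdev_lock()` now also run for an interface that is down, and the hunk carries no comment saying that this is deliberate. Since the commit message ties the crash to the running-state check added by f8cdddb8d61d, a short comment above the condition (for example, that per-type state is cleared on every type change regardless of running state, so that state left over from the old type cannot survive into the new one) would keep the check from being reintroduced later. It is also worth confirming that the code following `wdev_lock()`, which is cut off in the context shown here, is safe to call on an interface that is not running.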