2013-04-19 09:20:47

by Cedric VONCKEN

Subject: [PATCH] mac80211: Fix driver crash when STA_NOTIFY_AWAKE occurs

If the device uses the HT mode and receives a frame from a sta with state < IEEE80211_STA_ASSOC
then the null pointer exception crashes the Linux kernel.

In the case of ath9k, the function ath_tx_node_init is indirectly called by drv_sta_state (in net/mac80211/driver-ops.h) only when the sta_state goes to IEEE80211_STA_ASSOC from IEEE80211_STA_AUTH.

Signed-off-by: cedric VONCKEN <[email protected]>
---
net/mac80211/sta_info.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 11216bc..bcfd7b0 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1040,7 +1040,8 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
BUILD_BUG_ON(BITS_TO_LONGS(IEEE80211_NUM_TIDS) > 1);
sta->driver_buffered_tids = 0;

- if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
+ if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS &&
+ sta->sta_state >= IEEE80211_STA_ASSOC))
drv_sta_notify(local, sdata, STA_NOTIFY_AWAKE, &sta->sta);

skb_queue_head_init(&pending);
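Review bot: the new condition on the lines `+ if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS &&` / `+ sta->sta_state >= IEEE80211_STA_ASSOC))` inverts the intended logic. Because `&` binds tighter than `&&`, the expression parses as `!((local->hw.flags & IEEE80211_HW_AP_LINK_PS) && (sta->sta_state >= IEEE80211_STA_ASSOC))`, so drv_sta_notify() is now called whenever the hardware lacks IEEE80211_HW_AP_LINK_PS or the station is below ASSOC. For the case the commit message describes (station not yet associated) the notification is still sent, and on hardware that has IEEE80211_HW_AP_LINK_PS this is a regression, since an unassociated station now triggers a notify the old code never sent. The check that matches the description is `if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS) && sta->sta_state >= IEEE80211_STA_ASSOC)`. A comment explaining how a station below ASSOC reaches ieee80211_sta_ps_deliver_wakeup() at all would also help, since the hunk guards that path without documenting it.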
--
1.7.2.5
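As an added illustration, not part of this patch or of the mac80211/ath9k source: the C model below reproduces the situation the commit message describes (the driver's per-station data is created only on the AUTH -> ASSOC transition) and evaluates the patch's new condition side by side with the original one and with the one the description intends. The state names follow the kernel's enum ieee80211_sta_state; the structs, the HW_AP_LINK_PS bit, sta_set_state() and wakeup_crashes_at() are simplified stand-ins assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added model, not mac80211 or ath9k code. State names follow the kernel's
 * enum ieee80211_sta_state; structs and the flag bit are assumed stand-ins. */
enum sta_state {
    STA_NOTEXIST,
    STA_NONE,
    STA_AUTH,
    STA_ASSOC,
    STA_AUTHORIZED,
};

#define HW_AP_LINK_PS (1u << 0)   /* stands in for IEEE80211_HW_AP_LINK_PS */

struct driver_node {              /* stands in for the driver's per-sta data */
    int tx_initialized;
};

struct sta {
    enum sta_state state;
    struct driver_node *drv;      /* NULL until the driver initialises it */
};

static struct driver_node node_storage;

/* The driver creates its per-station data only on AUTH -> ASSOC (what the
 * commit message describes for ath_tx_node_init); below ASSOC, drv is NULL. */
void sta_set_state(struct sta *sta, enum sta_state new_state)
{
    if (sta->state == STA_AUTH && new_state == STA_ASSOC) {
        node_storage.tx_initialized = 1;
        sta->drv = &node_storage;
    }
    sta->state = new_state;
}

/* Condition before the patch. */
bool notify_awake_original(unsigned flags, enum sta_state state)
{
    (void)state;
    return !(flags & HW_AP_LINK_PS);
}

/* Condition exactly as the patch writes it. '&' binds tighter than '&&', so
 * this is !((flags & PS) && (state >= ASSOC)): the driver is notified when
 * the hardware lacks AP_LINK_PS *or* the station is below ASSOC. */
bool notify_awake_as_patched(unsigned flags, enum sta_state state)
{
    return !(flags & HW_AP_LINK_PS && state >= STA_ASSOC);
}

/* Condition the commit message intends: old flag test AND associated. */
bool notify_awake_intended(unsigned flags, enum sta_state state)
{
    return !(flags & HW_AP_LINK_PS) && state >= STA_ASSOC;
}

/* Walk a fresh station from NONE up to 'target', then report whether a
 * STA_NOTIFY_AWAKE delivered under 'cond' would reach the driver with a
 * station it has never initialised (the NULL dereference in the report). */
bool wakeup_crashes_at(bool (*cond)(unsigned, enum sta_state),
                       unsigned flags, enum sta_state target)
{
    struct sta sta = { .state = STA_NONE, .drv = NULL };
    int s;

    for (s = STA_AUTH; s <= (int)target; s++)
        sta_set_state(&sta, (enum sta_state)s);

    if (!cond(flags, sta.state))
        return false;             /* driver not called, nothing to crash */
    return sta.drv == NULL;       /* called: safe only once initialised */
}

int main(void)
{
    const char *names[] = { "original", "as patched", "intended" };
    bool (*conds[])(unsigned, enum sta_state) = {
        notify_awake_original, notify_awake_as_patched, notify_awake_intended
    };
    unsigned flag_cases[] = { 0, HW_AP_LINK_PS };
    int i, f;

    for (i = 0; i < 3; i++)
        for (f = 0; f < 2; f++)
            printf("%-10s AP_LINK_PS=%u  crash(AUTH)=%d  crash(ASSOC)=%d\n",
                   names[i], flag_cases[f] ? 1u : 0u,
                   wakeup_crashes_at(conds[i], flag_cases[f], STA_AUTH),
                   wakeup_crashes_at(conds[i], flag_cases[f], STA_ASSOC));
    return 0;
}
```

Compiled stand-alone it prints, for each condition and flag setting, whether a wakeup for a station in AUTH or ASSOC would reach the driver uninitialised: the as-patched row still crashes for AUTH, and on AP_LINK_PS hardware it notifies for an unassociated station, which the original never did, while the intended form is the only one that is safe in every case.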



2013-04-22 14:09:47

by Cedric VONCKEN

Subject: RE: [PATCH] mac80211: Fix driver crash when STA_NOTIFY_AWAKE occurs

Any comment on my patch?

Cedric Voncken


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On behalf of cedric voncken
Sent: Friday, 19 April 2013 11:21
To: [email protected]
Cc: cedric voncken
Subject: [PATCH] mac80211: Fix driver crash when STA_NOTIFY_AWAKE occurs

If the device uses the HT mode and receives a frame from a sta with state <
IEEE80211_STA_ASSOC then the null pointer exception crashes the Linux
kernel.

In the case of ath9k, the function ath_tx_node_init is indirectly called by
drv_sta_state (in net/mac80211/driver-ops.h) only when the sta_state goes to
IEEE80211_STA_ASSOC from IEEE80211_STA_AUTH.

Signed-off-by: cedric VONCKEN <[email protected]>
---
net/mac80211/sta_info.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index
11216bc..bcfd7b0 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1040,7 +1040,8 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info
*sta)
BUILD_BUG_ON(BITS_TO_LONGS(IEEE80211_NUM_TIDS) > 1);
sta->driver_buffered_tids = 0;

- if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
+ if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS &&
+ sta->sta_state >= IEEE80211_STA_ASSOC))
drv_sta_notify(local, sdata, STA_NOTIFY_AWAKE, &sta->sta);

skb_queue_head_init(&pending);
--
1.7.2.5

2013-04-22 13:54:47

by Johannes Berg

Subject: Re: [PATCH] mac80211: Fix driver crash when STA_NOTIFY_AWAKE occurs

On Fri, 2013-04-19 at 11:20 +0200, cedric voncken wrote:
> If the device uses the HT mode and receives a frame from a sta with state < IEEE80211_STA_ASSOC
> then the null pointer exception crashes the Linux kernel.
>
> In the case of ath9k, the function ath_tx_node_init is indirectly called by drv_sta_state (in net/mac80211/driver-ops.h) only when the sta_state goes to IEEE80211_STA_ASSOC from IEEE80211_STA_AUTH.
>
> Signed-off-by: cedric VONCKEN <[email protected]>
> ---
> net/mac80211/sta_info.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
> index 11216bc..bcfd7b0 100644
> --- a/net/mac80211/sta_info.c
> +++ b/net/mac80211/sta_info.c
> @@ -1040,7 +1040,8 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
> BUILD_BUG_ON(BITS_TO_LONGS(IEEE80211_NUM_TIDS) > 1);
> sta->driver_buffered_tids = 0;
>
> - if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
> + if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS &&
> + sta->sta_state >= IEEE80211_STA_ASSOC))

This seems like a bad workaround -- how are you getting to this point
w/o being associated?

johannes


2013-05-13 12:45:38

by Cedric VONCKEN

Subject: RE: [PATCH] mac80211: Fix driver crash when STA_NOTIFY_AWAKE occurs

This fault occurs when I set up a mesh interface with HT mode and the SAE user
daemon from cozybit.

I have put more information in thread "ath9k null pointer with mesh network"
in the linux-wireless mailing list.

Cedric Voncken

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On behalf of cedric voncken
Sent: Friday, 19 April 2013 11:21
To: [email protected]
Cc: cedric voncken
Subject: [PATCH] mac80211: Fix driver crash when STA_NOTIFY_AWAKE occurs

If the device uses the HT mode and receives a frame from a sta with state <
IEEE80211_STA_ASSOC then the null pointer exception crashes the Linux
kernel.

In the case of ath9k, the function ath_tx_node_init is indirectly called by
drv_sta_state (in net/mac80211/driver-ops.h) only when the sta_state goes to
IEEE80211_STA_ASSOC from IEEE80211_STA_AUTH.

Signed-off-by: cedric VONCKEN <[email protected]>
---
net/mac80211/sta_info.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index
11216bc..bcfd7b0 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1040,7 +1040,8 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info
*sta)
BUILD_BUG_ON(BITS_TO_LONGS(IEEE80211_NUM_TIDS) > 1);
sta->driver_buffered_tids = 0;

- if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
+ if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS &&
+ sta->sta_state >= IEEE80211_STA_ASSOC))
drv_sta_notify(local, sdata, STA_NOTIFY_AWAKE, &sta->sta);

skb_queue_head_init(&pending);
--
1.7.2.5