Return-path: Received: from s3.sipsolutions.net ([144.76.43.152]:42234 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933966Ab3FSHy7 (ORCPT ); Wed, 19 Jun 2013 03:54:59 -0400 Message-ID: <1371628488.8349.3.camel@jlt4.sipsolutions.net> (sfid-20130619_095509_334897_6BA231FA) Subject: Re: nl80211 NULL pointer dereference From: Johannes Berg To: Linus Torvalds Cc: David Miller , John Linville , Linux Wireless List , Network Development Date: Wed, 19 Jun 2013 09:54:48 +0200 In-Reply-To: (sfid-20130619_042459_700600_08CD35A3) References: <20130618.190632.33329016434510583.davem@davemloft.net> (sfid-20130619_042459_700600_08CD35A3) Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Tue, 2013-06-18 at 16:24 -1000, Linus Torvalds wrote: > So it would seem that it's that > > info->attrs[NL80211_ATTR_REG_RULES] > > thing that is NULL. > > And yes, the code checks that for being non-NULL in at the top of the > function, but maybe there is a race with something else setting it to > NULL? There is a kzalloc(GFP_KERNEL) in between, so it doesn't even > have to be a very small race... Yes. I looked at it, and reproduced it (after making the window larger by putting some sleeps in there and WARN_ON()). It's really just a stupid mistake I made: in nl80211_dump_wiphy() I parse attributes into the global nl80211_fam.attrbuf, without making sure that it has proper locking. Normally we do something like that only on the first iteration of a dump which is OK because it's locked, but here I did it always, which is clearly a bug. I'll have a patch in a minute. johannes