Message-ID: <23f8106d26ec9122a7ba4cbff60ae28e2c410ce9.camel@sipsolutions.net>
Subject: Re: [RFC 1/1] mac80211_hwsim: fix crash when receiving frame
From: Johannes Berg
To: James Prestwood, linux-wireless@vger.kernel.org
Date: Thu, 17 Sep 2020 11:46:02 +0200
In-Reply-To: <20200910235707.7732-2-prestwoj@gmail.com>
References: <20200910235707.7732-1-prestwoj@gmail.com> <20200910235707.7732-2-prestwoj@gmail.com>

On Thu, 2020-09-10 at 16:57 -0700, James Prestwood wrote:
> This crash has rarely happened to me on bare metal, but when running
> in a virtual environment it happens much more frequently. It would
> appear that the mac80211_hwsim_data (data2) obtained from
> get_hwsim_data_ref_from_addr() is not fully initialized. When the
> crash happens the 'channel' member (ieee80211_channel*) is NULL. This
> is not checked for and eventually dereferenced which causes the
> segmentation fault.

Seems reasonable to me. I guess data2 is somehow getting packets
delivered but never even started operating.

johannes
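The failure mode discussed in this thread, as an added example that is not code from the thread or from the mac80211_hwsim driver: a constructed C model in which a receive path looks up a destination radio by address and the lookup can return a radio that was created but never started, so its channel pointer is still NULL. The struct names, lookup_radio(), deliver_frame_unchecked(), deliver_frame_checked() and the sample addresses are hypothetical stand-ins chosen for the model; the unchecked variant shows the dereference the commit message describes, the checked variant drops the frame instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the situation described in the thread. It is NOT
 * the mac80211_hwsim driver's code; the names are hypothetical. A radio
 * that has been registered but never started operating has no channel
 * yet, which the model represents as channel == NULL. */
struct channel {
    uint32_t center_freq; /* MHz */
};

struct hwsim_radio {
    uint8_t addr[6];
    struct channel *channel; /* NULL until the radio starts operating */
};

/* Constructed sample radios: radio 1 is operating on 2412 MHz, radio 2
 * was created but never started, so its channel is still NULL. */
static struct channel g_ch2412 = { .center_freq = 2412 };
static struct hwsim_radio g_radios[2] = {
    { .addr = { 0x02, 0, 0, 0, 0, 1 }, .channel = &g_ch2412 },
    { .addr = { 0x02, 0, 0, 0, 0, 2 }, .channel = NULL },
};

/* Hypothetical address lookup: returns NULL for an unknown address. */
static struct hwsim_radio *lookup_radio(const uint8_t addr[6])
{
    for (size_t i = 0; i < sizeof g_radios / sizeof g_radios[0]; i++)
        if (memcmp(g_radios[i].addr, addr, 6) == 0)
            return &g_radios[i];
    return NULL;
}

/* Before: assumes the lookup result is fully initialized and
 * dereferences channel unconditionally. Faults on radio 2. */
static uint32_t deliver_frame_unchecked(struct hwsim_radio *dst)
{
    return dst->channel->center_freq;
}

/* After: a destination with no channel cannot receive the frame yet.
 * Returns true when delivered, false when the frame is dropped. */
static bool deliver_frame_checked(struct hwsim_radio *dst, uint32_t *freq_out)
{
    if (dst == NULL || dst->channel == NULL)
        return false;
    *freq_out = dst->channel->center_freq;
    return true;
}

/* Frequency the frame was delivered on via the checked path, or 0 if
 * the frame was dropped. last_octet selects a sample address. */
static uint32_t freq_for(uint8_t last_octet)
{
    uint8_t addr[6] = { 0x02, 0, 0, 0, 0, last_octet };
    uint32_t freq = 0;
    if (!deliver_frame_checked(lookup_radio(addr), &freq))
        return 0;
    return freq;
}

/* Same lookup through the unchecked path; only safe for a started radio. */
static uint32_t freq_for_unchecked(uint8_t last_octet)
{
    uint8_t addr[6] = { 0x02, 0, 0, 0, 0, last_octet };
    return deliver_frame_unchecked(lookup_radio(addr));
}

int main(void)
{
    printf("radio 1 (started):   delivered on %u MHz\n", freq_for(1));
    printf("radio 2 (no channel): %s\n", freq_for(2) ? "delivered" : "dropped");
    printf("unknown address:      %s\n", freq_for(9) ? "delivered" : "dropped");
    /* freq_for_unchecked(2) would dereference NULL, which is the crash. */
    return 0;
}
```

The checked path treats "no channel yet" the same way it treats "unknown address": the frame is dropped rather than trusting that every entry the lookup returns has finished initializing.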