android_kernel_samsung_msm8976/net
Miaoqing Pan e1fde381ff nl80211: fix null pointer dereference
[ Upstream commit b501426cf86e70649c983c52f4c823b3c40d72a3 ]

If the interface is not in MESH mode, the command 'iw wlanx mpath del'
will cause kernel panic.

The root cause is null pointer access in mpp_flush_by_proxy(), as the
pointer 'sdata->u.mesh.mpp_paths' is NULL for non MESH interface.

Unable to handle kernel NULL pointer dereference at virtual address 00000068
[...]
PC is at _raw_spin_lock_bh+0x20/0x5c
LR is at mesh_path_del+0x1c/0x17c [mac80211]
[...]
Process iw (pid: 4537, stack limit = 0xd83e0238)
[...]
[<c021211c>] (_raw_spin_lock_bh) from [<bf8c7648>] (mesh_path_del+0x1c/0x17c [mac80211])
[<bf8c7648>] (mesh_path_del [mac80211]) from [<bf6cdb7c>] (extack_doit+0x20/0x68 [compat])
[<bf6cdb7c>] (extack_doit [compat]) from [<c05c309c>] (genl_rcv_msg+0x274/0x30c)
[<c05c309c>] (genl_rcv_msg) from [<c05c25d8>] (netlink_rcv_skb+0x58/0xac)
[<c05c25d8>] (netlink_rcv_skb) from [<c05c2e14>] (genl_rcv+0x20/0x34)
[<c05c2e14>] (genl_rcv) from [<c05c1f90>] (netlink_unicast+0x11c/0x204)
[<c05c1f90>] (netlink_unicast) from [<c05c2420>] (netlink_sendmsg+0x30c/0x370)
[<c05c2420>] (netlink_sendmsg) from [<c05886d0>] (sock_sendmsg+0x70/0x84)
[<c05886d0>] (sock_sendmsg) from [<c0589f4c>] (___sys_sendmsg.part.3+0x188/0x228)
[<c0589f4c>] (___sys_sendmsg.part.3) from [<c058add4>] (__sys_sendmsg+0x4c/0x70)
[<c058add4>] (__sys_sendmsg) from [<c0208c80>] (ret_fast_syscall+0x0/0x44)
Code: e2822c02 e2822001 e5832004 f590f000 (e1902f9f)
---[ end trace bbd717600f8f884d ]---

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Link: https://lore.kernel.org/r/1569485810-761-1-git-send-email-miaoqing@codeaurora.org
[trim useless data from commit message]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I0af06ab88a75b6f7528bb1a134115b530cfb7595
2020-01-01 23:22:35 +01:00
..
9p
802
8021q
appletalk net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
atm
ax25 net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
batman-adv
bluetooth Bluetooth: Check state in l2cap_disconnect_rsp 2019-08-05 03:10:33 +02:00
bridge net: bridge: multicast: use rcu to access port list from br_multicast_start_querier 2019-08-15 21:02:28 +02:00
caif
can net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
ceph
core tcp: make sure EPOLLOUT wont be missed 2019-12-21 19:59:22 +01:00
dcb
dccp net/dccp: fix use after free in tw_timer_handler() 2019-07-27 22:08:37 +02:00
decnet net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
dns_resolver dns_resolver: Do not accept domain names longer than 255 chars 2019-07-27 22:07:53 +02:00
dsa
ethernet
ieee802154 net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
ipc_router net: ipc_router: Initialize the sockaddr in recvmsg() handler 2019-07-27 22:08:44 +02:00
ipv4 igmp: fix memory leak in igmpv3_del_delrec() 2019-10-27 19:33:52 +01:00
ipv6 igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() 2019-10-27 19:33:52 +01:00
ipx net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
irda net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
iucv
key af_key: fix leaks in key_pol_get_resp and dump_sp. 2019-10-27 19:33:52 +01:00
l2tp net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
lapb
llc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
mac80211
mac802154
netfilter netfilter: compat: initialize all fields in xt_init 2019-07-27 22:10:42 +02:00
netlabel netlabel: check for IPV4MASK in addrinfo_get 2019-09-28 20:28:33 +02:00
netlink net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
netrom net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
nfc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
openvswitch
packet net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
phonet net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
rds net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
rfkill net: rfkill: move poll work to power efficient workqueue 2019-07-27 22:11:06 +02:00
rmnet_data net: rmnet_data: Change the log level for unknown IOCTL's 2019-07-27 21:51:01 +02:00
rose net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
rxrpc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
sched net: Prevent invalid access to skb->prev in __qdisc_drop_all 2019-07-27 21:53:24 +02:00
sctp
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 2019-07-27 21:46:18 +02:00
tipc net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
unix net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
vmw_vsock net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
wimax
wireless nl80211: fix null pointer dereference 2020-01-01 23:22:35 +01:00
x25 net: add build-time checks for msg->msg_name size 2019-08-16 03:55:59 +02:00
xfrm xfrm: validate template mode 2019-09-28 20:28:33 +02:00
activity_stats.c
compat.c net: support compat 64-bit time in {s,g}etsockopt 2019-07-27 21:49:09 +02:00
Kconfig
Makefile
nonet.c
socket.c kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2019-07-27 22:10:26 +02:00
sysctl_net.c