Commit a93db944 authored by Johannes Berg, committed by Ben Hutchings

nl80211: clear skb cb before passing to netlink

commit bd8c78e7 upstream.

In testmode and vendor command reply/event SKBs we use the
skb cb data to store nl80211 parameters between allocation
and sending. This causes the code for CONFIG_NETLINK_MMAP
to get confused, because it takes ownership of the skb cb
data when the SKB is handed off to netlink, and it doesn't
explicitly clear it.

Clear the skb cb explicitly when we're done and before it
gets passed to netlink to avoid this issue.

Reported-by: Assaf Azulay <assaf.azulay@intel.com>
Reported-by: David Spinadel <david.spinadel@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
parent b2d0a271
...@@ -4804,6 +4804,9 @@ int cfg80211_testmode_reply(struct sk_buff *skb) ...@@ -4804,6 +4804,9 @@ int cfg80211_testmode_reply(struct sk_buff *skb)
void *hdr = ((void **)skb->cb)[1]; void *hdr = ((void **)skb->cb)[1];
struct nlattr *data = ((void **)skb->cb)[2]; struct nlattr *data = ((void **)skb->cb)[2];
/* clear CB data for netlink core to own from now on */
memset(skb->cb, 0, sizeof(skb->cb));
if (WARN_ON(!rdev->testmode_info)) { if (WARN_ON(!rdev->testmode_info)) {
kfree_skb(skb); kfree_skb(skb);
return -EINVAL; return -EINVAL;
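Review bot: In cfg80211_testmode_reply() the memset sits after the reads of cb[1] and cb[2], but the rdev dereferenced by the following WARN_ON(!rdev->testmode_info) is loaded outside the visible context, presumably from another cb slot. Please confirm in this 3.2 backport that the load is above the memset, because any read of skb->cb after this point returns zeroed data and would turn the WARN_ON into a NULL dereference. It would also help to extend the comment to say that nothing may read skb->cb below this line, so a later change does not reintroduce a read after the clear.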
...@@ -4830,6 +4833,9 @@ void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp) ...@@ -4830,6 +4833,9 @@ void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
void *hdr = ((void **)skb->cb)[1]; void *hdr = ((void **)skb->cb)[1];
struct nlattr *data = ((void **)skb->cb)[2]; struct nlattr *data = ((void **)skb->cb)[2];
/* clear CB data for netlink core to own from now on */
memset(skb->cb, 0, sizeof(skb->cb));
nla_nest_end(skb, data); nla_nest_end(skb, data);
genlmsg_end(skb, hdr); genlmsg_end(skb, hdr);
genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0, genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0,
......
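Review bot: The comment-plus-memset pair in cfg80211_testmode_event() is a second open-coded copy of the one added to cfg80211_testmode_reply(), and the commit message says vendor command reply/event SKBs use the same cb scheme. Consider a small static helper that pulls hdr and data out of skb->cb and clears it in one place, so every path that hands an skb to netlink gets the clear and a new sender cannot forget it. The ordering here is correct as written, since nla_nest_end() and genlmsg_end() only use the local hdr and data copies taken before the memset.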