nl80211: clear skb cb before passing to netlink

commit bd8c78e78d5011d8111bc2533ee73b13a3bd6c42 upstream. In testmode and vendor command reply/event SKBs we use the skb cb data to store nl80211 parameters between allocation and sending. This causes the code for CONFIG_NETLINK_MMAP to get confused, because it takes ownership of the skb cb data when the SKB is handed off to netlink, and it doesn't explicitly clear it. Clear the skb cb explicitly when we're done and before it gets passed to netlink to avoid this issue. Reported-by: Assaf Azulay <assaf.azulay@intel.com> Reported-by: David Spinadel <david.spinadel@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
author: Johannes Berg <johannes.berg@intel.com> 2014-07-30 14:55:26 +0200
committer: Jiri Slaby <jslaby@suse.cz> 2014-10-13 15:41:36 +0200
commit: b37091dddc1740b3a516004b29dca18bca84b314 (patch)
tree: 8f62b0d20a48acbfe281387bcbdf6719573a61d8 /net
parent: 2db0c704fe90710368581c2dcf5d33105a9b9600 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c2853bbf8059..c3ef31a96de9 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6797,6 +6797,9 @@ void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp)
 	void *hdr = ((void **)skb->cb)[1];
 	struct nlattr *data = ((void **)skb->cb)[2];
 
+	/* clear CB data for netlink core to own from now on */
+	memset(skb->cb, 0, sizeof(skb->cb));
+
 	nla_nest_end(skb, data);
 	genlmsg_end(skb, hdr);
 	genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0,
author	Johannes Berg <johannes.berg@intel.com>	2014-07-30 14:55:26 +0200
committer	Jiri Slaby <jslaby@suse.cz>	2014-10-13 15:41:36 +0200
commit	b37091dddc1740b3a516004b29dca18bca84b314 (patch)
tree	8f62b0d20a48acbfe281387bcbdf6719573a61d8 /net
parent	2db0c704fe90710368581c2dcf5d33105a9b9600 (diff)