[tip:core/locking] mac80211: fix rcu-unsafe pointer dereference

Commit-ID:  2c15a0cf27a74213a714cc7be31685b841f7c1ac
Gitweb:     http://git.kernel.org/tip/2c15a0cf27a74213a714cc7be31685b841f7c1ac
Author:     Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>
AuthorDate: Tue, 24 Aug 2010 19:22:42 +0200
Committer:  John W. Linville <linville@xxxxxxxxxxxxx>
CommitDate: Wed, 25 Aug 2010 14:34:56 -0400

mac80211: fix rcu-unsafe pointer dereference

This patch fixes a potential crash (null-pointer dereference)
which was introduced in my previous patch:
 "mac80211: AMPDU rx reorder timeout timer"

During a BA teardown, the pointer to the soon-to-be-gone
tid_ampdu_rx element will be nullified. Therefore the
release timer mechanism has to be careful not to
accidentally access the item without any RCU protection.

Signed-off-by: Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>
Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx>
---
 net/mac80211/rx.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index e1844f7..e67deb4 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2479,6 +2479,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
 {
 	struct sk_buff_head frames;
 	struct ieee80211_rx_data rx = { };
+	struct tid_ampdu_rx *tid_agg_rx;
+
+	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
+	if (!tid_agg_rx)
+		return;
 
 	__skb_queue_head_init(&frames);
 
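Review bot: the new rcu_dereference() at the top of ieee80211_release_reorder_timeout() is only safe if the caller holds rcu_read_lock() for the whole function, including the spin_lock/reorder release further down, and nothing in this hunk documents or checks that; add a short comment such as `/* caller must hold rcu_read_lock() */` above the dereference (or a lockdep-backed rcu_dereference_protected() if the timer path has its own guarantee), so the next person editing the timer callback does not drop the read-side section around this call. The early `return` before `__skb_queue_head_init(&frames)` is fine as written, since `frames` is not touched before that point.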
@@ -2493,10 +2498,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
 		     test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning)))
 		rx.flags |= IEEE80211_RX_IN_SCAN;
 
-	spin_lock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
-	ieee80211_sta_reorder_release(&sta->local->hw,
-		sta->ampdu_mlme.tid_rx[tid], &frames);
-	spin_unlock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
+	spin_lock(&tid_agg_rx->reorder_lock);
+	ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx, &frames);
+	spin_unlock(&tid_agg_rx->reorder_lock);
 
 	ieee80211_rx_handlers(&rx, &frames);
 }
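Review bot: replacing the three separate reads of `sta->ampdu_mlme.tid_rx[tid]` with the single `tid_agg_rx` snapshot removes the window in which the pointer could be nullified between `spin_lock()` and `spin_unlock()`, but the commit message should also state the ordering the teardown side relies on: because `reorder_lock` lives inside the tid_ampdu_rx object being torn down, the freeing path must take `reorder_lock` (or otherwise wait for this timer callback) and defer the free with RCU before the memory behind `tid_agg_rx` goes away, otherwise this hunk only moves the use-after-free from the pointer read to the lock itself. A one-line note here, or a comment at the `spin_lock(&tid_agg_rx->reorder_lock)`, would make that dependency visible.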
--