On Sat, 2007-08-18 at 15:13 -0500, Larry Finger wrote:

> The rest of the call trace is available if needed. The crash occurred when ieee80211_key_free was
> trying to unlock the mutex key_idx. I added printk's to dump the pointer to sdata at the point where
> that mutex is initialized and where the key is freed. The mutex that errs was inited.

Ho humm, yes, I'm dumb, patch below but I'll fold it into my key patch.

Sorry about that, classic use-after-free condition here.

johannes

--- wireless-dev.orig/net/mac80211/key.c 2007-08-20 14:07:43.165963896 +0200 +++ wireless-dev/net/mac80211/key.c 2007-08-20 14:08:04.265963896 +0200 @@ -255,12 +255,16 @@ static void __ieee80211_key_free(struct void ieee80211_key_free(struct ieee80211_key *key) { + struct ieee80211_sub_if_data *sdata; + if (!key) return; - mutex_lock(&key->sdata->key_mtx); + sdata = key->sdata; + + mutex_lock(&sdata->key_mtx); __ieee80211_key_free(key); - mutex_unlock(&key->sdata->key_mtx); + mutex_unlock(&sdata->key_mtx); } void ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata, int idx)
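Review bot: The local copy of key->sdata in ieee80211_key_free() deserves a one-line comment saying why it exists, because the hunk gives a later reader no hint that __ieee80211_key_free(key) frees the key and that the old mutex_unlock(&key->sdata->key_mtx) therefore read through freed memory; without that comment the "sdata = key->sdata;" line looks like a pointless temporary and is a natural target for a future cleanup that would reintroduce the use-after-free. Something like "/* key is freed below, so grab sdata first for the unlock */" above the assignment would do. Note also that the fix only covers the key's lifetime: the unlock still relies on the ieee80211_sub_if_data itself outliving the key across mutex_unlock(&sdata->key_mtx), which nothing in this hunk documents or checks, so it is worth stating in the same comment that callers must hold the interface alive for the duration of the call.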