Michal Kazior <michal.kazior@xxxxxxxxx> wrote: > Station pointers are RCU protected so driver must > be extra careful if it tries to store them > internally for later use outside of the RCU > section it obtained it in. > > It was possible for station teardown to race with > some htt events. The possible outcome could be a > use-after-free and a crash. > > Only peer-flow-control capable firmware was > affected (so hardware-wise qca99x0 and qca4019). > > This could be done in sta_state() itself via > explicit synchronize_net() call but there's > already a convenient sta_pre_rcu_remove() op that > can be hooked up to avoid extra rcu stall. > > The peer->sta pointer itself can't be set to > NULL/ERR_PTR because it is later used in > sta_state() for extra sanity checks. > > Signed-off-by: Michal Kazior <michal.kazior@xxxxxxxxx> Patch applied to ath-next branch of ath.git, thanks. 0a744d927406 ath10k: prevent sta pointer rcu violation -- https://patchwork.kernel.org/patch/9513391/ Documentation about submitting wireless patches and checking status from patchwork: https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
