Search Linux Wireless

[PATCH] cfg80211: fix rcu in cfg80211_unregister_wdev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

We are seeing intermittent crashes when calling cfg80211_unregister_wdev()
and then immediately free'ing the wdev object, like is done in wil6210 (see
[1]).
We believe this is due to cfg80211_unregister_wdev doing list_del_rcu()
without synchronize_cpu() afterwards.

====================================

From: Dedy Lansky <dlansky@xxxxxxxxxxxxxx>
Subject: [PATCH] cfg80211: fix rcu in cfg80211_unregister_wdev

Callers of cfg80211_unregister_wdev can free the wdev object
immediately after this function returns. This may crash the kernel
because this wdev object is still in use by other threads.
Add synchronize_rcu() after list_del_rcu to make sure wdev object can
be safely freed.

Signed-off-by: Dedy Lansky <dlansky@xxxxxxxxxxxxxx>
---
 net/wireless/core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireless/core.c b/net/wireless/core.c
index 5fe35aa..48e80973 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1012,6 +1012,7 @@ void cfg80211_unregister_wdev(struct wireless_dev
*wdev)
        nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE);

        list_del_rcu(&wdev->list);
+       synchronize_rcu();
        rdev->devlist_generation++;

        switch (wdev->iftype) {
--
1.9.1

[1]
https://elixir.bootlin.com/linux/latest/source/drivers/net/wireless/ath/wil6
210/cfg80211.c#L2234
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux