author | Josh Boyer <jwboyer@redhat.com> | 2012-03-20 08:44:32 -0400 |
---|---|---|
committer | Josh Boyer <jwboyer@redhat.com> | 2012-03-20 08:47:13 -0400 |
commit | b7da64597e570ad8c8a5625e3486c73bf85a7e90 (patch) | |
tree | a422d0f2360e2394ab719167fb3665c8f86cea5f /mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch | |
parent | 3008f9279141129059ba502412ed917c5876f25e (diff) | |
mac80211: fix possible tid_rx->reorder_timer use after free
from Stanislaw Gruszka (rhbz 804007)
Diffstat (limited to 'mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch')
-rw-r--r-- | mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch b/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
new file mode 100644
index 000000000..accda8afc
--- /dev/null
+++ b/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
@@ -0,0 +1,42 @@
+Is possible that we will arm the tid_rx->reorder_timer after
+del_timer_sync() in ___ieee80211_stop_rx_ba_session(). We need to stop
+timer after RCU grace period finish, so move it to
+ieee80211_free_tid_rx(). Timer will not be armed again, as
+rcu_dereference(sta->ampdu_mlme.tid_rx[tid]) will return NULL.
+
+Debug object detected problem with the following warning:
+ODEBUG: free active (active state 0) object type: timer_list hint: sta_rx_agg_reorder_timer_expired+0x0/0xf0 [mac80211]
+
+Bug report (with all warning messages):
+https://bugzilla.redhat.com/show_bug.cgi?id=804007
+
+Reported-by: "jan p. springer" <jsd@igroup.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+---
+ net/mac80211/agg-rx.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index 1068f66..64d3ce5 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -49,6 +49,8 @@ static void ieee80211_free_tid_rx(struct rcu_head *h)
+ container_of(h, struct tid_ampdu_rx, rcu_head);
+ int i;
++
++ del_timer_sync(&tid_rx->reorder_timer);
++
+ for (i = 0; i < tid_rx->buf_size; i++)
+ dev_kfree_skb(tid_rx->reorder_buf[i]);
+ kfree(tid_rx->reorder_buf);
+@@ -91,7 +93,6 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
+ tid, WLAN_BACK_RECIPIENT, reason);
+
+ del_timer_sync(&tid_rx->session_timer);
+- del_timer_sync(&tid_rx->reorder_timer);
+
+ call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx);
+ }
+--
+1.7.1 |
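Review bot: Moving `del_timer_sync(&tid_rx->reorder_timer)` into `ieee80211_free_tid_rx()` puts a synchronous wait for a possibly-running timer handler inside an RCU callback, which executes in softirq context rather than the process context `___ieee80211_stop_rx_ba_session()` ran in, so this trades the documented use-after-free for a context constraint that is not stated anywhere in the hunk. The commit message's claim that the timer "will not be armed again" only holds for readers that enter after the pointer is cleared; a reader already inside its RCU read-side section can still re-arm it, which is the window the grace period is meant to cover, and that reasoning deserves a comment above the new `del_timer_sync()` line (e.g. `/* a reader that dereferenced tid_rx before it was unlinked may have re-armed the reorder timer; by now the grace period has ended so it cannot happen again */`). As I recall, the approach that later stuck upstream keeps the `del_timer_sync()` in the stop path and instead blocks re-arming with a flag — `tid_rx->removed = true;` set under `spin_lock_bh(&tid_rx->reorder_lock)` before the `del_timer_sync()`, with the reorder-release path checking that flag before calling `mod_timer()` — which avoids waiting on a timer from callback context; please verify against the tree this is applied to. Both `ieee80211_free_tid_rx()` and `___ieee80211_stop_rx_ba_session()` extend beyond the inner hunks, so the reorder-release side is not visible here.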