Commit 2c15a0cf authored by Christian Lamparter, committed by John W. Linville

mac80211: fix rcu-unsafe pointer dereference

This patch fixes a potential crash (null-pointer dereference)
which was introduced in my previous patch:
 "mac80211: AMPDU rx reorder timeout timer"

During a BA teardown, the pointer to the soon-to-be-gone
tid_ampdu_rx element will be nullified. Therefore the
release timer mechanism has to be careful not to
accidentally access the item without any RCU protection.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent 74b70a4e
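The race the commit message describes, as an added userspace C example that is not part of the mac80211 patch or the kernel: a shared session pointer is fetched twice by the buggy release path and once by the fixed one, and a teardown is interleaved between the fetches. RCU is only simulated here (a single volatile read stands in for rcu_dereference(), and an integer flag for the spinlock); the names tid_slot, fetch_slot, release_unsafe, release_safe and run_with_teardown are assumptions chosen for the illustration.

```c
/* Added example, not kernel code: models the double-fetch race closed by the
 * patch.  RCU is simulated: the "writer" clears the shared pointer, the
 * "reader" must fetch it once and then use only its local copy.
 * tid_slot, fetch_slot, release_unsafe, release_safe, run_with_teardown and
 * run_without_session are names assumed for this illustration. */
#include <stddef.h>
#include <stdio.h>

struct tid_ampdu_rx {
	int reorder_lock;     /* stands in for the reorder_lock spinlock */
	int released_frames;  /* counts what the release path handed up */
};

/* Shared slot that a BA teardown nulls out (sta->ampdu_mlme.tid_rx[tid]). */
static struct tid_ampdu_rx *tid_slot;

/* Lets a test interleave one teardown at a chosen point in the reader. */
static int teardown_pending;

static void maybe_teardown(void)
{
	if (teardown_pending) {
		teardown_pending = 0;
		tid_slot = NULL;  /* rcu_assign_pointer(tid_rx[tid], NULL) */
	}
}

/* Stand-in for rcu_dereference(): one volatile read of the slot. */
static struct tid_ampdu_rx *fetch_slot(void)
{
	return *(struct tid_ampdu_rx * volatile *)&tid_slot;
}

/* Buggy shape: the slot is re-read for every access, so a teardown landing
 * between two reads turns the next one into a NULL dereference.
 * Returns 0 on success, -1 where the kernel would have oopsed. */
int release_unsafe(void)
{
	if (!fetch_slot())
		return 0;           /* session already gone: nothing to do */
	maybe_teardown();           /* teardown wins the race here */
	if (!fetch_slot())
		return -1;          /* spin_lock(&tid_rx[tid]->reorder_lock) on NULL */
	fetch_slot()->reorder_lock = 1;
	fetch_slot()->released_frames++;
	fetch_slot()->reorder_lock = 0;
	return 0;
}

/* Fixed shape: one rcu_dereference(), one NULL check, then only the local
 * copy is used; RCU keeps the object alive until the read side ends. */
int release_safe(void)
{
	struct tid_ampdu_rx *tid_agg_rx = fetch_slot();

	if (!tid_agg_rx)
		return 0;
	maybe_teardown();           /* same interleaving, now harmless */
	tid_agg_rx->reorder_lock = 1;
	tid_agg_rx->released_frames++;
	tid_agg_rx->reorder_lock = 0;
	return 0;
}

/* Install a fresh session, arm a teardown, run one variant.
 * Returns the negative rc on failure, else the number of released frames. */
int run_with_teardown(int (*release)(void))
{
	struct tid_ampdu_rx sess = { 0, 0 };
	int rc;

	tid_slot = &sess;
	teardown_pending = 1;
	rc = release();
	tid_slot = NULL;
	return rc < 0 ? rc : sess.released_frames;
}

/* Both variants must be a no-op when no session is installed. */
int run_without_session(int (*release)(void))
{
	tid_slot = NULL;
	teardown_pending = 0;
	return release();
}

int main(void)
{
	printf("unsafe with teardown: %d\n", run_with_teardown(release_unsafe));
	printf("safe with teardown:   %d\n", run_with_teardown(release_safe));
	return 0;
}
```

The unsafe variant reports -1 (the simulated oops) and the safe variant reports one released frame; the point is not the simulated lock but that every access after the NULL check goes through the local pointer obtained from the single dereference.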
...@@ -2479,6 +2479,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) ...@@ -2479,6 +2479,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
{ {
struct sk_buff_head frames; struct sk_buff_head frames;
struct ieee80211_rx_data rx = { }; struct ieee80211_rx_data rx = { };
struct tid_ampdu_rx *tid_agg_rx;
tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
if (!tid_agg_rx)
return;
__skb_queue_head_init(&frames); __skb_queue_head_init(&frames);
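Review bot: the rcu_dereference() added at the top of ieee80211_release_reorder_timeout() is only a correct fix if every caller holds rcu_read_lock() for the whole function, and nothing in this hunk shows or documents that requirement; with RCU lockdep checking an unprotected caller would warn right here, and without it the NULL check alone does not keep the object alive. Suggest a one-line comment above the new dereference, e.g. `/* caller must hold rcu_read_lock() */`, and confirming that the reorder timeout timer callback that calls this function enters an RCU read-side critical section first. The early return sitting before __skb_queue_head_init(&frames) is fine, since nothing has been queued yet.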
...@@ -2493,10 +2498,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) ...@@ -2493,10 +2498,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning))) test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning)))
rx.flags |= IEEE80211_RX_IN_SCAN; rx.flags |= IEEE80211_RX_IN_SCAN;
spin_lock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock); spin_lock(&tid_agg_rx->reorder_lock);
ieee80211_sta_reorder_release(&sta->local->hw, ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx, &frames);
sta->ampdu_mlme.tid_rx[tid], &frames); spin_unlock(&tid_agg_rx->reorder_lock);
spin_unlock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
ieee80211_rx_handlers(&rx, &frames); ieee80211_rx_handlers(&rx, &frames);
} }
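Review bot: the spin_lock(), the ieee80211_sta_reorder_release() call and the spin_unlock() now all go through the local tid_agg_rx, which closes the window where sta->ampdu_mlme.tid_rx[tid] could be nulled between the lock and unlock dereferences; what remains to be checked is the elided code between the two hunks, because any surviving sta->ampdu_mlme.tid_rx[tid]-> access there would reintroduce the same NULL dereference. A search for `tid_rx[tid]->` within this function should come back empty after the patch, and the rx handlers being run after the unlock is consistent with the pointer still being valid for the rest of the RCU read side.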