From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
Date: Mon, 13 Aug 2018 14:16:25 +0200
Subject: [PATCH] mac80211: Run TXQ teardown code before de-registering
interfaces
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The TXQ teardown code can reference the vif data structures that are
stored in the netdev private memory area if there are still packets on
the queue when it is being freed. Since the TXQ teardown code is run
after the netdevs are freed, this can lead to a use-after-free. Fix this
by moving the TXQ teardown code to earlier in ieee80211_unregister_hw().
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
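--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1172,6 +1172,7 @@ void ieee80211_unregister_hw(struct ieee
 #if IS_ENABLED(__disabled__CONFIG_IPV6)
 unregister_inet6addr_notifier(&local->ifa6_notifier);
 #endif
+ ieee80211_txq_teardown_flows(local);
 
 rtnl_lock();
 
@@ -1200,7 +1201,6 @@ void ieee80211_unregister_hw(struct ieee
 skb_queue_purge(&local->skb_queue);
 skb_queue_purge(&local->skb_queue_unreliable);
 skb_queue_purge(&local->skb_queue_tdls_chsw);
- ieee80211_txq_teardown_flows(local);
 
 destroy_workqueue(local->workqueue);
 wiphy_unregister(local->hw.wiphy);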
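Review bot: The relocated `ieee80211_txq_teardown_flows(local);` call in the first hunk carries no comment recording why it must precede interface removal, so a later cleanup could move it back next to the `skb_queue_purge()` calls and reintroduce the use-after-free described in the commit message. I would add above it `/* Must run before the netdevs are freed: packets still queued on the TXQs can reference vif data in netdev private memory. */`. The call now also runs before `rtnl_lock()` and, going by the commit message, while the interfaces are still registered; the code between the two hunks is not visible here, so it is worth confirming that nothing on the transmit path can still enqueue to the flows after they are torn down. `ieee80211_unregister_hw()` starts and ends outside both hunks.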