diff options
| author | Koen Vandeputte <koen.vandeputte@ncentric.com> | 2018-09-21 13:48:53 +0200 |
|---|---|---|
| committer | Koen Vandeputte <koen.vandeputte@ncentric.com> | 2018-09-21 13:48:53 +0200 |
| commit | 8a006c24809cf2e2a368fdd13d42c55c56b9772b (patch) | |
| tree | 61c19d18aa84d82338dc7dddfb497bf5205c6809 /package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch | |
| parent | 492bd8ddc906cec4a4fffe14f632622c808b90a5 (diff) | |
| download | upstream-8a006c24809cf2e2a368fdd13d42c55c56b9772b.tar.gz upstream-8a006c24809cf2e2a368fdd13d42c55c56b9772b.tar.bz2 upstream-8a006c24809cf2e2a368fdd13d42c55c56b9772b.zip | |
mac80211: backport upstream fixes
Backport most significant upstream fixes (excl. hwsim fixes)
Refreshed all patches.
Contains important fixes for CSA (Channel Switch Announcement)
and A-MSDU frames.
[slightly altered to apply cleanly]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Diffstat (limited to 'package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch b/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch new file mode 100644 index 0000000000..ad282f9892 --- /dev/null +++ b/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch @@ -0,0 +1,38 @@ +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk> +Date: Mon, 13 Aug 2018 14:16:25 +0200 +Subject: [PATCH] mac80211: Run TXQ teardown code before de-registering + interfaces +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TXQ teardown code can reference the vif data structures that are +stored in the netdev private memory area if there are still packets on +the queue when it is being freed. Since the TXQ teardown code is run +after the netdevs are freed, this can lead to a use-after-free. Fix this +by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). + +Reported-by: Ben Greear <greearb@candelatech.com> +Tested-by: Ben Greear <greearb@candelatech.com> +Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +--- + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1172,6 +1172,7 @@ void ieee80211_unregister_hw(struct ieee + #if IS_ENABLED(__disabled__CONFIG_IPV6) + unregister_inet6addr_notifier(&local->ifa6_notifier); + #endif ++ ieee80211_txq_teardown_flows(local); + + rtnl_lock(); + +@@ -1200,7 +1201,6 @@ void ieee80211_unregister_hw(struct ieee + skb_queue_purge(&local->skb_queue); + skb_queue_purge(&local->skb_queue_unreliable); + skb_queue_purge(&local->skb_queue_tdls_chsw); +- ieee80211_txq_teardown_flows(local); + + destroy_workqueue(local->workqueue); + wiphy_unregister(local->hw.wiphy); |