diff options
| author | Koen Vandeputte <koen.vandeputte@ncentric.com> | 2018-09-04 15:09:48 +0200 |
|---|---|---|
| committer | Koen Vandeputte <koen.vandeputte@ncentric.com> | 2018-09-07 17:21:24 +0200 |
| commit | 77024a9d953d394b02226367357b0570c52b9119 (patch) | |
| tree | 59b72a6b0776dec814d07f62d0d1c1c768646ee9 /package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch | |
| parent | 079871983c90eee18f6926d10c8d2fdc16b1cafd (diff) | |
| download | upstream-77024a9d953d394b02226367357b0570c52b9119.tar.gz upstream-77024a9d953d394b02226367357b0570c52b9119.tar.bz2 upstream-77024a9d953d394b02226367357b0570c52b9119.zip | |
mac80211: backport upstream fixes
Backport most significant upstream fixes (excl. hwsim fixes)
Refreshed all patches.
Contains important fixes for CSA (Channel Switch Announcement)
and A-MSDU frames.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Diffstat (limited to 'package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch b/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch new file mode 100644 index 0000000000..ad282f9892 --- /dev/null +++ b/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch @@ -0,0 +1,38 @@ +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk> +Date: Mon, 13 Aug 2018 14:16:25 +0200 +Subject: [PATCH] mac80211: Run TXQ teardown code before de-registering + interfaces +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TXQ teardown code can reference the vif data structures that are +stored in the netdev private memory area if there are still packets on +the queue when it is being freed. Since the TXQ teardown code is run +after the netdevs are freed, this can lead to a use-after-free. Fix this +by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). + +Reported-by: Ben Greear <greearb@candelatech.com> +Tested-by: Ben Greear <greearb@candelatech.com> +Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +--- + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -1172,6 +1172,7 @@ void ieee80211_unregister_hw(struct ieee + #if IS_ENABLED(__disabled__CONFIG_IPV6) + unregister_inet6addr_notifier(&local->ifa6_notifier); + #endif ++ ieee80211_txq_teardown_flows(local); + + rtnl_lock(); + +@@ -1200,7 +1201,6 @@ void ieee80211_unregister_hw(struct ieee + skb_queue_purge(&local->skb_queue); + skb_queue_purge(&local->skb_queue_unreliable); + skb_queue_purge(&local->skb_queue_tdls_chsw); +- ieee80211_txq_teardown_flows(local); + + destroy_workqueue(local->workqueue); + wiphy_unregister(local->hw.wiphy); |