diff options
Diffstat (limited to 'package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch')
-rw-r--r-- | package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch | 38 |
1 files changed, 0 insertions, 38 deletions
diff --git a/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch b/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch deleted file mode 100644 index ad282f9892..0000000000 --- a/package/kernel/mac80211/patches/382-mac80211-Run-TXQ-teardown-code-before-de-registering.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk> -Date: Mon, 13 Aug 2018 14:16:25 +0200 -Subject: [PATCH] mac80211: Run TXQ teardown code before de-registering - interfaces -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The TXQ teardown code can reference the vif data structures that are -stored in the netdev private memory area if there are still packets on -the queue when it is being freed. Since the TXQ teardown code is run -after the netdevs are freed, this can lead to a use-after-free. Fix this -by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). - -Reported-by: Ben Greear <greearb@candelatech.com> -Tested-by: Ben Greear <greearb@candelatech.com> -Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> -Signed-off-by: Johannes Berg <johannes.berg@intel.com> ---- - ---- a/net/mac80211/main.c -+++ b/net/mac80211/main.c -@@ -1172,6 +1172,7 @@ void ieee80211_unregister_hw(struct ieee - #if IS_ENABLED(__disabled__CONFIG_IPV6) - unregister_inet6addr_notifier(&local->ifa6_notifier); - #endif -+ ieee80211_txq_teardown_flows(local); - - rtnl_lock(); - -@@ -1200,7 +1201,6 @@ void ieee80211_unregister_hw(struct ieee - skb_queue_purge(&local->skb_queue); - skb_queue_purge(&local->skb_queue_unreliable); - skb_queue_purge(&local->skb_queue_tdls_chsw); -- ieee80211_txq_teardown_flows(local); - - destroy_workqueue(local->workqueue); - wiphy_unregister(local->hw.wiphy); |