From 848a4abf27d8fb49714330d6ecafa6a51104d611 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Thu, 22 Feb 2018 15:36:05 +0100 Subject: ath9k: merge a RCU fix for station tx cleanup Signed-off-by: Felix Fietkau --- ...k-Protect-queue-draining-by-rcu_read_lock.patch | 43 ++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 package/kernel/mac80211/patches/330-ath9k-Protect-queue-draining-by-rcu_read_lock.patch (limited to 'package/kernel') diff --git a/package/kernel/mac80211/patches/330-ath9k-Protect-queue-draining-by-rcu_read_lock.patch b/package/kernel/mac80211/patches/330-ath9k-Protect-queue-draining-by-rcu_read_lock.patch new file mode 100644 index 0000000000..9970574e14 --- /dev/null +++ b/package/kernel/mac80211/patches/330-ath9k-Protect-queue-draining-by-rcu_read_lock.patch @@ -0,0 +1,43 @@ +From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= +Date: Fri, 2 Feb 2018 11:36:45 +0100 +Subject: [PATCH] ath9k: Protect queue draining by rcu_read_lock() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When ath9k was switched over to use the mac80211 intermediate queues, +node cleanup now drains the mac80211 queues. However, this call path is +not protected by rcu_read_lock() as it was previously entirely internal +to the driver which uses its own locking. + +This leads to a possible rcu_dereference() without holding +rcu_read_lock(); but only if a station is cleaned up while having +packets queued on the TXQ. Fix this by adding the rcu_read_lock() to the +caller in ath9k. + +Fixes: 50f08edf9809 ("ath9k: Switch to using mac80211 intermediate software queues.") +Cc: stable@vger.kernel.org +Reported-by: Ben Greear +Signed-off-by: Toke Høiland-Jørgensen +--- + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -2930,6 +2930,8 @@ void ath_tx_node_cleanup(struct ath_soft + struct ath_txq *txq; + int tidno; + ++ rcu_read_lock(); ++ + for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) { + tid = ath_node_to_tid(an, tidno); + txq = tid->txq; +@@ -2947,6 +2949,8 @@ void ath_tx_node_cleanup(struct ath_soft + if (!an->sta) + break; /* just one multicast ath_atx_tid */ + } ++ ++ rcu_read_unlock(); + } + + #ifdef CPTCFG_ATH9K_TX99 -- cgit v1.2.3