Skip to main content

Browse the archive

https://github.com/torvalds/linux
23 October 2021, 00:29:24 UTC
Revision 788211d81bfdf9b6a547d0530f206ba6ee76b107 authored by Johannes Berg on 01 April 2015, 12:20:42 UTC, committed by Johannes Berg on 01 April 2015, 12:35:01 UTC 
mac80211: fix RX A-MPDU session reorder timer deletion
 
There's an issue with the way the RX A-MPDU reorder timer is
deleted that can cause a kernel crash like this:

 * tid_rx is removed - call_rcu(ieee80211_free_tid_rx)
 * station is destroyed
 * reorder timer fires before ieee80211_free_tid_rx() runs,
   accessing the station, thus potentially crashing due to
   the use-after-free

The station deletion is protected by synchronize_net(), but
that isn't enough -- ieee80211_free_tid_rx() need not have
run when that returns (it deletes the timer.) We could use
rcu_barrier() instead of synchronize_net(), but that's much
more expensive.

Instead, to fix this, add a field tracking that the session
is being deleted. In this case, the only re-arming of the
timer happens with the reorder spinlock held, so make that
code not rearm it if the session is being deleted and also
delete the timer after setting that field. This ensures the
timer cannot fire after ___ieee80211_stop_rx_ba_session()
returns, which fixes the problem.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1 parent f84eaa1
History
Tip revision: 788211d81bfdf9b6a547d0530f206ba6ee76b107 authored by Johannes Berg on 01 April 2015, 12:20:42 UTC
mac80211: fix RX A-MPDU session reorder timer deletion
Tip revision: 788211d
File Mode Size
Documentation
arch
block
crypto
drivers
firmware
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
security
sound
tools
usr
virt
.gitignore -rw-r--r-- 1.2 KB
.mailmap -rw-r--r-- 4.9 KB
COPYING -rw-r--r-- 18.3 KB
CREDITS -rw-r--r-- 94.0 KB
Kbuild -rw-r--r-- 2.5 KB
Kconfig -rw-r--r-- 252 bytes
MAINTAINERS -rw-r--r-- 297.9 KB
Makefile -rw-r--r-- 53.3 KB
README -rw-r--r-- 18.3 KB
REPORTING-BUGS -rw-r--r-- 7.3 KB

README

back to top