authorChristian Lamparter <chunkeey@googlemail.com>2010-08-24 13:22:42 -0400
committerJohn W. Linville <linville@tuxdriver.com>2010-08-25 14:34:56 -0400
commit2c15a0cf27a74213a714cc7be31685b841f7c1ac (patch)
tree7d2e0bcf9b3c04922ddce91e4641eeed4387c11f /net/mac80211
parent74b70a4e38d542843fccfb367dce1ac861cc3890 (diff)
mac80211: fix rcu-unsafe pointer dereference
This patch fixes a potential crash (null-pointer dereference) which was introduced in my previous patch: "mac80211: AMPDU rx reorder timeout timer" During a BA teardown, the pointer to the soon-to-be-gone tid_ampdu_rx element will be nullified. Therefore the release timer mechanism has to be careful not to accidentally access the item without any RCU protection. Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/rx.c12
1 files changed, 8 insertions, 4 deletions
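--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2479,6 +2479,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
 {
 	struct sk_buff_head frames;
 	struct ieee80211_rx_data rx = { };
+	struct tid_ampdu_rx *tid_agg_rx;
+
+	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
+	if (!tid_agg_rx)
+		return;
 
 	__skb_queue_head_init(&frames);
 
@@ -2493,10 +2498,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
 	    test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning)))
 		rx.flags |= IEEE80211_RX_IN_SCAN;
 
-	spin_lock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
-	ieee80211_sta_reorder_release(&sta->local->hw,
-				      sta->ampdu_mlme.tid_rx[tid], &frames);
-	spin_unlock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
+	spin_lock(&tid_agg_rx->reorder_lock);
+	ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx, &frames);
+	spin_unlock(&tid_agg_rx->reorder_lock);
 
 	ieee80211_rx_handlers(&rx, &frames);
 }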
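Review bot: The rcu_dereference() at new line 2484 is only valid inside an RCU read-side critical section, and nothing in the hunk or in the visible parts of ieee80211_release_reorder_timeout takes rcu_read_lock(), so the function now silently depends on its caller for that; the requirement should be stated at the definition, e.g. `/* Caller must hold rcu_read_lock(): tid_rx[tid] is cleared by BA teardown and tid_agg_rx is only valid inside the read-side section. */`. The pointer is then held across the reorder_lock region at new lines 2501-2503, so the caller's read-side section has to cover the whole function rather than just the lookup; presumably the timer callback does this, but it is outside the hunk. With CONFIG_PROVE_RCU enabled, rcu_dereference() outside rcu_read_lock() produces a lockdep warning, which is the cheapest way to detect a caller that violates the contract. The function body between the two hunks (old lines 2485-2492) is not shown.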