diff options
author | Christian Lamparter <chunkeey@googlemail.com> | 2010-08-24 13:22:42 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2010-08-25 14:34:56 -0400 |
commit | 2c15a0cf27a74213a714cc7be31685b841f7c1ac (patch) | |
tree | 7d2e0bcf9b3c04922ddce91e4641eeed4387c11f /net | |
parent | 74b70a4e38d542843fccfb367dce1ac861cc3890 (diff) |
mac80211: fix rcu-unsafe pointer dereference
This patch fixes a potential crash (null-pointer de-
reference) which was introduced in my previous patch:
"mac80211: AMPDU rx reorder timeout timer"
During a BA teardown, the pointer to the soon-to-be-gone
tid_ampdu_rx element will be nullified. Therefore the
release timer mechanism has to be careful not to
accidentally access the item without any RCU protection.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/mac80211/rx.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index e1844f7085de..e67deb48af5c 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c | |||
@@ -2479,6 +2479,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) | |||
2479 | { | 2479 | { |
2480 | struct sk_buff_head frames; | 2480 | struct sk_buff_head frames; |
2481 | struct ieee80211_rx_data rx = { }; | 2481 | struct ieee80211_rx_data rx = { }; |
2482 | struct tid_ampdu_rx *tid_agg_rx; | ||
2483 | |||
2484 | tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); | ||
2485 | if (!tid_agg_rx) | ||
2486 | return; | ||
2482 | 2487 | ||
2483 | __skb_queue_head_init(&frames); | 2488 | __skb_queue_head_init(&frames); |
2484 | 2489 | ||
@@ -2493,10 +2498,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) | |||
2493 | test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning))) | 2498 | test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning))) |
2494 | rx.flags |= IEEE80211_RX_IN_SCAN; | 2499 | rx.flags |= IEEE80211_RX_IN_SCAN; |
2495 | 2500 | ||
2496 | spin_lock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock); | 2501 | spin_lock(&tid_agg_rx->reorder_lock); |
2497 | ieee80211_sta_reorder_release(&sta->local->hw, | 2502 | ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx, &frames); |
2498 | sta->ampdu_mlme.tid_rx[tid], &frames); | 2503 | spin_unlock(&tid_agg_rx->reorder_lock); |
2499 | spin_unlock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock); | ||
2500 | 2504 | ||
2501 | ieee80211_rx_handlers(&rx, &frames); | 2505 | ieee80211_rx_handlers(&rx, &frames); |
2502 | } | 2506 | } |