- From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <[email protected]>
- Date: Mon, 13 Aug 2018 14:16:25 +0200
- Subject: [PATCH] mac80211: Run TXQ teardown code before de-registering
- interfaces
- MIME-Version: 1.0
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: 8bit
- The TXQ teardown code can reference the vif data structures that are
- stored in the netdev private memory area if there are still packets on
- the queue when it is being freed. Since the TXQ teardown code is run
- after the netdevs are freed, this can lead to a use-after-free. Fix this
- by moving the TXQ teardown code to earlier in ieee80211_unregister_hw().
- Reported-by: Ben Greear <[email protected]>
- Tested-by: Ben Greear <[email protected]>
- Signed-off-by: Toke Høiland-Jørgensen <[email protected]>
- Signed-off-by: Johannes Berg <[email protected]>
- ---
- --- a/net/mac80211/main.c
- +++ b/net/mac80211/main.c
- @@ -1172,6 +1172,7 @@ void ieee80211_unregister_hw(struct ieee
- #if IS_ENABLED(__disabled__CONFIG_IPV6)
- unregister_inet6addr_notifier(&local->ifa6_notifier);
- #endif
- + ieee80211_txq_teardown_flows(local);
-
- rtnl_lock();
-
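Review bot: The added `ieee80211_txq_teardown_flows(local);` sits directly under the `#endif` with no blank line and no comment, so it reads as part of the IPv6 notifier block, and nothing in the code records why it has to come before `rtnl_lock()`. Please separate it with a blank line and add a short comment stating the ordering constraint from the commit message (the teardown can dereference vif data held in netdev private memory, so it must run before the interfaces are de-registered). Otherwise a later cleanup could move it back and reintroduce the use-after-free. Since the call now runs outside the RTNL lock and while the interfaces are still registered, it is also worth stating in the commit message what guarantees that no new packets can be enqueued on the TXQs after this point.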
- @@ -1200,7 +1201,6 @@ void ieee80211_unregister_hw(struct ieee
- skb_queue_purge(&local->skb_queue);
- skb_queue_purge(&local->skb_queue_unreliable);
- skb_queue_purge(&local->skb_queue_tdls_chsw);
- - ieee80211_txq_teardown_flows(local);
-
- destroy_workqueue(local->workqueue);
- wiphy_unregister(local->hw.wiphy);
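Review bot: With the teardown call dropped from this position, the three `skb_queue_purge()` calls and `destroy_workqueue(local->workqueue)` now execute after the TXQ flows are already gone. Please confirm that no work item that can still be pending on `local->workqueue` at this point touches the TXQ flow state, since that would trade the use-after-free described in the commit message for a different one. A sentence in the commit message covering this ordering would make the move easier to audit.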