author | Toke Høiland-Jørgensen <toke@toke.dk> | 2018-02-27 18:09:44 +0100 |
---|---|---|
committer | Kalle Valo <kvalo@codeaurora.org> | 2018-03-14 10:55:51 +0100 |
commit | 182b1917109892ab9f26d66bfdcbc4ba6f0a0a65 (patch) | |
tree | f5c2be05646afedf7805781e2f4887fbf05de893 | |
parent | ath10k: dma unmap mgmt tx buffer if wmi cmd send fails (diff) | |
ath9k: Protect queue draining by rcu_read_lock()

When ath9k was switched over to use the mac80211 intermediate queues,
node cleanup now drains the mac80211 queues. However, this call path is
not protected by rcu_read_lock() as it was previously entirely internal
to the driver which uses its own locking.

This leads to a possible rcu_dereference() without holding
rcu_read_lock(); but only if a station is cleaned up while having
packets queued on the TXQ. Fix this by adding the rcu_read_lock() to the
caller in ath9k.

Fixes: 50f08edf9809 ("ath9k: Switch to using mac80211 intermediate software queues.")
Cc: stable@vger.kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

-rw-r--r-- | drivers/net/wireless/ath/ath9k/xmit.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 396bf05c6bf6..d8b041f48ca8 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -2892,6 +2892,8 @@ void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an) struct ath_txq *txq; int tidno; + rcu_read_lock(); + for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) { tid = ath_node_to_tid(an, tidno); txq = tid->txq; @@ -2909,6 +2911,8 @@ void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an) if (!an->sta) break; /* just one multicast ath_atx_tid */ } + + rcu_read_unlock(); } #ifdef CONFIG_ATH9K_TX99 |
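
Review bot: in the first hunk (@@ -2892,6 +2892,8 @@) the rcu_read_lock() added before the `for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++)` loop has no comment naming what it protects, and the visible lines (`tid = ath_node_to_tid(an, tidno); txq = tid->txq;`) do not show an RCU dereference. The commit message says the dereference happens while draining the mac80211 queues; a one-line comment above the lock saying so would keep a later cleanup from dropping it as unnecessary. Since the read-side section spans the whole loop rather than only the draining call, it is also worth confirming that nothing in the loop body can sleep.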
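
Review bot: in the second hunk (@@ -2909,6 +2911,8 @@) the rcu_read_unlock() after the loop is balanced only because the one visible early exit, `if (!an->sta) break;`, leaves the loop and falls through to it. A `return` added inside the loop later would exit with the read-side section still held. Consider a short comment at the unlock noting that every exit from the loop must reach it, or narrowing the lock/unlock pair to the draining call inside the loop body so the pairing is visible in one place.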