606897d1fe9acaea76a4f13a187fe6bc3f80e669
[openwrt/staging/blogic.git] /
1 From a50e5fb8db83c5b57392204c21ea6c5c4ccefde6 Mon Sep 17 00:00:00 2001
2 From: Sara Sharon <sara.sharon@intel.com>
3 Date: Sat, 15 Dec 2018 11:03:10 +0200
4 Subject: [PATCH 1/3] mac80211: fix a kernel panic when TXing after TXQ
5 teardown
6
7 Recently TXQ teardown was moved earlier in ieee80211_unregister_hw(),
8 to avoid a use-after-free of the netdev data. However, interfaces
9 aren't fully removed at the point, and cfg80211_shutdown_all_interfaces
10 can for example, TX a deauth frame. Move the TXQ teardown to the
11 point between cfg80211_shutdown_all_interfaces and the free of
12 netdev queues, so we can be sure they are torn down before netdev
13 is freed, but after there is no ongoing TX.
14
15 Fixes: 77cfaf52eca5 ("mac80211: Run TXQ teardown code before de-registering interfaces")
16 Signed-off-by: Sara Sharon <sara.sharon@intel.com>
17 Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
18 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
19 ---
20 net/mac80211/iface.c | 3 +++
21 net/mac80211/main.c | 2 --
22 2 files changed, 3 insertions(+), 2 deletions(-)
23
24 --- a/net/mac80211/iface.c
25 +++ b/net/mac80211/iface.c
26 @@ -7,6 +7,7 @@
27 * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
28 * Copyright 2013-2014 Intel Mobile Communications GmbH
29 * Copyright (c) 2016 Intel Deutschland GmbH
30 + * Copyright (C) 2018 Intel Corporation
31 *
32 * This program is free software; you can redistribute it and/or modify
33 * it under the terms of the GNU General Public License version 2 as
34 @@ -2035,6 +2036,8 @@ void ieee80211_remove_interfaces(struct
35 WARN(local->open_count, "%s: open count remains %d\n",
36 wiphy_name(local->hw.wiphy), local->open_count);
37
38 + ieee80211_txq_teardown_flows(local);
39 +
40 mutex_lock(&local->iflist_mtx);
41 list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
42 list_del(&sdata->list);
43 --- a/net/mac80211/main.c
44 +++ b/net/mac80211/main.c
45 @@ -1200,7 +1200,6 @@ int ieee80211_register_hw(struct ieee802
46 rtnl_unlock();
47 ieee80211_led_exit(local);
48 ieee80211_wep_free(local);
49 - ieee80211_txq_teardown_flows(local);
50 fail_flows:
51 destroy_workqueue(local->workqueue);
52 fail_workqueue:
53 @@ -1226,7 +1225,6 @@ void ieee80211_unregister_hw(struct ieee
54 #if IS_ENABLED(__disabled__CONFIG_IPV6)
55 unregister_inet6addr_notifier(&local->ifa6_notifier);
56 #endif
57 - ieee80211_txq_teardown_flows(local);
58
59 rtnl_lock();
60