Commit 3d065356 authored Feb 27, 2018 by Toke Høiland-Jørgensen Committed by Greg Kroah-Hartman Apr 19, 2018

ath9k: Protect queue draining by rcu_read_lock()



commit 182b1917 upstream.

When ath9k was switched over to use the mac80211 intermediate queues,
node cleanup now drains the mac80211 queues. However, this call path is
not protected by rcu_read_lock() as it was previously entirely internal
to the driver which uses its own locking.

This leads to a possible rcu_dereference() without holding
rcu_read_lock(); but only if a station is cleaned up while having
packets queued on the TXQ. Fix this by adding the rcu_read_lock() to the
caller in ath9k.

Fixes: 50f08edf ("ath9k: Switch to using mac80211 intermediate software queues.")
Cc: stable@vger.kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent aa3bfa29

drivers/net/wireless/ath/ath9k/xmit.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -2892,6 +2892,8 @@ void ath_tx_node_cleanup(struct ath_softc sc, struct ath_node an)
		struct ath_txq *txq;
		int tidno;

		rcu_read_lock();

		for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) {
		tid = ath_node_to_tid(an, tidno);
		txq = tid->txq;
		@@ -2909,6 +2911,8 @@ void ath_tx_node_cleanup(struct ath_softc sc, struct ath_node an)
		if (!an->sta)
		break; /* just one multicast ath_atx_tid */
		}

		rcu_read_unlock();
		}

		#ifdef CONFIG_ATH9K_TX99