From patchwork Fri Feb 2 10:36:45 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= X-Patchwork-Id: 10196453 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 5900360362 for ; Fri, 2 Feb 2018 10:37:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3F697285EE for ; Fri, 2 Feb 2018 10:37:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 33F712871B; Fri, 2 Feb 2018 10:37:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A811E285EE for ; Fri, 2 Feb 2018 10:37:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751774AbeBBKh4 (ORCPT ); Fri, 2 Feb 2018 05:37:56 -0500 Received: from mail.toke.dk ([52.28.52.200]:47147 "EHLO mail.toke.dk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751671AbeBBKhz (ORCPT ); Fri, 2 Feb 2018 05:37:55 -0500 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1517567873; bh=nwiPKQF0hDNs1/2wDy/UlLBugi6XGx08+dKtfj0Z4MA=; h=From:To:Cc:Subject:Date:From; b=ykqG2tr3SUdEa+/M/ubE6Xkp27woAPxkroUW0rwpHRYSyFk3apVuGtP3RmNxy0EP5 LUu/TNOFNgalmHipGUcVF+T83EoJaGT730HOBdFj9iUK5Xts7qsir34FrONvWrOJal Abwo1NvNLsB/o5Vp7f/hwQYsyJJrgMSP9oC20jeoWjMBsbHbZ6SjVxdl16/EwUwSfR bj/9acFtT5KEW+gJVR812fHifSUwA4zRzAdUS2eoj1+yvg8QYEA7FSjAlgALKlRjsv ZdCaLrR44ntOS0H9MWb8UaQWoJkSA4zTUR9wwbi1IXg6VJXZaPAHorHP2c+VxYKnXv wi/k87f6Sf7GA== To: linux-wireless@vger.kernel.org Cc: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , stable@vger.kernel.org Subject: [PATCH] ath9k: Protect queue draining by rcu_read_lock() Date: Fri, 2 Feb 2018 11:36:45 +0100 Message-Id: <20180202103645.12215-1-toke@toke.dk> MIME-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When ath9k was switched over to use the mac80211 intermediate queues, node cleanup now drains the mac80211 queues. However, this call path is not protected by rcu_read_lock() as it was previously entirely internal to the driver which uses its own locking. This leads to a possible rcu_dereference() without holding rcu_read_lock(); but only if a station is cleaned up while having packets queued on the TXQ. Fix this by adding the rcu_read_lock() to the caller in ath9k. Fixes: 50f08edf9809 ("ath9k: Switch to using mac80211 intermediate software queues.") Cc: stable@vger.kernel.org Reported-by: Ben Greear Signed-off-by: Toke Høiland-Jørgensen --- drivers/net/wireless/ath/ath9k/xmit.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 396bf05c6bf6..d8b041f48ca8 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -2892,6 +2892,8 @@ void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an) struct ath_txq *txq; int tidno; + rcu_read_lock(); + for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) { tid = ath_node_to_tid(an, tidno); txq = tid->txq; @@ -2909,6 +2911,8 @@ void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an) if (!an->sta) break; /* just one multicast ath_atx_tid */ } + + rcu_read_unlock(); } #ifdef CONFIG_ATH9K_TX99