Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754098AbcDRDPw (ORCPT ); Sun, 17 Apr 2016 23:15:52 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:36296 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753958AbcDRCev (ORCPT ); Sun, 17 Apr 2016 22:34:51 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michal Kazior , Johannes Berg Subject: [PATCH 4.5 091/124] mac80211: fix txq queue related crashes Date: Mon, 18 Apr 2016 11:29:23 +0900 Message-Id: <20160418022620.419984028@linuxfoundation.org> X-Mailer: git-send-email 2.8.0 In-Reply-To: <20160418022615.726954227@linuxfoundation.org> References: <20160418022615.726954227@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1129 Lines: 37 4.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Michal Kazior commit 2a58d42c1e018ad514d4e23fd33fb2ded95d3ee6 upstream. The driver can access the queue simultanously while mac80211 tears down the interface. Without spinlock protection this could lead to corrupting sk_buff_head and subsequently to an invalid pointer dereference. Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation") Signed-off-by: Michal Kazior Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/mac80211/iface.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -977,7 +977,10 @@ static void ieee80211_do_stop(struct iee if (sdata->vif.txq) { struct txq_info *txqi = to_txq_info(sdata->vif.txq); + spin_lock_bh(&txqi->queue.lock); ieee80211_purge_tx_queue(&local->hw, &txqi->queue); + spin_unlock_bh(&txqi->queue.lock); + atomic_set(&sdata->txqs_len[txqi->txq.ac], 0); }