Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3920401imm; Mon, 8 Oct 2018 11:42:24 -0700 (PDT) X-Google-Smtp-Source: ACcGV60SCaViWh7btSm5p8ZMG+C94pKJzsFArLOQ0dFRdoqz+K2UaGIh4EaBN7HPKD6EQHCm1zE2 X-Received: by 2002:a17:902:4e:: with SMTP id 72-v6mr574078pla.204.1539024144858; Mon, 08 Oct 2018 11:42:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539024144; cv=none; d=google.com; s=arc-20160816; b=IfcSW/jVRUAaaiS73rD9Aj4zMGuhG2zwp0j9kE9W3YZ2GlG5CgNafl/hB7EyYnzCO6 ttDbWalT8SSeqETt+BM2jqAjTOt7qbghijHDQnrs5o27K/6QlPArLzsm3Yb1dcM7piN6 pz7/2rHEc2KQ9KHISLN66JXttlCjw0BwIWP+ObATxqDqJNempc+8ylIJLyGGLYTOdqxu 2wkMmhAeomFB44DYS8jxtZC2nW3yXH035SjjSaIrDwNrduMq3Po+hoNZ6x02RTUmSrx0 9NxPZaeX9OtKkWH8omlGGOYXvUhMbyp06XXwejNpsH8MoaEEzhC/gFMnXvhpfNnuOSCq Qxfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=wDK7eV5Aq9nijHSwbgUUljSnC0zzjR8VUtbootI0wrU=; b=ORuFE1vyCocWdSNywKrI/HpPvF+o2EmuqyRqYLYz0sDXO11IyLdxpE1U25XYWsbxgL 0eVbwX7M+Px5XeoQxuozgl8xkAg+H+oP2gd6CzNfYlH1sTncPqhWpsCAo5zMOaxOO1kB xggrRHfX+f2n7kSbmOQp0d0UnYmLd0PyZT0Kh/JFONlmQNT1zwGUPlV8ozts9pQ9pzHK 5w7tnTirLzdbMMiC1EZzS6JQRy9lkUQ/2M6kWOp71zMsVRQOf7VTL3Vkj1P6G/VFGCEF 64vgll5+ElxZvAmrJGSli6XIto3phgBmW9NO6Zf4FsEimJmWiTtEpsLJOeIYYX1Mp6xt AWLA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=IcEybA78; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b35-v6si19145040plh.308.2018.10.08.11.42.09; Mon, 08 Oct 2018 11:42:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=IcEybA78; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730138AbeJIBzH (ORCPT + 99 others); Mon, 8 Oct 2018 21:55:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:42644 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729698AbeJIBzF (ORCPT ); Mon, 8 Oct 2018 21:55:05 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 962A62064A; Mon, 8 Oct 2018 18:42:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024121; bh=TNVg3ttGWhiM1WZBRAJB94Very+byzv1U5CC/HP28po=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IcEybA78aCZjUSwNkkMNrSAm4NsJLhHbXJyCF0wBo+5phHk8DEhNrDuXjDmjle71i SWSX+RnnQruCr/8mx/u/hETgksWNeK5/dWMr+bxvSwyN0DccfoQNth51eHRumXl4Lx Val3kNRbHtctn9RSdAWwGeXuuLdnOpBRtkL/Uels= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Greear , =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , Johannes Berg , Sasha Levin Subject: [PATCH 4.14 05/94] mac80211: Run TXQ teardown code before de-registering interfaces Date: Mon, 8 Oct 2018 20:30:46 +0200 Message-Id: <20181008175605.316344007@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175605.067676667@linuxfoundation.org> References: <20181008175605.067676667@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: "Toke H?iland-J?rgensen" [ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ] The TXQ teardown code can reference the vif data structures that are stored in the netdev private memory area if there are still packets on the queue when it is being freed. Since the TXQ teardown code is run after the netdevs are freed, this can lead to a use-after-free. Fix this by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). Reported-by: Ben Greear Tested-by: Ben Greear Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/mac80211/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1171,6 +1171,7 @@ void ieee80211_unregister_hw(struct ieee #if IS_ENABLED(CONFIG_IPV6) unregister_inet6addr_notifier(&local->ifa6_notifier); #endif + ieee80211_txq_teardown_flows(local); rtnl_lock(); @@ -1199,7 +1200,6 @@ void ieee80211_unregister_hw(struct ieee skb_queue_purge(&local->skb_queue); skb_queue_purge(&local->skb_queue_unreliable); skb_queue_purge(&local->skb_queue_tdls_chsw); - ieee80211_txq_teardown_flows(local); destroy_workqueue(local->workqueue); wiphy_unregister(local->hw.wiphy);