Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3924563imm; Mon, 8 Oct 2018 11:46:34 -0700 (PDT) X-Google-Smtp-Source: ACcGV616xhuU6fZ0jgWrj6A/e47unpbx9vjh75BtrDdtGpGLce46jPvw/r/z/yTS+e1yrnGXx/FU X-Received: by 2002:a63:ec4b:: with SMTP id r11-v6mr22068100pgj.295.1539024394587; Mon, 08 Oct 2018 11:46:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539024394; cv=none; d=google.com; s=arc-20160816; b=SmahT9ykprK68q7LyxLpxITU5H19S1arDj8UDXOVdxOy2VkfOv2hka29NLZeE2gQEp ENebnX8HAanikkuYhCXyAHDB9INpCbEihVqjNxISAQkNjGrdhUgqvIlC9qrrmoFDm/n7 LA18Z7qTENHCmniMfE37jq1Gy7WImqubXgHFR3sdFv2EzMs3LyOB1fiNv9foKzNqaOQq 6jFRlXDtMRx3YDx8d2WJ+IkeOgQCFeLgLysl3T9Piy3EWsfLefEdCdc1hgkGibmdPt86 BpdpzF6j9BY9h1r7Ei0IQi8pChLlXFtLs+9SuX6m4myBBopdJC7C29rDte3R/xePky2Z n0DQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=mcZhNkwJjR/lOydTP0TMVcJV+eW+uZJrjsC4NE0iflk=; b=okxzB7gBrFHIqiJ6sQz9CQVe4bIxIr+ElHuPg7n6szUpmLD5dqVXxZEVJqnOAIBsmY PBxWkVD5bBrzKsIXXj+1wr5sIqU+6Ojk7mwx7Aaw1xwKiQsplDB3/c4HhXes8gVPfDZT b33gLoOomoCmK+ktFtW9/YXDLyGtXzDL2gI1N9Nva5Rhtko68OgP7nzXOaDUuT9/8ejI 27uO5hJ7giSGv3jdTkMvTTGUK+l7z3gPp3d4bw5c1qkHeWRo64FbrqYHn1dJ6IRJ0ohn jcEL1FGM76d3PIs+WdIFd8lbio/JNk2s9LCaQB1On2dqdKGU/fmM97JZUfFsR8DZKeHl 1yJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zZm1ZfkH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u5-v6si17296382pgm.268.2018.10.08.11.46.19; Mon, 08 Oct 2018 11:46:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zZm1ZfkH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731064AbeJIB6u (ORCPT + 99 others); Mon, 8 Oct 2018 21:58:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:47002 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728570AbeJIB6u (ORCPT ); Mon, 8 Oct 2018 21:58:50 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BB48A204FD; Mon, 8 Oct 2018 18:45:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024344; bh=41p9KN9k4s3tPZUftJb1EMAJYi5aofoZtntKxNIhtGs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zZm1ZfkHFZg36ega5JSkSoREiuR9dnYWfqXeEzzFW05aYdISRCXSzQFKijvtqE7TC UXU5FimjcTtmzUg1277SyaZANYHty40cvlF/sMWQ3dDd8rN6vy+FM4OlMR97wpkE4h LySxoerAvMjhpqOkpS/H29J5k/u20xUK9qeJAsss= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Greear , =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , Johannes Berg , Sasha Levin Subject: [PATCH 4.18 002/168] mac80211: Run TXQ teardown code before de-registering interfaces Date: Mon, 8 Oct 2018 20:29:42 +0200 Message-Id: <20181008175620.132926836@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175620.043587728@linuxfoundation.org> References: <20181008175620.043587728@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: "Toke H?iland-J?rgensen" [ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ] The TXQ teardown code can reference the vif data structures that are stored in the netdev private memory area if there are still packets on the queue when it is being freed. Since the TXQ teardown code is run after the netdevs are freed, this can lead to a use-after-free. Fix this by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). Reported-by: Ben Greear Tested-by: Ben Greear Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/mac80211/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1182,6 +1182,7 @@ void ieee80211_unregister_hw(struct ieee #if IS_ENABLED(CONFIG_IPV6) unregister_inet6addr_notifier(&local->ifa6_notifier); #endif + ieee80211_txq_teardown_flows(local); rtnl_lock(); @@ -1210,7 +1211,6 @@ void ieee80211_unregister_hw(struct ieee skb_queue_purge(&local->skb_queue); skb_queue_purge(&local->skb_queue_unreliable); skb_queue_purge(&local->skb_queue_tdls_chsw); - ieee80211_txq_teardown_flows(local); destroy_workqueue(local->workqueue); wiphy_unregister(local->hw.wiphy);