2012-06-03 20:32:38

by Arik Nemtsov

Subject: [PATCH] mac80211: fix non RCU-safe sta_list manipulation

sta_info_cleanup locks the sta_list using rcu_read_lock; however,
the delete operation isn't RCU-safe. A race between the sta_info_cleanup
timer being called and a STA being removed can occur, which leads
to a panic while traversing sta_list. Fix this by switching to the
RCU-safe versions.

Cc: [email protected]
Reported-by: Eyal Shapira <[email protected]>
Signed-off-by: Arik Nemtsov <[email protected]>
---
net/mac80211/sta_info.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index f5c2b7e..a37c905 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -378,7 +378,7 @@ static int sta_info_insert_finish(struct sta_info *sta) __acquires(RCU)
/* make the station visible */
sta_info_hash_add(local, sta);

- list_add(&sta->list, &local->sta_list);
+ list_add_rcu(&sta->list, &local->sta_list);

set_sta_flag(sta, WLAN_STA_INSERTED);

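Review bot: list_add_rcu on the changed line only fixes the reader side (sta_info_cleanup iterating under rcu_read_lock, per the commit message); it does not serialize writers against each other, so the lock that protects list updates must still be held here and should be named in the commit message, since this hunk does not show it.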
@@ -688,7 +688,7 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
if (ret)
return ret;

- list_del(&sta->list);
+ list_del_rcu(&sta->list);

mutex_lock(&local->key_mtx);
for (i = 0; i < NUM_DEFAULT_KEYS; i++)
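Review bot: list_del_rcu on the changed line unlinks the entry safely, but a reader that entered sta_list under rcu_read_lock may still hold the sta pointer after this returns; the hunk does not show where sta is freed, so please confirm that __sta_info_destroy defers the free across an RCU grace period (synchronize_rcu or call_rcu) rather than freeing immediately after the key loop, otherwise the race described in the commit message becomes a use-after-free instead of a panic.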
--
1.7.9.5



2012-06-04 06:17:31

by Johannes Berg

Subject: Re: [PATCH] mac80211: fix non RCU-safe sta_list manipulation

On Sun, 2012-06-03 at 23:32 +0300, Arik Nemtsov wrote:
> sta_info_cleanup locks the sta_list using rcu_read_lock; however,
> the delete operation isn't RCU-safe. A race between the sta_info_cleanup
> timer being called and a STA being removed can occur, which leads
> to a panic while traversing sta_list. Fix this by switching to the
> RCU-safe versions.

Good catch!

johannes