mac80211: brcmfmac: backport 4.19 patches preparing monitor mode support
[openwrt/staging/wigyori.git] / package / kernel / mac80211 / patches / 374-ath9k-Protect-queue-draining-by-rcu_read_lock.patch
1 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
2 Date: Fri, 2 Feb 2018 11:36:45 +0100
3 Subject: [PATCH] ath9k: Protect queue draining by rcu_read_lock()
4 MIME-Version: 1.0
5 Content-Type: text/plain; charset=UTF-8
6 Content-Transfer-Encoding: 8bit
7
8 When ath9k was switched over to use the mac80211 intermediate queues,
9 node cleanup now drains the mac80211 queues. However, this call path is
10 not protected by rcu_read_lock() as it was previously entirely internal
11 to the driver which uses its own locking.
12
13 This leads to a possible rcu_dereference() without holding
14 rcu_read_lock(); but only if a station is cleaned up while having
15 packets queued on the TXQ. Fix this by adding the rcu_read_lock() to the
16 caller in ath9k.
17
18 Fixes: 50f08edf9809 ("ath9k: Switch to using mac80211 intermediate software queues.")
19 Cc: stable@vger.kernel.org
20 Reported-by: Ben Greear <greearb@candelatech.com>
21 Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
22 ---
23
24 --- a/drivers/net/wireless/ath/ath9k/xmit.c
25 +++ b/drivers/net/wireless/ath/ath9k/xmit.c
26 @@ -2915,6 +2915,8 @@ void ath_tx_node_cleanup(struct ath_soft
27 struct ath_txq *txq;
28 int tidno;
29
30 + rcu_read_lock();
31 +
32 for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) {
33 tid = ath_node_to_tid(an, tidno);
34 txq = tid->txq;
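Review bot: The read-side critical section opened by rcu_read_lock() ahead of the for loop covers every iteration over IEEE80211_NUM_TIDS, yet nothing in the visible lines shows which dereference needs it. A one-line comment above the call, saying that the mac80211 TXQ draining reached from this loop performs the rcu_dereference() (as the commit message explains), would keep a later cleanup from dropping the lock as unnecessary. Because the section spans the whole loop, also confirm that nothing called from the loop body can sleep.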
35 @@ -2932,6 +2934,8 @@ void ath_tx_node_cleanup(struct ath_soft
36 if (!an->sta)
37 break; /* just one multicast ath_atx_tid */
38 }
39 +
40 + rcu_read_unlock();
41 }
42
43 #ifdef CPTCFG_ATH9K_TX99
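Review bot: The rcu_read_unlock() placed after the loop's closing brace balances the lock only if every exit from the loop falls through to it. The visible `break` in the `if (!an->sta)` case does, but the part of the loop body that lies outside this hunk should be checked for any early `return`; if one exists, it needs its own rcu_read_unlock() or a jump to a common exit label.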