From: Johannes Berg <johannes@sipsolutions.net>
To: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [RFC] mac80211: fix possible tid_rx->reorder_timer use after free
Date: Mon, 19 Mar 2012 14:50:36 +0100 [thread overview]
Message-ID: <1332165036.3359.37.camel@jlt3.sipsolutions.net> (raw)
In-Reply-To: <20120319134016.GC6169@redhat.com>

On Mon, 2012-03-19 at 14:40 +0100, Stanislaw Gruszka wrote:
> > > +static void ieee80211_free_tid_rx(struct tid_ampdu_rx *tid_rx)
> > > {
> > > - struct tid_ampdu_rx *tid_rx =
> > > - container_of(h, struct tid_ampdu_rx, rcu_head);
> > > int i;
> > >
> > > for (i = 0; i < tid_rx->buf_size; i++)
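Review bot: ieee80211_free_tid_rx() is no longer an RCU callback but a plain static function taking the tid_rx pointer directly, so the safety of the free now rests entirely on the caller, and nothing in the function enforces it; a short comment above it stating the precondition (call only after the RCU-visible pointer to this tid_rx has been cleared, a grace period has elapsed, and both timers have been stopped) would document that. The loop over tid_rx->buf_size is unchanged; if this was the only user of the rcu_head member, that member can be dropped from struct tid_ampdu_rx as well.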
> > > @@ -90,10 +88,12 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
> > > ieee80211_send_delba(sta->sdata, sta->sta.addr,
> > > tid, WLAN_BACK_RECIPIENT, reason);
> > >
> > > + synchronize_rcu();
> > > +
> > > del_timer_sync(&tid_rx->session_timer);
> > > del_timer_sync(&tid_rx->reorder_timer);
> > >
> > > - call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx);
> > > + ieee80211_free_tid_rx(tid_rx);
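Review bot: the ordering in this hunk is the whole fix and deserves a comment: synchronize_rcu() has to run before the two del_timer_sync() calls, because an RCU reader that still holds tid_rx can re-arm reorder_timer after del_timer_sync() has returned, and with the direct ieee80211_free_tid_rx(tid_rx) that re-armed timer would fire on freed memory, which is the use-after-free the subject describes. Two things to confirm: the RCU-protected pointer to tid_rx must already be cleared above this hunk, otherwise synchronize_rcu() does not exclude new readers; and this synchronize_rcu() now blocks every caller of ___ieee80211_stop_rx_ba_session() for a full grace period (the reply in this thread puts that at 100ms to 200ms), which is the cost concern raised in the discussion.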
> >
> > Hmmm. That synchronize_rcu() could become rather expensive. I've been
> > trying to reduce our use of synchronize_rcu() now.
>
> Expensive in what sense? Since we are in process context we are allowed
> to sleep, and some other processes will run while we sleep.
It takes a long time, and we have to wait for it. So for example, it
could delay roaming by another 100ms or however long it takes (yes, it
can take a very long time, we've seen up to 200ms I think).

johannes