[PATCH AUTOSEL 5.0 18/34] mac80211: Fix kernel panic due to use of txq after free

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Bhagavathi Perumal S" <bperumal@codeaurora.org>,
	"Toke Høiland-Jørgensen" <toke@redhat.com>,
	"Johannes Berg" <johannes.berg@intel.com>,
	"Sasha Levin" <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 18/34] mac80211: Fix kernel panic due to use of txq after free
Date: Thu, 16 May 2019 07:39:15 -0400	[thread overview]
Message-ID: <20190516113932.8348-18-sashal@kernel.org> (raw)
In-Reply-To: <20190516113932.8348-1-sashal@kernel.org>

From: Bhagavathi Perumal S <bperumal@codeaurora.org>

[ Upstream commit f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a ]

The txq of vif is added to active_txqs list for ATF TXQ scheduling
in the function ieee80211_queue_skb(), but it was not properly removed
before freeing the txq object. It was causing use after free of the txq
objects from the active_txqs list, result was kernel panic
due to invalid memory access.

Fix kernel invalid memory access by properly removing txq object
from active_txqs list before free the object.

Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/iface.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 4a6ff1482a9ff..02d2e6f11e936 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1908,6 +1908,9 @@ void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata)
 	list_del_rcu(&sdata->list);
 	mutex_unlock(&sdata->local->iflist_mtx);
 
+	if (sdata->vif.txq)
+		ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
+
 	synchronize_rcu();
 
 	if (sdata->dev) {
-- 
2.20.1

next prev parent reply	other threads:[~2019-05-16 11:48 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-16 11:38 [PATCH AUTOSEL 5.0 01/34] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
2019-05-16 11:38 ` [PATCH AUTOSEL 5.0 02/34] xfrm: Reset secpath in xfrm failure Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 03/34] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 04/34] vti4: ipip tunnel deregistration fixes Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 05/34] xfrm: clean up xfrm protocol checks Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 06/34] esp4: add length check for UDP encapsulation Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 07/34] xfrm: Honor original L3 slave device in xfrmi policy lookup Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 08/34] xfrm4: Fix uninitialized memory read in _decode_session4 Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 09/34] ARC: PAE40: don't panic and instead turn off hw ioc Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 10/34] clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 11/34] KVM: PPC: Book3S HV: Perserve PSSCR FAKE_SUSPEND bit on guest exit Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 12/34] KVM: PPC: Book3S: Protect memslots while validating user address Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 13/34] power: supply: cpcap-battery: Fix division by zero Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 14/34] securityfs: fix use-after-free on symlink traversal Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 15/34] apparmorfs: " Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 16/34] PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 17/34] x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012 Sasha Levin
2019-05-16 11:39 ` Sasha Levin [this message]
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 19/34] net: ieee802154: fix missing checks for regmap_update_bits Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 20/34] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 21/34] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 22/34] tools: bpftool: fix infinite loop in map create Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 23/34] bpf: Fix preempt_enable_no_resched() abuse Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 24/34] qmi_wwan: new Wistron, ZTE and D-Link devices Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 25/34] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 26/34] sched/cpufreq: Fix kobject memleak Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 27/34] x86/mm/mem_encrypt: Disable all instrumentation for early SME setup Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 28/34] KVM: fix KVM_CLEAR_DIRTY_LOG for memory slots of unaligned size Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39   ` sashal
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 29/34] KVM: selftests: make hyperv_cpuid test pass on AMD sashal
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 30/34] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 31/34] i2c: designware: ratelimit 'transfer when suspended' errors Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 32/34] perf bench numa: Add define for RUSAGE_THREAD if not present Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 33/34] perf cs-etm: Always allocate memory for cs_etm_queue::prev_packet Sasha Levin
2019-05-16 11:39   ` Sasha Levin
2019-05-16 11:39 ` [PATCH AUTOSEL 5.0 34/34] perf/x86/intel: Fix race in intel_pmu_disable_event() Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4a6ff1482a9f dfblob:02d2e6f11e93 )
 OR (
bs:"[PATCH AUTOSEL 5.0 18/34] mac80211: Fix kernel panic due to use of txq after free" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190516113932.8348-18-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=bperumal@codeaurora.org \
    --cc=johannes.berg@intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=toke@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.