mac80211: fix rcu-unsafe pointer dereference
author: Christian Lamparter <chunkeey@googlemail.com>
Tue, 24 Aug 2010 17:22:42 +0000 (19:22 +0200)
committer: John W. Linville <linville@tuxdriver.com>
Wed, 25 Aug 2010 18:34:56 +0000 (14:34 -0400)
This patch fixes a potential crash (null-pointer dereference)
which was introduced in my previous patch:
 "mac80211: AMPDU rx reorder timeout timer"

During a BA teardown, the pointer to the soon-to-be-gone
tid_ampdu_rx element will be nullified. Therefore the
release timer mechanism has to be careful not to
accidentally access the item without any RCU protection.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
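The race the commit message describes, as an added user-space model that is not part of the kernel patch or of mac80211: the per-TID slot sta->ampdu_mlme.tid_rx[tid] is modelled as one C11 atomic pointer, BA teardown clears the slot and frees the element only after a simulated grace period (as RCU does), and a hypothetical "preempt" callback invoked between two loads of the slot stands in for the teardown running concurrently on another CPU. The pre-fix path re-reads the slot for every use and reports -1 where the real code would dereference NULL; the post-fix path loads the slot once, checks it, and only uses the snapshot. All names below (struct tid_rx, struct sta, preempt_fn, scenario, etc.) are this example's own.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct tid_ampdu_rx: only what the model needs. */
struct tid_rx {
	int frames_pending;	/* frames the reorder buffer would release */
};

/* Stand-in for sta->ampdu_mlme.tid_rx[]: one RCU-style pointer per TID. */
struct sta {
	_Atomic(struct tid_rx *) tid_rx[16];
};

/* Hypothetical hook: code that may run between two loads of the slot,
 * e.g. BA teardown on another CPU. NULL means nothing interferes. */
typedef void (*preempt_fn)(struct sta *sta, int tid);

/* Deferred-free list: the element outlives the clear, as under RCU. */
static struct tid_rx *deferred_free[16];

/* Teardown as the commit message describes it: the slot is nullified
 * first; the element is freed only when the "grace period" ends. */
static void ba_teardown(struct sta *sta, int tid)
{
	deferred_free[tid] = atomic_exchange(&sta->tid_rx[tid],
					     (struct tid_rx *)NULL);
}

static void grace_period_end(int tid)
{
	free(deferred_free[tid]);
	deferred_free[tid] = NULL;
}

/* Pre-fix shape: each use re-reads the slot. Returns frames released, or
 * -1 where the kernel code, which has no check, would dereference NULL. */
static int release_timeout_old(struct sta *sta, int tid, preempt_fn preempt)
{
	struct tid_rx *p;

	p = atomic_load(&sta->tid_rx[tid]);	/* spin_lock(&...tid_rx[tid]->reorder_lock) */
	if (!p)
		return -1;
	if (preempt)
		preempt(sta, tid);		/* teardown clears the slot here */
	p = atomic_load(&sta->tid_rx[tid]);	/* ieee80211_sta_reorder_release(..., tid_rx[tid], ...) */
	if (!p)
		return -1;			/* NULL dereference in the real code */
	return p->frames_pending;
}

/* Post-fix shape: one load (rcu_dereference() in the kernel), one NULL
 * check, then only the snapshot is used. A teardown after the check is
 * harmless because the element is not freed until the grace period ends. */
static int release_timeout_new(struct sta *sta, int tid, preempt_fn preempt)
{
	struct tid_rx *p = atomic_load(&sta->tid_rx[tid]);

	if (!p)
		return 0;			/* nothing to release */
	if (preempt)
		preempt(sta, tid);
	return p->frames_pending;
}

/* Build a station with `frames` pending on `tid` (constructed input). */
static struct sta *make_sta(int tid, int frames)
{
	struct sta *s = calloc(1, sizeof(*s));
	struct tid_rx *r = calloc(1, sizeof(*r));

	r->frames_pending = frames;
	atomic_store(&s->tid_rx[tid], r);
	return s;
}

/* One scenario: fresh station, 5 frames on TID 3, old or new release
 * path, with or without a teardown racing between the two loads. */
static int scenario(int use_new_path, int race_with_teardown)
{
	struct sta *s = make_sta(3, 5);
	preempt_fn hook = race_with_teardown ? ba_teardown : NULL;
	int ret = use_new_path ? release_timeout_new(s, 3, hook)
			       : release_timeout_old(s, 3, hook);

	if (race_with_teardown)
		grace_period_end(3);		/* reader is done: free now */
	else
		free(atomic_load(&s->tid_rx[3]));
	free(s);
	return ret;
}

int main(void)
{
	printf("old path, no race:  %d\n", scenario(0, 0));	/* 5 */
	printf("old path, teardown: %d\n", scenario(0, 1));	/* -1 */
	printf("new path, teardown: %d\n", scenario(1, 1));	/* 5 */
	return 0;
}
```

The model deliberately keeps the element alive after the slot is cleared: that is the property the fixed kernel code relies on, and the snapshot-then-use pattern is only safe while the reader sits inside the RCU read-side critical section that delays the free.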
net/mac80211/rx.c

index e1844f7085debca9aff358a332260d634b160d51..e67deb48af5cc31653730472316486a3016be7e9 100644 (file)
@@ -2479,6 +2479,11 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
 {
        struct sk_buff_head frames;
        struct ieee80211_rx_data rx = { };
+       struct tid_ampdu_rx *tid_agg_rx;
+
+       tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
+       if (!tid_agg_rx)
+               return;
 
        __skb_queue_head_init(&frames);
 
@@ -2493,10 +2498,9 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
                     test_bit(SCAN_OFF_CHANNEL, &sta->local->scanning)))
                rx.flags |= IEEE80211_RX_IN_SCAN;
 
-       spin_lock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
-       ieee80211_sta_reorder_release(&sta->local->hw,
-               sta->ampdu_mlme.tid_rx[tid], &frames);
-       spin_unlock(&sta->ampdu_mlme.tid_rx[tid]->reorder_lock);
+       spin_lock(&tid_agg_rx->reorder_lock);
+       ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx, &frames);
+       spin_unlock(&tid_agg_rx->reorder_lock);
 
        ieee80211_rx_handlers(&rx, &frames);
 }
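Review bot: caching the pointer in tid_agg_rx closes the race the commit message describes (the removed lines loaded sta->ampdu_mlme.tid_rx[tid] three separate times, so a teardown between the spin_lock load and the ieee80211_sta_reorder_release or spin_unlock load turned into a NULL dereference), but it only turns that crash into a use-after-free unless the teardown side frees the element after an RCU grace period; that dependency is worth a sentence in the commit message or a comment beside spin_lock(&tid_agg_rx->reorder_lock). Minor: do not re-read the slot before taking reorder_lock to "double check"; under RCU semantics the single snapshot is the correct thing to lock.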