linux/net/mac80211
Bob Copeland 749329594b mac80211: mesh: fix crash in mesh_path_timer
The mesh_path_reclaim() function, called from an rcu callback, cancels
the mesh_path_timer associated with a mesh path.  Unfortunately, this
call can happen much later, perhaps after the hash table itself is
destroyed.

Such a situation led to the following crash in mesh_path_send_to_gates()
when dereferencing the tbl pointer:

[   23.901661] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[   23.905516] IP: [<ffffffff814c910b>] mesh_path_send_to_gates+0x2b/0x740
[   23.908757] PGD 99ca067 PUD 99c4067 PMD 0
[   23.910789] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[   23.913485] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-wt+ #43
[   23.916675] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[   23.920471] task: ffffffff81685500 ti: ffffffff81678000 task.ti: ffffffff81678000
[   23.922619] RIP: 0010:[<ffffffff814c910b>]  [<ffffffff814c910b>] mesh_path_send_to_gates+0x2b/0x740
[   23.925237] RSP: 0018:ffff88000b403d30  EFLAGS: 00010286
[   23.926739] RAX: 0000000000000000 RBX: ffff880009bc0d20 RCX: 0000000000000102
[   23.928796] RDX: 000000000000002e RSI: 0000000000000001 RDI: ffff880009bc0d20
[   23.930895] RBP: ffff88000b403e18 R08: 0000000000000001 R09: 0000000000000001
[   23.932917] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880009c20940
[   23.936370] R13: ffff880009bc0e70 R14: ffff880009c21c40 R15: ffff880009bc0d20
[   23.939823] FS:  0000000000000000(0000) GS:ffff88000b400000(0000) knlGS:0000000000000000
[   23.943688] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   23.946429] CR2: 0000000000000008 CR3: 00000000099c5000 CR4: 00000000000006b0
[   23.949861] Stack:
[   23.950840]  000000000000002e ffff880009c20940 ffff88000b403da8 ffffffff8109e551
[   23.954467]  ffffffff82711be2 000000000000002e 0000000000000000 ffffffff8166a5f5
[   23.958141]  0000000000685ce8 0000000000000246 ffff880009bc0d20 ffff880009c20940
[   23.961801] Call Trace:
[   23.962987]  <IRQ>
[   23.963963]  [<ffffffff8109e551>] ? vprintk_emit+0x351/0x5e0
[   23.966782]  [<ffffffff8109e8ff>] ? vprintk_default+0x1f/0x30
[   23.969529]  [<ffffffff810ffa41>] ? printk+0x48/0x50
[   23.971956]  [<ffffffff814ceef3>] mesh_path_timer+0x133/0x160
[   23.974707]  [<ffffffff814cedc0>] ? mesh_nexthop_resolve+0x230/0x230
[   23.977775]  [<ffffffff810b04ee>] call_timer_fn+0xce/0x330
[   23.980448]  [<ffffffff810b0425>] ? call_timer_fn+0x5/0x330
[   23.983126]  [<ffffffff814cedc0>] ? mesh_nexthop_resolve+0x230/0x230
[   23.986091]  [<ffffffff810b097c>] run_timer_softirq+0x22c/0x390

Instead of cancelling in the RCU callback, set a new flag to prevent the
timer from being rearmed, and then cancel the timer synchronously when
freeing the mesh path.  This leaves mesh_path_reclaim() doing nothing
but kfree, so switch to kfree_rcu().

Fixes: 3b302ada7f0a ("mac80211: mesh: move path tables into if_mesh")
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-04-05 21:34:49 +02:00
aes_ccm.c mac80211: Switch to new AEAD interface 2015-05-28 11:23:20 +08:00
aes_ccm.h mac80111: Add CCMP-256 cipher 2015-01-27 11:07:35 +01:00
aes_cmac.c mac80211: remove ieee80211_aes_cmac_calculate_k1_k2() 2015-08-13 11:31:45 +02:00
aes_cmac.h mac80111: Add BIP-CMAC-256 cipher 2015-01-27 11:09:13 +01:00
aes_gcm.c mac80211: Switch to new AEAD interface 2015-05-28 11:23:20 +08:00
aes_gcm.h mac80111: Add GCMP and GCMP-256 ciphers 2015-01-27 11:06:09 +01:00
aes_gmac.c mac80211: Switch to new AEAD interface 2015-05-28 11:23:20 +08:00
aes_gmac.h mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
agg-rx.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-03-08 12:34:12 -05:00
agg-tx.c mac80211: pass block ack session timeout to to driver 2016-01-14 11:13:17 +01:00
cfg.c mac80211: track and tell driver about GO client P2P PS abilities 2016-04-05 21:34:49 +02:00
chan.c mac80211: Recalc min chandef when station is associated 2016-02-24 09:04:19 +01:00
debug.h mac80211: 802.11p OCB mode support 2014-11-04 13:18:21 +01:00
debugfs_key.c mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
debugfs_key.h
debugfs_netdev.c mac80211: remove last_beacon/ave_beacon debugfs files 2015-09-22 15:21:25 +02:00
debugfs_netdev.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
debugfs_sta.c mac80211: clean up station flags debugfs 2016-04-05 12:12:26 +02:00
debugfs_sta.h
debugfs.c Here's another round of updates for -next: 2016-03-01 17:03:27 -05:00
debugfs.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
driver-ops.c mac80211: pass block ack session timeout to to driver 2016-01-14 11:13:17 +01:00
driver-ops.h mac80211: synchronize driver rx queues before removing a station 2016-04-05 10:56:34 +02:00
ethtool.c mac80211: move station statistics into sub-structs 2015-10-21 10:08:22 +02:00
ht.c mac80211: limit the A-MSDU Tx based on peer's capabilities 2016-02-24 09:04:20 +01:00
ibss.c Here's another round of updates for -next: 2016-03-01 17:03:27 -05:00
ieee80211_i.h mac80211: mesh: convert path table to rhashtable 2016-04-05 10:56:33 +02:00
iface.c mac80211: expose txq queue depth and size to drivers 2016-02-24 09:04:30 +01:00
Kconfig mac80211: use DECLARE_EWMA 2015-08-14 17:49:53 +02:00
key.c mac80211: remove ieee80211_get_key_tx_seq/ieee80211_set_key_tx_seq 2016-02-24 09:04:39 +01:00
key.h mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
led.c mac80211: fix throughput LED trigger 2015-05-11 19:16:04 +02:00
led.h mac80211: make LED triggering depend on activation 2015-05-05 14:21:56 +02:00
main.c mac80211: add NETIF_F_RXCSUM to features white list 2016-04-05 11:45:51 +02:00
Makefile mac80211: remove event.c 2015-10-14 18:40:26 +02:00
mesh_hwmp.c mac80211: mesh: fix crash in mesh_path_timer 2016-04-05 21:34:49 +02:00
mesh_pathtbl.c mac80211: mesh: fix crash in mesh_path_timer 2016-04-05 21:34:49 +02:00
mesh_plink.c mac80211: mesh_plink: remove redundant sta_info check 2016-02-24 09:04:25 +01:00
mesh_ps.c mac80211: mesh: separate plid and aid concepts 2015-07-17 15:47:11 +02:00
mesh_sync.c mac80211: move mesh related station fields to own struct 2015-07-17 15:38:06 +02:00
mesh.c mac80211: mesh: convert path table to rhashtable 2016-04-05 10:56:33 +02:00
mesh.h mac80211: mesh: fix crash in mesh_path_timer 2016-04-05 21:34:49 +02:00
michael.c
michael.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
mlme.c mac80211: avoid useless memory write on each frame RX 2016-04-05 21:34:21 +02:00
ocb.c mac80211: move station statistics into sub-structs 2015-10-21 10:08:22 +02:00
offchannel.c mac80211: avoid ROC during hw restart 2016-01-14 11:10:14 +01:00
pm.c mac80211: don't reconfigure sched scan in case of wowlan 2015-11-03 10:42:05 +01:00
rate.c mac80211: further improve "no supported rates" warning 2015-11-03 10:56:42 +01:00
rate.h mac80211: remove sta_info debugfs sub-struct 2016-04-05 11:59:05 +02:00
rc80211_minstrel_debugfs.c mac80211: minstrel[_ht]: remove non-ascii debugfs characters 2015-09-29 15:56:47 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel[_ht]: remove non-ascii debugfs characters 2015-09-29 15:56:47 +02:00
rc80211_minstrel_ht.c mac80211: minstrel_ht: improve sample rate skip logic 2016-04-05 11:40:06 +02:00
rc80211_minstrel_ht.h mac80211: add max lossless throughput per rate 2015-04-01 20:44:32 +02:00
rc80211_minstrel.c mac80211: minstrel: Change expected throughput unit back to Kbps 2016-02-02 15:57:02 +01:00
rc80211_minstrel.h mac80211: add standard deviation to Minstrel stats 2015-04-01 20:44:33 +02:00
rx.c mac80211: fix cipher scheme function name 2016-04-05 12:12:41 +02:00
scan.c mac80211: Support a scan request for a specific BSSID 2016-04-05 10:56:28 +02:00
spectmgmt.c mac80211: remove unused variable in ieee80211_parse_ch_switch_ie() 2014-12-17 15:45:17 +01:00
sta_info.c mac80211: track and tell driver about GO client P2P PS abilities 2016-04-05 21:34:49 +02:00
sta_info.h mac80211: clean up station flags debugfs 2016-04-05 12:12:26 +02:00
status.c mac80211: use reset to set header pointer 2016-03-04 22:45:13 -05:00
tdls.c mac80211: TDLS: add proper HT-oper IE 2015-11-03 10:42:47 +01:00
tkip.c mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
tkip.h mac80211: move TKIP TX IVs to public part of key struct 2016-02-24 09:04:38 +01:00
trace_msg.h mac80211: Move message tracepoints to their own header 2015-04-07 12:32:09 -04:00
trace.c mac80211: Move message tracepoints to their own header 2015-04-07 12:32:09 -04:00
trace.h mac80211: synchronize driver rx queues before removing a station 2016-04-05 10:56:34 +02:00
tx.c mac80211: do not pass injected frames without a valid rate to the driver 2016-04-05 10:58:21 +02:00
util.c mac80211: allow not sending MIC up from driver for HW crypto 2016-04-05 10:48:56 +02:00
vht.c mac80211: move MU_MIMO_OWNER flag to ieee80211_vif 2016-02-24 09:04:40 +01:00
wep.c mac80211: move WEP tailroom size check 2015-05-11 14:51:29 +02:00
wep.h mac80211: move RX WEP weak IV counting 2012-03-13 14:54:16 -04:00
wme.c mac80211: synchronously reserve TID per station 2014-11-19 18:45:36 +01:00
wme.h mac80211: add WMM admission control support 2014-10-22 10:42:09 +02:00
wpa.c mac80211: allow not sending MIC up from driver for HW crypto 2016-04-05 10:48:56 +02:00
wpa.h mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00