[kernel/f16] mac80211: fix possible tid_rx->reorder_timer use after free

Josh Boyer jwboyer at fedoraproject.org
Tue Mar 20 12:54:07 UTC 2012


commit 85be624b7a7483af54e1be852f0e39c0a3f98ecb
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Mar 20 08:44:32 2012 -0400

    mac80211: fix possible tid_rx->reorder_timer use after free
    
      from Stanislaw Gruszka (rhbz 804007)

 kernel.spec                                        |   12 +++++-
 ...sible-tid_rx-reorder_timer-use-after-free.patch |   42 ++++++++++++++++++++
 2 files changed, 53 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 823c367..7b7cde5 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 2
+%global baserelease 3
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -765,6 +765,9 @@ Patch21244: mm-thp-fix-pmd_bad-triggering.patch
 
 Patch21300: unhandled-irqs-switch-to-polling.patch
 
+#rhbz 804007
+Patch21305: mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
+
 Patch21350: x86-ioapic-add-register-checks-for-bogus-io-apic-entries.patch
 
 Patch22000: weird-root-dentry-name-debug.patch
@@ -1415,6 +1418,9 @@ ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch
 #rhbz 728478
 ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch
 
+#rhbz 804007
+ApplyPatch mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
+
 ApplyPatch unhandled-irqs-switch-to-polling.patch
 
 ApplyPatch weird-root-dentry-name-debug.patch
@@ -2156,6 +2162,10 @@ fi
 # and build.
 
 %changelog
+* Tue Mar 20 2012 Josh Boyer <jwboyer at redhat.com>
+- mac80211: fix possible tid_rx->reorder_timer use after free
+  from Stanislaw Gruska (rhbz 804007)
+
 * Mon Mar 19 2012 Adam Jackson <ajax at redhat.com> - 3.3.0-2
 - drm-i915-dp-stfu.patch: Muzzle a bunch of DP WARN()s.  They're not wrong,
   but they're not helpful at this point.
diff --git a/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch b/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
new file mode 100644
index 0000000..accda8a
--- /dev/null
+++ b/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
@@ -0,0 +1,42 @@
+Is possible that we will arm the tid_rx->reorder_timer after
+del_timer_sync() in ___ieee80211_stop_rx_ba_session(). We need to stop
+timer after RCU grace period finish, so move it to
+ieee80211_free_tid_rx(). Timer will not be armed again, as
+rcu_dereference(sta->ampdu_mlme.tid_rx[tid]) will return NULL.
+
+Debug object detected problem with the following warning:
+ODEBUG: free active (active state 0) object type: timer_list hint: sta_rx_agg_reorder_timer_expired+0x0/0xf0 [mac80211]
+
+Bug report (with all warning messages):
+https://bugzilla.redhat.com/show_bug.cgi?id=804007
+
+Reported-by: "jan p. springer" <jsd at igroup.org>
+Cc: stable at vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka at redhat.com>
+---
+ net/mac80211/agg-rx.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index 1068f66..64d3ce5 100644
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -49,6 +49,8 @@ static void ieee80211_free_tid_rx(struct rcu_head *h)
+ 		container_of(h, struct tid_ampdu_rx, rcu_head);
+ 	int i;
+ 
++	del_timer_sync(&tid_rx->reorder_timer);
++
+ 	for (i = 0; i < tid_rx->buf_size; i++)
+ 		dev_kfree_skb(tid_rx->reorder_buf[i]);
+ 	kfree(tid_rx->reorder_buf);
+@@ -91,7 +93,6 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
+ 				     tid, WLAN_BACK_RECIPIENT, reason);
+ 
+ 	del_timer_sync(&tid_rx->session_timer);
+-	del_timer_sync(&tid_rx->reorder_timer);
+ 
+ 	call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx);
+ }
+-- 
+1.7.1
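Review bot: The del_timer_sync() moved into ieee80211_free_tid_rx() (the added line after `int i;`) carries no comment, so the next reader will see a timer being cancelled inside an RCU callback and be tempted to move it back next to the session_timer cancel, reintroducing the use-after-free the preamble describes. I would add above it `/* Readers that fetched tid_rx before the grace period may have re-armed reorder_timer; cancel it only now that none can remain. The handler cannot re-arm it: tid_rx[tid] is already NULL. */` so the preamble's argument lives next to the code. The same reasoning looks like it applies to `session_timer`, still cancelled before call_rcu() in ___ieee80211_stop_rx_ba_session(): if the RX path re-arms it through the same RCU-protected tid_rx pointer (not visible here), it has the identical window and should move into the callback too — worth confirming against rx.c before this ships. Note also that an RCU callback typically runs in softirq context, so this del_timer_sync() busy-waits for a handler running on another CPU; that is fine for a non-sleeping timer, but it pins sta_rx_agg_reorder_timer_expired() to never block, which the comment should say. Both functions touched here begin and end outside the hunk.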

