linux/net/mac80211
Johannes Berg 788211d81b mac80211: fix RX A-MPDU session reorder timer deletion
There's an issue with the way the RX A-MPDU reorder timer is
deleted that can cause a kernel crash like this:

 * tid_rx is removed - call_rcu(ieee80211_free_tid_rx)
 * station is destroyed
 * reorder timer fires before ieee80211_free_tid_rx() runs,
   accessing the station, thus potentially crashing due to
   the use-after-free

The station deletion is protected by synchronize_net(), but
that isn't enough -- ieee80211_free_tid_rx() need not have
run when that returns (it deletes the timer.) We could use
rcu_barrier() instead of synchronize_net(), but that's much
more expensive.

Instead, to fix this, add a field tracking that the session
is being deleted. In this case, the only re-arming of the
timer happens with the reorder spinlock held, so make that
code not rearm it if the session is being deleted and also
delete the timer after setting that field. This ensures the
timer cannot fire after ___ieee80211_stop_rx_ba_session()
returns, which fixes the problem.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-04-01 14:35:01 +02:00
..
aes_ccm.c mac80111: Add CCMP-256 cipher 2015-01-27 11:07:35 +01:00
aes_ccm.h mac80111: Add CCMP-256 cipher 2015-01-27 11:07:35 +01:00
aes_cmac.c mac80111: Add BIP-CMAC-256 cipher 2015-01-27 11:09:13 +01:00
aes_cmac.h mac80111: Add BIP-CMAC-256 cipher 2015-01-27 11:09:13 +01:00
aes_gcm.c mac80111: Add GCMP and GCMP-256 ciphers 2015-01-27 11:06:09 +01:00
aes_gcm.h mac80111: Add GCMP and GCMP-256 ciphers 2015-01-27 11:06:09 +01:00
aes_gmac.c mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
aes_gmac.h mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
agg-rx.c mac80211: fix RX A-MPDU session reorder timer deletion 2015-04-01 14:35:01 +02:00
agg-tx.c mac80211: synchronously reserve TID per station 2014-11-19 18:45:36 +01:00
cfg.c mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
cfg.h mac80211: make cfg80211 ops and privid const 2014-02-04 21:48:21 +01:00
chan.c mac80211: clear sdata->radar_required 2015-02-24 10:51:06 +01:00
debug.h mac80211: 802.11p OCB mode support 2014-11-04 13:18:21 +01:00
debugfs.c mac80211: move U-APSD enablement to vif flags 2014-12-15 12:34:45 +01:00
debugfs.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
debugfs_key.c mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
debugfs_key.h
debugfs_netdev.c mac80211: replace SMPS hw flags with wiphy feature bits 2014-09-11 13:37:02 +02:00
debugfs_netdev.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
debugfs_sta.c mac80211: introduce TDLS channel switch ops 2014-11-19 18:45:21 +01:00
debugfs_sta.h
driver-ops.h mac80211: allow drivers to provide most station statistics 2015-01-08 15:28:06 +01:00
ethtool.c cfg80211: remove enum station_info_flags 2015-01-08 15:28:10 +01:00
event.c
ht.c mac80211: set Rx highest rate in ht_cap 2014-07-21 12:14:04 +02:00
ibss.c mac80211: notify NSS changed when IBSS and HT 2014-12-17 11:47:26 +01:00
ieee80211_i.h mac80211: ignore CSA to same channel 2015-03-16 09:36:12 +01:00
iface.c mac80211: avoid races related to suspend flow 2015-01-23 10:54:22 +01:00
Kconfig mac80111: Add GCMP and GCMP-256 ciphers 2015-01-27 11:06:09 +01:00
key.c mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
key.h mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
led.c mac80211: use oneshot blink API for LED triggers 2013-08-01 10:48:49 +02:00
led.h mac80211: use oneshot blink API for LED triggers 2013-08-01 10:48:49 +02:00
main.c mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
Makefile mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
mesh.c mac80211: use secondary channel offset IE also beacons during CSA 2014-10-29 16:37:45 +01:00
mesh.h mac80211: implement cfg80211_ops to query mesh proxy path table 2014-10-09 11:19:07 +02:00
mesh_hwmp.c mac80211: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
mesh_pathtbl.c mac80211: implement cfg80211_ops to query mesh proxy path table 2014-10-09 11:19:07 +02:00
mesh_plink.c Revert "mac80211: keep sending peer candidate events while in listen state" 2015-01-23 10:57:19 +01:00
mesh_ps.c mac80211: clear sequence/fragment number in QoS-null frames 2014-03-05 15:49:54 +01:00
mesh_sync.c mac80211: remove BUG_ON usage 2014-04-29 17:59:27 +02:00
michael.c
michael.h mac80211: fix some missing includes 2014-04-09 14:49:43 +02:00
mlme.c mac80211: ignore CSA to same channel 2015-03-16 09:36:12 +01:00
ocb.c mac80211: 802.11p OCB mode support 2014-11-04 13:18:21 +01:00
offchannel.c mac80211: let flush() drop packets when possible 2015-01-14 09:31:18 +01:00
pm.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-01-27 16:59:56 -08:00
rate.c mac80211: add more missing checks for VHT tx rates 2014-11-28 14:24:23 +01:00
rate.h mac80211: add ieee80211_tx_status_noskb 2014-11-28 15:01:51 +01:00
rc80211_minstrel.c mac80211/minstrel: fix !x!=0 confusion 2015-02-24 21:12:07 +01:00
rc80211_minstrel.h mac80211: minstrel: reduce size of struct minstrel_rate_stats 2014-12-19 21:34:22 +01:00
rc80211_minstrel_debugfs.c mac80211: minstrels: fix buffer overflow in HT debugfs rc_stats 2014-10-20 16:37:01 +02:00
rc80211_minstrel_ht.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless 2014-12-08 13:58:58 -05:00
rc80211_minstrel_ht.h mac80211: minstrel_ht: add basic support for VHT rates <= 3SS@80MHz 2014-10-21 13:25:26 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: minstrel_ht: use group flags instead of index to display rates 2014-10-23 20:36:13 +02:00
rx.c mac80211: fix RX A-MPDU session reorder timer deletion 2015-04-01 14:35:01 +02:00
scan.c mac80211: complete scan work immediately if quiesced or suspended 2015-01-23 10:54:22 +01:00
spectmgmt.c mac80211: remove unused variable in ieee80211_parse_ch_switch_ie() 2014-12-17 15:45:17 +01:00
sta_info.c mac80211: support beacon statistics 2015-01-23 15:51:38 +01:00
sta_info.h mac80211: fix RX A-MPDU session reorder timer deletion 2015-04-01 14:35:01 +02:00
status.c mac80211: remove doubled semicolon 2015-01-16 13:27:56 +01:00
tdls.c mac80211: tdls: disentangle HT supported conditions 2015-01-23 11:42:14 +01:00
tkip.c mac80211: fix checkpatch errors 2013-12-18 10:33:06 +01:00
tkip.h
trace.c mac80211: trace debug messages 2012-06-24 11:33:18 +02:00
trace.h mac80211: allow drivers to provide most station statistics 2015-01-08 15:28:06 +01:00
tx.c mac80211: Send EAPOL frames at lowest rate 2015-02-26 21:03:06 +01:00
util.c mac80211: count interfaces correctly for combination checks 2015-03-16 09:35:59 +01:00
vht.c mac80211: update sta bw on ht chanwidth action frame 2014-12-17 15:45:16 +01:00
wep.c mac80211: fix network header breakage during encryption 2014-10-23 20:40:01 +02:00
wep.h
wme.c mac80211: synchronously reserve TID per station 2014-11-19 18:45:36 +01:00
wme.h mac80211: add WMM admission control support 2014-10-22 10:42:09 +02:00
wpa.c mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00
wpa.h mac80111: Add BIP-GMAC-128 and BIP-GMAC-256 ciphers 2015-01-27 11:10:13 +01:00