Commit 4ae9a73be7ac5805a841a6da2bc792c046936c1c
Committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
1 parent
3a738e7f73
Exists in
smarc_8mm_imx_4.14.98_2.0.0_ga
and in
6 other branches
mac80211: Run TXQ teardown code before de-registering interfaces
[ Upstream commit 77cfaf52eca5cac30ed029507e0cab065f888995 ] The TXQ teardown code can reference the vif data structures that are stored in the netdev private memory area if there are still packets on the queue when it is being freed. Since the TXQ teardown code is run after the netdevs are freed, this can lead to a use-after-free. Fix this by moving the TXQ teardown code to earlier in ieee80211_unregister_hw(). Reported-by: Ben Greear <greearb@candelatech.com> Tested-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/mac80211/main.c
| ... | ... | @@ -1171,6 +1171,7 @@ |
| 1171 | 1171 | #if IS_ENABLED(CONFIG_IPV6) |
| 1172 | 1172 | unregister_inet6addr_notifier(&local->ifa6_notifier); |
| 1173 | 1173 | #endif |
| 1174 | + ieee80211_txq_teardown_flows(local); | |
| 1174 | 1175 | |
| 1175 | 1176 | rtnl_lock(); |
| 1176 | 1177 | |
| ... | ... | @@ -1199,7 +1200,6 @@ |
| 1199 | 1200 | skb_queue_purge(&local->skb_queue); |
| 1200 | 1201 | skb_queue_purge(&local->skb_queue_unreliable); |
| 1201 | 1202 | skb_queue_purge(&local->skb_queue_tdls_chsw); |
| 1202 | - ieee80211_txq_teardown_flows(local); | |
| 1203 | 1203 | |
| 1204 | 1204 | destroy_workqueue(local->workqueue); |
| 1205 | 1205 | wiphy_unregister(local->hw.wiphy); |