lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20101212234522.3A42BB27C0@basil.firstfloor.org>
Date:	Mon, 13 Dec 2010 00:45:22 +0100 (CET)
From:	Andi Kleen <andi@...stfloor.org>
To:	johannes.berg@...el.com, linville@...driver.com, gregkh@...e.de,
	ak@...ux.intel.com, linux-kernel@...r.kernel.org, stable@...nel.org
Subject: [PATCH] [26/223] mac80211: delete AddBA response timer

2.6.35-longterm review patch.  If anyone has any objections, please let me know.

------------------
From: Johannes Berg <johannes.berg@...el.com>

commit 44271488b91c9eecf249e075a1805dd887e222d2 upstream.

We never delete the addBA response timer, which
is typically fine, but if the station it belongs
to is deleted very quickly after starting the BA
session, before the peer had a chance to reply,
the timer may fire after the station struct has
been freed already. Therefore, we need to delete
the timer in a suitable spot -- best when the
session is being stopped (which will happen even
then) in which case the delete will be a no-op
most of the time.

I've reproduced the scenario and tested the fix.

This fixes the crash reported at
http://mid.gmane.org/4CAB6F96.6090701@candelatech.com

Reported-by: Ben Greear <greearb@...delatech.com>
Signed-off-by: Johannes Berg <johannes.berg@...el.com>
Signed-off-by: John W. Linville <linville@...driver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
Signed-off-by: Andi Kleen <ak@...ux.intel.com>

---
 net/mac80211/agg-tx.c |    3 +++
 1 file changed, 3 insertions(+)

Index: linux/net/mac80211/agg-tx.c
===================================================================
--- linux.orig/net/mac80211/agg-tx.c
+++ linux/net/mac80211/agg-tx.c
@@ -128,6 +128,7 @@ void ieee80211_send_bar(struct ieee80211
 int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
 				    enum ieee80211_back_parties initiator)
 {
+	struct tid_ampdu_tx *tid_tx = sta->ampdu_mlme.tid_tx[tid];
 	struct ieee80211_local *local = sta->local;
 	int ret;
 	u8 *state;
@@ -137,6 +138,8 @@ int ___ieee80211_stop_tx_ba_session(stru
 	       sta->sta.addr, tid);
 #endif /* CONFIG_MAC80211_HT_DEBUG */
 
+	del_timer_sync(&tid_tx->addba_resp_timer);
+
 	state = &sta->ampdu_mlme.tid_state_tx[tid];
 
 	if (*state == HT_AGG_STATE_OPERATIONAL)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ