mac80211: fix txq queue related crashes

[ Upstream commit 2a58d42c ] The driver can access the queue simultanously while mac80211 tears down the interface. Without spinlock protection this could lead to corrupting sk_buff_head and subsequently to an invalid pointer dereference. Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation") Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

mac80211: fix txq queue related crashes
[ Upstream commit 2a58d42c ] The driver can access the queue simultanously while mac80211 tears down the interface. Without spinlock protection this could lead to corrupting sk_buff_head and subsequently to an invalid pointer dereference. Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation") Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
17e8cd1e · Michal Kazior · Sasha Levin · 193517ef · 17e8cd1e
Commit 17e8cd1e authored Jan 21, 2016 by Michal Kazior Committed by Sasha Levin Jul 10, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

net/mac80211/iface.c net/mac80211/iface.c +3 -0

No files found.
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -980,7 +980,10 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
 	if (sdata->vif.txq) {
 		struct txq_info *txqi = to_txq_info(sdata->vif.txq);

+		spin_lock_bh(&txqi->queue.lock);
 		ieee80211_purge_tx_queue(&local->hw, &txqi->queue);
+		spin_unlock_bh(&txqi->queue.lock);
+
 		atomic_set(&sdata->txqs_len[txqi->txq.ac], 0);
 	}