git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/5.0.19/mac80211-fix-kernel-panic-due-to-use-of-txq-after-fr.patch
1 From d16bb43e6ea7108401d7f329efa5e955d02b2e84 Mon Sep 17 00:00:00 2001
2 From: Bhagavathi Perumal S <bperumal@codeaurora.org>
3 Date: Tue, 16 Apr 2019 12:54:40 +0530
4 Subject: mac80211: Fix kernel panic due to use of txq after free
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 [ Upstream commit f1267cf3c01b12e0f843fb6a7450a7f0b2efab8a ]
10
11 The txq of vif is added to active_txqs list for ATF TXQ scheduling
12 in the function ieee80211_queue_skb(), but it was not properly removed
13 before freeing the txq object. It was causing use after free of the txq
14 objects from the active_txqs list; the result was a kernel panic
15 due to invalid memory access.
16
17 Fix kernel invalid memory access by properly removing txq object
18 from active_txqs list before freeing the object.
19
20 Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
21 Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
22 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
23 Signed-off-by: Sasha Levin <sashal@kernel.org>
24 ---
25 net/mac80211/iface.c | 3 +++
26 1 file changed, 3 insertions(+)
27
28 diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
29 index 4a6ff1482a9ff..02d2e6f11e936 100644
30 --- a/net/mac80211/iface.c
31 +++ b/net/mac80211/iface.c
32 @@ -1908,6 +1908,9 @@ void ieee80211_if_remove(struct ieee80211_sub_if_data *sdata)
33 list_del_rcu(&sdata->list);
34 mutex_unlock(&sdata->local->iflist_mtx);
35
36 + if (sdata->vif.txq)
37 + ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
38 +
39 synchronize_rcu();
40
41 if (sdata->dev) {
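Review bot: The ieee80211_txq_purge() call added in ieee80211_if_remove() runs before synchronize_rcu(), and the hunk does not show what stops a transmit path that is still inside an RCU read-side section from reaching ieee80211_queue_skb() after the purge and putting the txq back on active_txqs, which is the state the commit message ties to the use after free. Either move the purge below synchronize_rcu(), or add a comment above the "if (sdata->vif.txq)" check stating why no further enqueue on this vif is possible at this point. The commit message would also be easier to audit if it named the function that frees the txq, so a reader can confirm that every path reaching that free goes through this purge.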
42 --
43 2.20.1
44