From patchwork Sat Aug 27 00:18:07 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Cardona X-Patchwork-Id: 1103572
From: Javier Cardona To: "John W. Linville" Cc: Javier Cardona , Thomas Pedersen , devel@lists.open80211s.org, Johannes Berg , linux-wireless@vger.kernel.org, jlopex@gmail.com Subject: [PATCH v2 1/8] mac80211: Fix RCU pointer dereference in mesh_path_discard_frame() Date: Fri, 26 Aug 2011 17:18:07 -0700 Message-Id: <1314404294-4233-2-git-send-email-javier@cozybit.com> X-Mailer: git-send-email 1.7.6 In-Reply-To: <1314404294-4233-1-git-send-email-javier@cozybit.com> References: <1314236452-7226-1-git-send-email-thomas@cozybit.com> <1314404294-4233-1-git-send-email-javier@cozybit.com> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Sat, 27 Aug 2011 00:38:34 +0000 (UTC) Reported by Pedro Larbig (ASPj) Signed-off-by: Javier Cardona --- v2: - Extend the rcu_read_lock section to protect mpath (Johannes) - Take state lock when increasing mpath serial number (Johannes) net/mac80211/mesh_pathtbl.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index 3c2bcb2..c92fd70 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -991,9 +991,14 @@ void mesh_path_discard_frame(struct sk_buff *skb, da = hdr->addr3; ra = hdr->addr1; + rcu_read_lock(); mpath = mesh_path_lookup(da, sdata); - if (mpath) + if (mpath) { + spin_lock_bh(&mpath->state_lock); sn = ++mpath->sn; + spin_unlock_bh(&mpath->state_lock); + } + rcu_read_unlock(); mesh_path_error_tx(sdata->u.mesh.mshcfg.element_ttl, skb->data, cpu_to_le32(sn), reason, ra, sdata); }
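Review bot: the changelog has no description body, so nothing records why the mesh_path_lookup() call and the ++mpath->sn update in mesh_path_discard_frame() need rcu_read_lock() and state_lock. Please add a sentence saying that mpath was dereferenced outside an RCU read-side section and that sn was incremented without mpath->state_lock, and write the credit as a "Reported-by:" tag so tooling picks it up. Separately, sn is passed to mesh_path_error_tx() via cpu_to_le32(sn) even when mpath is NULL, and its declaration is outside the hunk, so please confirm it has an initializer. The lock ordering itself (rcu_read_lock(), then spin_lock_bh(&mpath->state_lock), released in reverse order before mesh_path_error_tx() is called) looks right for the v2 notes.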