From patchwork Mon Aug 29 20:23:03 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Javier Cardona X-Patchwork-Id: 1110462 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.4) with ESMTP id p7TKNLah026114 for ; Mon, 29 Aug 2011 20:23:26 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755042Ab1H2UXV (ORCPT ); Mon, 29 Aug 2011 16:23:21 -0400 Received: from mail-yw0-f46.google.com ([209.85.213.46]:33745 "EHLO mail-yw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755023Ab1H2UXV (ORCPT ); Mon, 29 Aug 2011 16:23:21 -0400 Received: by ywf7 with SMTP id 7so5057048ywf.19 for ; Mon, 29 Aug 2011 13:23:20 -0700 (PDT) Received: by 10.143.76.9 with SMTP id d9mr280267wfl.329.1314649399945; Mon, 29 Aug 2011 13:23:19 -0700 (PDT) Received: from localhost.localdomain (99-8-184-170.lightspeed.snfcca.sbcglobal.net [99.8.184.170]) by mx.google.com with ESMTPS id g14sm5303323wfh.22.2011.08.29.13.23.18 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 29 Aug 2011 13:23:19 -0700 (PDT) From: Javier Cardona To: "John W. Linville" Cc: Javier Cardona , Thomas Pedersen , devel@lists.open80211s.org, Johannes Berg , linux-wireless@vger.kernel.org, jlopex@gmail.com Subject: [PATCH v3 1/7] mac80211: Fix RCU pointer dereference in mesh_path_discard_frame() Date: Mon, 29 Aug 2011 13:23:03 -0700 Message-Id: <1314649389-7115-2-git-send-email-javier@cozybit.com> X-Mailer: git-send-email 1.7.6 In-Reply-To: <1314649389-7115-1-git-send-email-javier@cozybit.com> References: <1314649389-7115-1-git-send-email-javier@cozybit.com> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Mon, 29 Aug 2011 20:23:27 +0000 (UTC) Reported by Pedro Larbig (ASPj) Signed-off-by: Javier Cardona --- v2: - Extend the rcu_read_lock section to protect mpath (Johannes) - Take state lock when increasing mpath serial number (Johannes) net/mac80211/mesh_pathtbl.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index 3c2bcb2..c92fd70 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -991,9 +991,14 @@ void mesh_path_discard_frame(struct sk_buff *skb, da = hdr->addr3; ra = hdr->addr1; + rcu_read_lock(); mpath = mesh_path_lookup(da, sdata); - if (mpath) + if (mpath) { + spin_lock_bh(&mpath->state_lock); sn = ++mpath->sn; + spin_unlock_bh(&mpath->state_lock); + } + rcu_read_unlock(); mesh_path_error_tx(sdata->u.mesh.mshcfg.element_ttl, skb->data, cpu_to_le32(sn), reason, ra, sdata); }