tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

mac80211: mesh: fix call_rcu() usage

When using call_rcu(), the called function may be delayed quite
significantly, and without a matching rcu_barrier() there's no
way to be sure it has finished.
Therefore, global state that could be gone/freed/reused should
never be touched in the callback.

Fix this in mesh by moving the atomic_dec() into the caller;
that's not really a problem since we already unlinked the path
and it will be destroyed anyway.

This fixes a crash Jouni observed when running certain tests in
a certain order, in which the mesh interface was torn down, the
memory reused for a function pointer (work struct) and running
that then crashed since the pointer had been decremented by 1,
resulting in an invalid instruction byte stream.

Cc: stable@vger.kernel.org
Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
Reported-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Johannes Berg c2e703a5 45bb780a

+4 -4
+4 -4
net/mac80211/mesh_pathtbl.c
··· 779 779 static void mesh_path_node_reclaim(struct rcu_head *rp) 780 780 { 781 781 struct mpath_node *node = container_of(rp, struct mpath_node, rcu); 782 - struct ieee80211_sub_if_data *sdata = node->mpath->sdata; 783 782 784 783 del_timer_sync(&node->mpath->timer); 785 - atomic_dec(&sdata->u.mesh.mpaths); 786 784 kfree(node->mpath); 787 785 kfree(node); 788 786 } ··· 788 790 /* needs to be called with the corresponding hashwlock taken */ 789 791 static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node) 790 792 { 791 - struct mesh_path *mpath; 792 - mpath = node->mpath; 793 + struct mesh_path *mpath = node->mpath; 794 + struct ieee80211_sub_if_data *sdata = node->mpath->sdata; 795 + 793 796 spin_lock(&mpath->state_lock); 794 797 mpath->flags |= MESH_PATH_RESOLVING; 795 798 if (mpath->is_gate) ··· 798 799 hlist_del_rcu(&node->list); 799 800 call_rcu(&node->rcu, mesh_path_node_reclaim); 800 801 spin_unlock(&mpath->state_lock); 802 + atomic_dec(&sdata->u.mesh.mpaths); 801 803 atomic_dec(&tbl->entries); 802 804 } 803 805