mac80211: fix possible tid_rx->reorder_timer use after free

from Stanislaw Gruska (rhbz 804007)
2012-03-20 08:44:32 -04:00 · 2012-03-20 08:44:32 -04:00 · b7da64597e
commit b7da64597e
parent 3008f92791
2 changed files with 53 additions and 1 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 3
+%global baserelease 4
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -767,6 +767,9 @@ Patch21302: sony-laptop-Enable-keyboard-backlight-by-default.patch
 #rhbz 803809 CVE-2012-1179
 Patch21304: mm-thp-fix-pmd_bad-triggering.patch

+#rhbz 804007
+Patch21305: mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
+
 Patch21400: unhandled-irqs-switch-to-polling.patch

 Patch22000: weird-root-dentry-name-debug.patch
@ -1478,6 +1481,9 @@ ApplyPatch ACPICA-Fix-regression-in-FADT-revision-checks.patch
 #rhbz 728478
 ApplyPatch sony-laptop-Enable-keyboard-backlight-by-default.patch

+#rhbz 804007
+ApplyPatch mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
+
 ApplyPatch unhandled-irqs-switch-to-polling.patch

 ApplyPatch weird-root-dentry-name-debug.patch
@ -2335,6 +2341,10 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Mar 20 2012 Josh Boyer <jwboyer@redhat.com>
+- mac80211: fix possible tid_rx->reorder_timer use after free
+  from Stanislaw Gruska (rhbz 804007)
+
 * Mon Mar 19 2012 Dave Jones <davej@redhat.com> - 3.3.0-3
 - Reenable debugging options.

--- a/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
+++ b/mac80211-fix-possible-tid_rx-reorder_timer-use-after-free.patch
@ -0,0 +1,42 @@
+Is possible that we will arm the tid_rx->reorder_timer after
+del_timer_sync() in ___ieee80211_stop_rx_ba_session(). We need to stop
+timer after RCU grace period finish, so move it to
+ieee80211_free_tid_rx(). Timer will not be armed again, as
+rcu_dereference(sta->ampdu_mlme.tid_rx[tid]) will return NULL.
+
+Debug object detected problem with the following warning:
+ODEBUG: free active (active state 0) object type: timer_list hint: sta_rx_agg_reorder_timer_expired+0x0/0xf0 [mac80211]
+
+Bug report (with all warning messages):
+https://bugzilla.redhat.com/show_bug.cgi?id=804007
+
+Reported-by: "jan p. springer" <jsd@igroup.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+---
+ net/mac80211/agg-rx.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
+index 1068f66..64d3ce5 100644
+--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
+@@ -49,6 +49,8 @@ static void ieee80211_free_tid_rx(struct rcu_head *h)
+ 		container_of(h, struct tid_ampdu_rx, rcu_head);
+ 	int i;
+ 
+	del_timer_sync(&tid_rx->reorder_timer);
+
+ 	for (i = 0; i < tid_rx->buf_size; i++)
+ 		dev_kfree_skb(tid_rx->reorder_buf[i]);
+ 	kfree(tid_rx->reorder_buf);
+@@ -91,7 +93,6 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
+ 				     tid, WLAN_BACK_RECIPIENT, reason);
+ 
+ 	del_timer_sync(&tid_rx->session_timer);
+-	del_timer_sync(&tid_rx->reorder_timer);
+ 
+ 	call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx);
+ }
+-- 
+1.7.1