From: Luca Coelho <luca@coelho.fi>
To: johannes@sipsolutions.net
Cc: luca@coelho.fi, linux-wireless@vger.kernel.org
Subject: [PATCH 06/31] cfg80211: avoid double free of PMSR request
Date: Fri, 18 Jun 2021 13:41:31 +0300 [thread overview]
Message-ID: <iwlwifi.20210618133832.1fbef57e269a.I00294bebdb0680b892f8d1d5c871fd9dbe785a5e@changeid> (raw)
In-Reply-To: <20210618104156.747775-1-luca@coelho.fi>
From: Avraham Stern <avraham.stern@intel.com>
If cfg80211_pmsr_process_abort() moves all the PMSR requests that
need to be freed into a local list before aborting and freeing them.
As a result, it is possible that cfg80211_pmsr_complete() will run in
parallel and free the same PMSR request.
Fix it by freeing the request in cfg80211_pmsr_complete() only if it
is still in the original pmsr list.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
net/wireless/pmsr.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
index 6bdd96408022..d245968b74cb 100644
--- a/net/wireless/pmsr.c
+++ b/net/wireless/pmsr.c
@@ -334,6 +334,7 @@ void cfg80211_pmsr_complete(struct wireless_dev *wdev,
gfp_t gfp)
{
struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
+ struct cfg80211_pmsr_request *tmp, *prev, *to_free = NULL;
struct sk_buff *msg;
void *hdr;
@@ -364,9 +365,20 @@ void cfg80211_pmsr_complete(struct wireless_dev *wdev,
nlmsg_free(msg);
free_request:
spin_lock_bh(&wdev->pmsr_lock);
- list_del(&req->list);
+ /*
+ * cfg80211_pmsr_process_abort() may have already moved this request
+ * to the free list, and will free it later. In this case, don't free
+ * it here.
+ */
+ list_for_each_entry_safe(tmp, prev, &wdev->pmsr_list, list) {
+ if (tmp == req) {
+ list_del(&req->list);
+ to_free = req;
+ break;
+ }
+ }
spin_unlock_bh(&wdev->pmsr_lock);
- kfree(req);
+ kfree(to_free);
}
EXPORT_SYMBOL_GPL(cfg80211_pmsr_complete);
--
2.32.0
next prev parent reply other threads:[~2021-06-18 10:42 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-18 10:41 [PATCH 00/31] cfg80211/mac80211 patches from our internal tree 2021-06-18 Luca Coelho
2021-06-18 10:41 ` [PATCH 01/31] mac80211: add HE 6GHz cap IE in 6GHz band only Luca Coelho
2021-06-18 10:41 ` [PATCH 02/31] mac80211: do not add twice the HE 6GHz cap IE Luca Coelho
2021-06-18 17:14 ` Florian Fainelli
2021-06-18 20:17 ` Luca Coelho
2021-06-23 11:04 ` Luca Coelho
2021-06-18 10:41 ` [PATCH 03/31] ieee80211: define timing measurement in extended capabilities IE Luca Coelho
2021-06-18 10:41 ` [PATCH 04/31] cfg80211: make certificate generation more robust Luca Coelho
2021-06-18 10:41 ` [PATCH 05/31] mac80211: handle rate control (RC) racing with chanctx definition Luca Coelho
2021-06-18 10:41 ` Luca Coelho [this message]
2021-06-18 10:41 ` [PATCH 07/31] mac80211: allow SMPS requests only in client mode Luca Coelho
2021-06-18 10:41 ` [PATCH 08/31] mac80211: free skb in WEP error case Luca Coelho
2021-06-18 10:41 ` [PATCH 09/31] mac80211: move SMPS mode setting after ieee80211_prep_connection Luca Coelho
2021-06-18 10:41 ` [PATCH 10/31] mac80211: add to bss_conf if broadcast TWT is supported Luca Coelho
2021-06-18 10:41 ` [PATCH 11/31] nl80211/cfg80211: add BSS color to NDP ranging parameters Luca Coelho
2021-06-18 10:41 ` [PATCH 12/31] mac80211: Properly WARN on HW scan before restart Luca Coelho
2021-06-18 10:41 ` [PATCH 13/31] ieee80211: add defines for HE PHY cap byte 10 Luca Coelho
2021-06-18 10:41 ` [PATCH 14/31] cfg80211: add cfg80211_any_usable_channels() Luca Coelho
2021-06-18 10:41 ` [PATCH 15/31] mac80211: conditionally advertise HE in probe requests Luca Coelho
2021-06-18 10:41 ` [PATCH 16/31] cfg80211: Support hidden AP discovery over 6GHz band Luca Coelho
2021-06-18 10:41 ` [PATCH 17/31] mac80211: always include HE 6GHz capability in probe request Luca Coelho
2021-06-18 10:41 ` [PATCH 18/31] mac80211: always include HE 6GHz capability in assoc request Luca Coelho
2021-06-18 10:41 ` [PATCH 19/31] mac80211: rearrange struct txq_info for fewer holes Luca Coelho
2021-06-18 10:41 ` [PATCH 20/31] mac80211: handle various extensible elements correctly Luca Coelho
2021-06-18 10:41 ` [PATCH 21/31] cfg80211: set custom regdomain after wiphy registration Luca Coelho
2021-06-18 10:41 ` [PATCH 22/31] mac80211: improve AP disconnect message Luca Coelho
2021-06-18 10:41 ` [PATCH 23/31] cfg80211: trace more information in assoc trace event Luca Coelho
2021-06-18 10:41 ` [PATCH 24/31] mac80211: reset profile_periodicity/ema_ap Luca Coelho
2021-06-18 10:41 ` [PATCH 25/31] mac80211: remove use of ieee80211_get_he_sta_cap() Luca Coelho
2021-06-18 10:41 ` [PATCH 26/31] cfg80211: remove ieee80211_get_he_sta_cap() Luca Coelho
2021-06-18 10:41 ` [PATCH 27/31] cfg80211: allow advertising vendor-specific capabilities Luca Coelho
2021-06-18 10:41 ` [PATCH 28/31] mac80211: add vendor-specific capabilities to assoc request Luca Coelho
2021-06-18 10:41 ` [PATCH 29/31] mac8021: Allow probe request injection on passive non radar channels Luca Coelho
2021-06-18 10:41 ` [PATCH 30/31] mac80211: notify driver on mgd TX completion Luca Coelho
2021-06-18 10:41 ` [PATCH 31/31] cfg80211: reg: improve bad regulatory warning Luca Coelho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=iwlwifi.20210618133832.1fbef57e269a.I00294bebdb0680b892f8d1d5c871fd9dbe785a5e@changeid \
--to=luca@coelho.fi \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).