linux/net
Luis R. Rodriguez ac46d48e00 cfg80211: fix race condition with wiphy_apply_custom_regulatory()
We forgot to lock using the cfg80211_mutex in
wiphy_apply_custom_regulatory(). Without the lock
there is a possible race between processing a reply from CRDA
and a driver calling wiphy_apply_custom_regulatory(). During
the processing of the reply from CRDA we free last_request and
wiphy_apply_custom_regulatory() eventually accesses an
element from last_request through freq_reg_info_regd().

This is very difficult to reproduce (I haven't), it takes us
3 hours and you need to be banging hard, but the race is obvious
by looking at the code.

This should only affect those who use this caller, which currently
is ath5k, ath9k, and ar9170.

EIP: 0060:[<f8ebec50>] EFLAGS: 00210282 CPU: 1
EIP is at freq_reg_info_regd+0x24/0x121 [cfg80211]
EAX: 00000000 EBX: f7ca0060 ECX: f5183d94 EDX: 0024cde0
ESI: f8f56edc EDI: 00000000 EBP: 00000000 ESP: f5183d44
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process modprobe (pid: 14617, ti=f5182000 task=f3934d10 task.ti=f5182000)
Stack: c0505300 f7ca0ab4 f5183d94 0024cde0 f8f403a6 f8f63160 f7ca0060 00000000
00000000 f8ebedf8 f5183d90 f8f56edc 00000000 00000004 00000f40 f8f56edc
f7ca0060 f7ca1234 00000000 00000000 00000000 f7ca14f0 f7ca0ab4 f7ca1289
Call Trace:
[<f8ebedf8>] wiphy_apply_custom_regulatory+0x8f/0x122 [cfg80211]
[<f8f3f798>] ath_attach+0x707/0x9e6 [ath9k]
[<f8f45e46>] ath_pci_probe+0x18d/0x29a [ath9k]
[<c023c7ba>] pci_device_probe+0xa3/0xe4
[<c02a860b>] really_probe+0xd7/0x1de
[<c02a87e7>] __driver_attach+0x37/0x55
[<c02a7eed>] bus_for_each_dev+0x31/0x57
[<c02a83bd>] driver_attach+0x16/0x18
[<c02a78e6>] bus_add_driver+0xec/0x21b
[<c02a8959>] driver_register+0x85/0xe2
[<c023c9bb>] __pci_register_driver+0x3c/0x69
[<f8e93043>] ath9k_init+0x43/0x68 [ath9k]
[<c010112b>] _stext+0x3b/0x116
[<c014a872>] sys_init_module+0x8a/0x19e
[<c01049ad>] sysenter_do_call+0x12/0x21
[<ffffe430>] 0xffffe430
=======================
Code: 0f 94 c0 c3 31 c0 c3 55 57 56 53 89 c3 83 ec 14 8b 74 24 2c 89 54 24 0c 89 4c 24 08 85 f6 75
06 8b 35 c8 bb ec f8 a1 cc bb ec f8 <8b> 40 04 83 f8 03 74 3a 48 74 37 8b 43 28 85 c0 74 30 89 c6
8b
EIP: [<f8ebec50>] freq_reg_info_regd+0x24/0x121 [cfg80211] SS:ESP 0068:f5183d44

Cc: stable@kernel.org
Reported-by: Nataraj Sadasivam <Nataraj.Sadasivam@Atheros.com>
Reported-by: Vivek Natarajan <Vivek.Natarajan@Atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-04 16:22:12 -04:00
9p 9p: fix sparse warning: cast adds address space 2009-02-26 23:13:32 -08:00
802 tr: fix leakage of device in net/802/tr.c 2009-04-11 01:43:17 -07:00
8021q vlan: update vlan carrier state for admin up/down 2009-04-25 18:03:35 -07:00
appletalk proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
atm Subject: [PATCH] br2684: restore net_dev initialization 2009-05-02 13:49:36 -07:00
ax25 ax25: proc uid file misses header 2009-04-20 02:14:59 -07:00
bluetooth Bluetooth: Fix connection establishment with low security requirement 2009-04-28 09:31:39 -07:00
bridge netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge 2009-04-20 17:12:35 +02:00
can can: Network Drop Monitor: Make use of consume_skb() in af_can.c 2009-04-17 01:38:46 -07:00
core net: Fix skb_tx_hash() for forwarding workloads. 2009-05-01 09:05:06 -07:00
dcb DCB: fix kfree(skb) 2009-01-04 17:29:21 -08:00
dccp dccp: Do not let initial option overhead shrink the MPS 2009-03-02 03:07:23 -08:00
decnet net/*: use linux/kernel.h swap() 2009-03-21 13:36:17 -07:00
dsa dsa: add switch chip cascading support 2009-03-21 19:06:54 -07:00
econet net: convert usage of packet_type to read_mostly 2009-03-10 05:22:43 -07:00
ethernet eth: Declare an optimized compare_ether_addr_64bits() function 2008-11-23 23:24:32 -08:00
ipv4 netfilter: revised locking for x_tables 2009-04-28 22:36:33 -07:00
ipv6 netfilter: revised locking for x_tables 2009-04-28 22:36:33 -07:00
ipx ipx: use constant for strings and desciptor 2009-03-21 19:06:51 -07:00
irda proc tty: switch ircomm to ->proc_fops 2009-04-01 08:59:10 -07:00
iucv af_iucv: Fix race when queuing incoming iucv messages 2009-04-21 23:43:15 -07:00
key af_key: remove some pointless conditionals before kfree_skb() 2009-02-26 23:07:32 -08:00
lapb
llc proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
mac80211 mac80211: correct fragmentation threshold check 2009-05-04 16:22:08 -04:00
netfilter xt_socket: checks for the state of nf_conntrack 2009-05-01 15:23:10 -07:00
netlabel netlabel: Always remove the correct address selector 2009-04-22 00:46:09 -07:00
netlink Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-03-26 15:23:24 -07:00
netrom net/netrom: Fix socket locking 2009-04-22 00:49:51 -07:00
packet packet: avoid warnings when high-order page allocation fails 2009-04-15 03:39:52 -07:00
phonet trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
rds RDS: Use spinlock to protect 64b value update on 32b archs 2009-04-02 00:52:22 -07:00
rfkill net/rfkill/rfkill.c: fix unused rfkill_led_trigger() warning 2009-01-04 17:11:24 -08:00
rose Revert "rose: zero length frame filtering in af_rose.c" 2009-04-14 20:28:00 -07:00
rxrpc RxRPC: Fix a potential NULL dereference 2009-02-06 21:50:52 -08:00
sched net: Only store high 16 bits of kernel generated filter priorities 2009-05-02 13:48:32 -07:00
sctp proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
sunrpc Merge branch 'for-2.6.30' of git://linux-nfs.org/~bfields/linux 2009-04-06 13:25:56 -07:00
tipc tipc: fix non-const printf format arguments 2009-03-18 19:11:29 -07:00
unix New helper - current_umask() 2009-03-31 23:00:26 -04:00
wanrouter wanrouter: fix sparse warnings: context imbalance 2009-02-26 23:13:36 -08:00
wimax trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
wireless cfg80211: fix race condition with wiphy_apply_custom_regulatory() 2009-05-04 16:22:12 -04:00
x25 af_rose/x25: Sanity check the maximum user frame size 2009-03-27 00:28:21 -07:00
xfrm xfrm: wrong hash value for temporary SA 2009-04-27 02:58:59 -07:00
compat.c net: socket infrastructure for SO_TIMESTAMPING 2009-02-15 22:43:35 -08:00
Kconfig trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
Makefile RDS: Kconfig and Makefile 2009-02-26 23:43:35 -08:00
nonet.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-04-06 18:05:43 -07:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00