1
linux/net/mac80211
Stanislaw Gruszka 05e7c99136 mac80211: fix conn_mon_timer running after disassociate
Low level driver could pass rx frames to us after disassociate, what
can lead to run conn_mon_timer by ieee80211_sta_rx_notify(). That
is obviously wrong, but nothing happens until we unload modules and
resources are used after free. If kernel debugging is enabled following
warning could be observed:

WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70()
Hardware name: HP xw8600 Workstation
ODEBUG: free active (active state 0) object type: timer_list
Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 aes_x86_64 aes_generic fuse cpufreq_ondemand acpi_cpufreq freq_table mperf xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext3 jbd dm_mirror dm_region_hash dm_log dm_mod uinput hp_wmi sparse_keymap sg wmi arc4 microcode serio_raw ecb tg3 shpchp rfkill ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: cfg80211]
Pid: 13827, comm: rmmod Tainted: G        W   2.6.38-rc4-wl+ #22
Call Trace:
 [<ffffffff810649cf>] ? warn_slowpath_common+0x7f/0xc0
 [<ffffffff81064ac6>] ? warn_slowpath_fmt+0x46/0x50
 [<ffffffff81226fc5>] ? debug_print_object+0x65/0x70
 [<ffffffff81227625>] ? debug_check_no_obj_freed+0x125/0x210
 [<ffffffff8109ebd7>] ? debug_check_no_locks_freed+0xf7/0x170
 [<ffffffff81156092>] ? kfree+0xc2/0x2f0
 [<ffffffff813ec5c5>] ? netdev_release+0x45/0x60
 [<ffffffff812f1067>] ? device_release+0x27/0xa0
 [<ffffffff81216ddd>] ? kobject_release+0x8d/0x1a0
 [<ffffffff81216d50>] ? kobject_release+0x0/0x1a0
 [<ffffffff812183b7>] ? kref_put+0x37/0x70
 [<ffffffff81216c57>] ? kobject_put+0x27/0x60
 [<ffffffff813d5d1b>] ? netdev_run_todo+0x1ab/0x270
 [<ffffffff813e771e>] ? rtnl_unlock+0xe/0x10
 [<ffffffffa0581188>] ? ieee80211_unregister_hw+0x58/0x120 [mac80211]
 [<ffffffffa0377ed7>] ? iwl_pci_remove+0xdb/0x22a [iwlagn]
 [<ffffffff8123cde2>] ? pci_device_remove+0x52/0x120
 [<ffffffff812f5205>] ? __device_release_driver+0x75/0xe0
 [<ffffffff812f5348>] ? driver_detach+0xd8/0xe0
 [<ffffffff812f4111>] ? bus_remove_driver+0x91/0x100
 [<ffffffff812f5b62>] ? driver_unregister+0x62/0xa0
 [<ffffffff8123d194>] ? pci_unregister_driver+0x44/0xa0
 [<ffffffffa0377df5>] ? iwl_exit+0x15/0x1c [iwlagn]
 [<ffffffff810ab492>] ? sys_delete_module+0x1a2/0x270
 [<ffffffff81498889>] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [<ffffffff8100bf42>] ? system_call_fastpath+0x16/0x1b

Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-02-18 16:47:37 -05:00
..
aes_ccm.c mac80211: Remove redundant checks for NULL before calls to crypto_free_cipher() 2010-11-15 13:26:11 -05:00
aes_ccm.h
aes_cmac.c mac80211: Remove redundant checks for NULL before calls to crypto_free_cipher() 2010-11-15 13:26:11 -05:00
aes_cmac.h mac80211: 802.11w - Add BIP (AES-128-CMAC) 2009-01-29 16:00:02 -05:00
agg-rx.c mac80211: use maximum number of AMPDU frames as default in BA RX 2011-01-13 15:46:45 -05:00
agg-tx.c mac80211: Add timeout to BA session start API 2010-12-15 17:03:59 -05:00
cfg.c mac80211: fix TX status cookie in HW offload case 2011-02-02 16:38:59 -05:00
cfg.h
chan.c cfg80211/mac80211: use lockdep_assert_held 2010-09-16 15:46:00 -04:00
debugfs_key.c mac80211: support separate default keys 2010-12-13 15:23:29 -05:00
debugfs_key.h mac80211: support separate default keys 2010-12-13 15:23:29 -05:00
debugfs_netdev.c nl80211/mac80211: define and allow configuring mesh element TTL 2010-12-06 16:01:28 -05:00
debugfs_netdev.h mac80211: reduce reliance on netdev 2009-12-21 18:38:52 -05:00
debugfs_sta.c mac80211: Add timeout to BA session start API 2010-12-15 17:03:59 -05:00
debugfs_sta.h
debugfs.c mac80211: refactor debugfs function generation code 2010-11-15 13:24:48 -05:00
debugfs.h mac80211: refactor debugfs function generation code 2010-11-15 13:24:48 -05:00
driver-ops.h mac80211: implement hardware offload for remain-on-channel 2011-01-05 16:07:12 -05:00
driver-trace.c mac80211: fix sparse warnings/errors 2009-08-04 16:43:25 -04:00
driver-trace.h mac80211: implement hardware offload for remain-on-channel 2011-01-05 16:07:12 -05:00
event.c cfg80211: use proper allocation flags 2009-07-10 15:01:49 -04:00
ht.c mac80211: fix SMPS request 2010-10-13 15:45:23 -04:00
ibss.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2010-12-15 16:33:28 -05:00
ieee80211_i.h mac80211: fix TX status cookie in HW offload case 2011-02-02 16:38:59 -05:00
iface.c mac80211: implement hardware offload for remain-on-channel 2011-01-05 16:07:12 -05:00
Kconfig Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-12-26 22:37:05 -08:00
key.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-01-05 14:35:41 -05:00
key.h mac80211: support separate default keys 2010-12-13 15:23:29 -05:00
led.c mac80211: remove stray extern 2011-01-05 16:07:12 -05:00
led.h mac80211: selective throughput LED trigger active 2010-12-22 14:33:37 -05:00
main.c mac80211: fix lockdep warning 2011-01-13 15:46:45 -05:00
Makefile mac80211: add the minstrel_ht rate control algorithm 2010-06-02 16:12:59 -04:00
mesh_hwmp.c nl80211/mac80211: define and allow configuring mesh element TTL 2010-12-06 16:01:28 -05:00
mesh_pathtbl.c nl80211/mac80211: define and allow configuring mesh element TTL 2010-12-06 16:01:28 -05:00
mesh_plink.c mac80211: Let userspace enable and configure vendor specific path selection. 2010-12-20 14:46:57 -05:00
mesh.c mac80211: Remove unused third address from mesh address extension header. 2010-12-20 14:49:47 -05:00
mesh.h mac80211: Remove unused third address from mesh address extension header. 2010-12-20 14:49:47 -05:00
michael.c
michael.h
mlme.c mac80211: fix conn_mon_timer running after disassociate 2011-02-18 16:47:37 -05:00
offchannel.c mac80211: implement off-channel TX using hw r-o-c offload 2011-01-05 16:07:12 -05:00
pm.c mac80211: assure we also cancel deferred scan request 2010-10-06 16:30:42 -04:00
rate.c cfg80211/mac80211: improve ad-hoc multicast rate handling 2010-11-24 16:19:35 -05:00
rate.h mac80211: add the minstrel_ht rate control algorithm 2010-06-02 16:12:59 -04:00
rc80211_minstrel_debugfs.c llseek: automatically add .llseek fop 2010-10-15 15:53:27 +02:00
rc80211_minstrel_ht_debugfs.c mac80211: disallow seeks in minstrel debug code 2010-09-16 10:33:17 +02:00
rc80211_minstrel_ht.c mac80211: Add timeout to BA session start API 2010-12-15 17:03:59 -05:00
rc80211_minstrel_ht.h minstrel_ht: move minstrel_mcs_groups declaration to header file 2010-06-24 15:42:18 -04:00
rc80211_minstrel.c minstrel: don't complain about feedback for unrequested rates 2010-07-26 15:09:04 -04:00
rc80211_minstrel.h minstrel: make the rate control ops reusable from another rc implementation 2010-03-10 17:44:23 -05:00
rc80211_pid_algo.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
rc80211_pid_debugfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-10-23 11:47:02 -07:00
rc80211_pid.h
rx.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-01-05 16:06:25 -05:00
scan.c mac80211: fix sw scan locking 2010-10-07 14:41:27 -04:00
spectmgmt.c mac80211: reduce reliance on netdev 2009-12-21 18:38:52 -05:00
sta_info.c nl80211/mac80211: Report signal average 2010-12-07 16:09:12 -05:00
sta_info.h mac80211: Add timeout to BA session start API 2010-12-15 17:03:59 -05:00
status.c mac80211: fix TX status cookie in HW offload case 2011-02-02 16:38:59 -05:00
tkip.c mac80211: remove wep dependency 2010-07-08 16:35:50 -04:00
tkip.h mac80211: remove wep dependency 2010-07-08 16:35:50 -04:00
tx.c mac80211: fix the skb cloned check in the tx path 2011-02-07 16:02:14 -05:00
util.c mac80211: add missing locking in ieee80211_reconfig 2011-02-09 15:35:13 -05:00
wep.c mac80211: don't kmalloc 16 bytes 2010-10-11 15:04:23 -04:00
wep.h mac80211: remove wep dependency 2010-07-08 16:35:50 -04:00
wme.c mac80211: cleanup select_queue 2010-12-22 15:44:22 -05:00
wme.h mac80211: fix skb buffering issue 2010-01-05 16:21:40 -05:00
work.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2010-12-15 16:33:28 -05:00
wpa.c mac80211: move packet flags into packet 2010-09-27 15:57:54 -04:00
wpa.h mac80211: 802.11w - Add BIP (AES-128-CMAC) 2009-01-29 16:00:02 -05:00