git.baikalelectronics.ru Git - kernel.git/commit
mac80211: prevent possible crypto tx tailroom corruption
author Michal Kazior <michal.kazior@tieto.com>
Fri, 22 May 2015 08:22:40 +0000 (10:22 +0200)
committer Johannes Berg <johannes.berg@intel.com>
Fri, 29 May 2015 11:04:46 +0000 (13:04 +0200)
commit a7091567dfb7e80ee5f502917d4de1457b884185
tree bf05b367ff55e2c83955485ba836143c0b9b6ed2
parent 2b5b5943c78858c2e15c817c2b17544d3ed2237a
mac80211: prevent possible crypto tx tailroom corruption

There was a possible race between
ieee80211_reconfig() and
ieee80211_delayed_tailroom_dec(). This could
result in inability to transmit data if driver
crashed during roaming or rekeying and subsequent
skbs with insufficient tailroom appeared.

This race was probably never seen in the wild
because a device driver would have to crash AND
recover within 0.5s which is very unlikely.

I was able to prove this race exists after
changing the delay to 10s locally and crashing
ath10k via debugfs immediately after GTK
rekeying. In case of ath10k the counter went below
0. This was harmless but other drivers which
actually require tailroom (e.g. for WEP ICV or
MMIC) could end up with the counter at 0 instead
of >0 and introduce insufficient skb tailroom
failures because mac80211 would not resize skbs
appropriately anymore.

Fixes: 86b7bf9e40ee ("mac80211: defer tailroom counter manipulation when roaming")
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/main.c