summaryrefslogtreecommitdiff
path: root/net/wireless
diff options
context:
space:
mode:
authorMichal Kazior <michal.kazior@tieto.com>2015-05-22 11:22:40 +0300
committerJohannes Berg <johannes.berg@intel.com>2015-05-29 14:04:46 +0300
commitab499db80fcf07c18e4053f91a619500f663e90e (patch)
treebf05b367ff55e2c83955485ba836143c0b9b6ed2 /net/wireless
parent80279fb7ba5b71981a60988b0307afa43f78f6b1 (diff)
downloadlinux-ab499db80fcf07c18e4053f91a619500f663e90e.tar.xz
mac80211: prevent possible crypto tx tailroom corruption
There was a possible race between ieee80211_reconfig() and ieee80211_delayed_tailroom_dec(). This could result in inability to transmit data if driver crashed during roaming or rekeying and subsequent skbs with insufficient tailroom appeared. This race was probably never seen in the wild because a device driver would have to crash AND recover within 0.5s which is very unlikely. I was able to prove this race exists after changing the delay to 10s locally and crashing ath10k via debugfs immediately after GTK rekeying. In case of ath10k the counter went below 0. This was harmless but other drivers which actually require tailroom (e.g. for WEP ICV or MMIC) could end up with the counter at 0 instead of >0 and introduce insufficient skb tailroom failures because mac80211 would not resize skbs appropriately anymore. Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming") Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless')
0 files changed, 0 insertions, 0 deletions