From 4581d91b7717152001192112027596fbdeec06f6 Mon Sep 17 00:00:00 2001 From: Thomas Huehn Date: Tue, 17 Jul 2012 22:16:13 +0200 Subject: mac80211_hwsim: fix possible race condition in usage of info->control.sta & control.vif info->control.sta and control.vif may only be dereferenced during the drv_tx call otherwise could lead to use-after-free bugs. Signed-off-by: Thomas Huehn Signed-off-by: John W. Linville --- drivers/net/wireless/mac80211_hwsim.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 643f968b05e..00838395778 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -739,11 +739,6 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw, struct sk_buff *skb) txi = IEEE80211_SKB_CB(skb); - if (txi->control.vif) - hwsim_check_magic(txi->control.vif); - if (txi->control.sta) - hwsim_check_sta_magic(txi->control.sta); - ieee80211_tx_info_clear_status(txi); /* frame was transmitted at most favorable rate at first attempt */ -- cgit v1.2.3 From e4c7f259c5be99dcfc3d98f913590663b0305bf8 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 27 Jul 2012 01:46:51 +0000 Subject: USB: kaweth.c: use GFP_ATOMIC under spin_lock The problem is that we call this with a spin lock held. The call tree is: kaweth_start_xmit() holds kaweth->device_lock. -> kaweth_async_set_rx_mode() -> kaweth_control() -> kaweth_internal_control_msg() The kaweth_internal_control_msg() function is only called from kaweth_control() which used GFP_ATOMIC for its allocations. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- drivers/net/usb/kaweth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/net') diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c index d8ad5528438..c3d03490c97 100644 --- a/drivers/net/usb/kaweth.c +++ b/drivers/net/usb/kaweth.c 
@@ -1314,7 +1314,7 @@ static int kaweth_internal_control_msg(struct usb_device *usb_dev, int retv; int length = 0; /* shut up GCC */ - urb = usb_alloc_urb(0, GFP_NOIO); + urb = usb_alloc_urb(0, GFP_ATOMIC); if (!urb) return -ENOMEM; -- cgit v1.2.3
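Review bot: In the drivers/net/wireless/mac80211_hwsim.c hunk, the deleted checks on txi->control.vif and txi->control.sta sit inside mac80211_hwsim_tx() according to the hunk header, while the commit message says these pointers are safe to dereference during the drv_tx call. The message should state what happens earlier in this function that makes the pointers unsafe by the time `txi = IEEE80211_SKB_CB(skb);` runs. If the magic checks are still wanted as a sanity test, consider moving them to a point in the function where the pointers are known to be valid rather than dropping them, and record that choice in the commit message.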
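Review bot: In the drivers/net/usb/kaweth.c hunk, the new `usb_alloc_urb(0, GFP_ATOMIC)` in kaweth_internal_control_msg() carries no comment explaining the constraint, so a later cleanup could switch the flag back. Add a short comment that this function can be reached with kaweth->device_lock held (via kaweth_start_xmit(), per the commit message) and therefore must not sleep. Because the flag is hardcoded for every caller, it is also worth confirming that nothing after the allocation in this function can sleep on that path, since changing the allocation flag removes only one sleeping point.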