From: Sam Leffler Date: Sun, 5 Jul 2009 21:35:05 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r195384 - projects/mesh11s/sys/net80211 X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Jul 2009 21:35:06 -0000 Author: sam Date: Sun Jul 5 21:35:05 2009 New Revision: 195384 URL: http://svn.freebsd.org/changeset/base/195384 Log: o clear vap pointers to private state to catch use-after-free instances o fix use-after-free problem on mesh detach; the last reference to the bss node is reclaimed after mesh (and hwmp) state has been reclaimed so must not touch anything outside the node (or that we know is still accessible) Modified: projects/mesh11s/sys/net80211/ieee80211_hwmp.c projects/mesh11s/sys/net80211/ieee80211_mesh.c Modified: projects/mesh11s/sys/net80211/ieee80211_hwmp.c ============================================================================== --- projects/mesh11s/sys/net80211/ieee80211_hwmp.c Sun Jul 5 21:19:10 2009 (r195383) +++ projects/mesh11s/sys/net80211/ieee80211_hwmp.c Sun Jul 5 21:35:05 2009 (r195384) @@ -302,6 +302,7 @@ ieee80211_hwmp_vdetach(struct ieee80211v callout_drain(&hs->hs_roottimer); mtx_destroy(&hs->hs_lock); free(vap->iv_hwmp, M_80211_HWMP); + vap->iv_hwmp = NULL; } int Modified: projects/mesh11s/sys/net80211/ieee80211_mesh.c ============================================================================== --- projects/mesh11s/sys/net80211/ieee80211_mesh.c Sun Jul 5 21:19:10 2009 (r195383) +++ projects/mesh11s/sys/net80211/ieee80211_mesh.c Sun Jul 5 21:35:05 2009 (r195384) 
@@ -177,6 +177,7 @@ mesh_vdetach(struct ieee80211vap *vap) NULL); ieee80211_hwmp_vdetach(vap); free(vap->iv_mesh, M_80211_VAP); + vap->iv_mesh = NULL; } static void @@ -2099,8 +2100,12 @@ ieee80211_mesh_node_init(struct ieee8021 void ieee80211_mesh_node_cleanup(struct ieee80211_node *ni) { + struct ieee80211vap *vap = ni->ni_vap; + callout_drain(&ni->ni_mltimer); - ieee80211_hwmp_peerdown(ni); + /* NB: short-circuit callbacks after mesh_vdetach */ + if (vap->iv_mesh != NULL) + ieee80211_hwmp_peerdown(ni); } void
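Review bot: In ieee80211_hwmp_vdetach(), the new `vap->iv_hwmp = NULL;` only traps stale accesses that re-read the pointer through the vap. Anything that already holds a copy, such as the local `hs` used just above for `callout_drain(&hs->hs_roottimer)` and `mtx_destroy(&hs->hs_lock)`, still points at freed memory and will not fault on NULL. A one-line comment saying the clear is there to catch use-after-free through `vap->iv_hwmp` would keep it from being read as a complete guard.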
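Review bot: In mesh_vdetach(), `vap->iv_mesh = NULL;` has no comment, yet it is more than a debugging aid: the last hunk makes ieee80211_mesh_node_cleanup() test `vap->iv_mesh != NULL` to decide whether mesh state is still attached. Please note at the assignment that later node cleanup relies on it as the "already detached" marker, so it is not dropped later as a redundant store after free().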
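Review bot: In ieee80211_mesh_node_cleanup(), the guard tests `vap->iv_mesh` but the call it skips is `ieee80211_hwmp_peerdown(ni)`, which belongs to the hwmp state. Since ieee80211_hwmp_vdetach() now clears `vap->iv_hwmp`, either test that pointer or extend the NB comment to say that iv_mesh and iv_hwmp are always torn down together in mesh_vdetach(), which is why one check covers both. The function also dereferences `ni->ni_vap` unconditionally, so the comment should state that the vap itself is still valid when the last bss node reference is reclaimed, as the log message implies.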