aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2008-02-25 10:27:46 -0500
committerJohn W. Linville <linville@tuxdriver.com>2008-03-06 15:30:46 -0500
commitd0709a65181beb787ef3f58cfe45536a2bb254c8 (patch)
tree29e5f36583b0e0a3f11b291347e57672eab41dad
parent5cf121c3cdb955583bf0c5d28c992b7968a4aa1a (diff)
mac80211: RCU-ify STA info structure access
This makes access to the STA hash table/list use RCU to protect against freeing of items. However, it's not a true RCU, the copy step is missing: whenever somebody changes a STA item it is simply updated. This is an existing race condition that is now somewhat understandable. This patch also fixes the race key freeing vs. STA destruction by making sure that sta_info_destroy() is always called under RTNL and frees the key. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-3945-rs.c31
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-4965-rs.c27
-rw-r--r--net/mac80211/cfg.c110
-rw-r--r--net/mac80211/debugfs_sta.c4
-rw-r--r--net/mac80211/debugfs_sta.h2
-rw-r--r--net/mac80211/ieee80211.c78
-rw-r--r--net/mac80211/ieee80211_i.h13
-rw-r--r--net/mac80211/ieee80211_iface.c11
-rw-r--r--net/mac80211/ieee80211_ioctl.c42
-rw-r--r--net/mac80211/ieee80211_rate.c8
-rw-r--r--net/mac80211/ieee80211_rate.h1
-rw-r--r--net/mac80211/ieee80211_sta.c123
-rw-r--r--net/mac80211/key.c8
-rw-r--r--net/mac80211/mesh.c5
-rw-r--r--net/mac80211/mesh.h16
-rw-r--r--net/mac80211/mesh_hwmp.c6
-rw-r--r--net/mac80211/mesh_pathtbl.c30
-rw-r--r--net/mac80211/mesh_plink.c101
-rw-r--r--net/mac80211/rc80211_pid_algo.c25
-rw-r--r--net/mac80211/rc80211_simple.c18
-rw-r--r--net/mac80211/rx.c24
-rw-r--r--net/mac80211/sta_info.c387
-rw-r--r--net/mac80211/sta_info.h61
-rw-r--r--net/mac80211/tx.c48
-rw-r--r--net/mac80211/wme.c8
25 files changed, 701 insertions, 486 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-3945-rs.c b/drivers/net/wireless/iwlwifi/iwl-3945-rs.c
index a8223c4cc97c..c4bfba6f3c2b 100644
--- a/drivers/net/wireless/iwlwifi/iwl-3945-rs.c
+++ b/drivers/net/wireless/iwlwifi/iwl-3945-rs.c
@@ -471,10 +471,11 @@ static void rs_tx_status(void *priv_rate,
471 return; 471 return;
472 } 472 }
473 473
474 rcu_read_lock();
475
474 sta = sta_info_get(local, hdr->addr1); 476 sta = sta_info_get(local, hdr->addr1);
475 if (!sta || !sta->rate_ctrl_priv) { 477 if (!sta || !sta->rate_ctrl_priv) {
476 if (sta) 478 rcu_read_unlock();
477 sta_info_put(sta);
478 IWL_DEBUG_RATE("leave: No STA priv data to update!\n"); 479 IWL_DEBUG_RATE("leave: No STA priv data to update!\n");
479 return; 480 return;
480 } 481 }
@@ -547,7 +548,7 @@ static void rs_tx_status(void *priv_rate,
547 548
548 spin_unlock_irqrestore(&rs_sta->lock, flags); 549 spin_unlock_irqrestore(&rs_sta->lock, flags);
549 550
550 sta_info_put(sta); 551 rcu_read_unlock();
551 552
552 IWL_DEBUG_RATE("leave\n"); 553 IWL_DEBUG_RATE("leave\n");
553 554
@@ -658,6 +659,8 @@ static void rs_get_rate(void *priv_rate, struct net_device *dev,
658 659
659 IWL_DEBUG_RATE("enter\n"); 660 IWL_DEBUG_RATE("enter\n");
660 661
662 rcu_read_lock();
663
661 sta = sta_info_get(local, hdr->addr1); 664 sta = sta_info_get(local, hdr->addr1);
662 665
663 /* Send management frames and broadcast/multicast data using lowest 666 /* Send management frames and broadcast/multicast data using lowest
@@ -668,8 +671,7 @@ static void rs_get_rate(void *priv_rate, struct net_device *dev,
668 !sta || !sta->rate_ctrl_priv) { 671 !sta || !sta->rate_ctrl_priv) {
669 IWL_DEBUG_RATE("leave: No STA priv data to update!\n"); 672 IWL_DEBUG_RATE("leave: No STA priv data to update!\n");
670 sel->rate = rate_lowest(local, band, sta); 673 sel->rate = rate_lowest(local, band, sta);
671 if (sta) 674 rcu_read_unlock();
672 sta_info_put(sta);
673 return; 675 return;
674 } 676 }
675 677
@@ -811,7 +813,7 @@ static void rs_get_rate(void *priv_rate, struct net_device *dev,
811 else 813 else
812 sta->txrate_idx = sta->last_txrate_idx; 814 sta->txrate_idx = sta->last_txrate_idx;
813 815
814 sta_info_put(sta); 816 rcu_read_unlock();
815 817
816 IWL_DEBUG_RATE("leave: %d\n", index); 818 IWL_DEBUG_RATE("leave: %d\n", index);
817 819
@@ -843,13 +845,15 @@ int iwl3945_fill_rs_info(struct ieee80211_hw *hw, char *buf, u8 sta_id)
843 unsigned long now = jiffies; 845 unsigned long now = jiffies;
844 u32 max_time = 0; 846 u32 max_time = 0;
845 847
848 rcu_read_lock();
849
846 sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr); 850 sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr);
847 if (!sta || !sta->rate_ctrl_priv) { 851 if (!sta || !sta->rate_ctrl_priv) {
848 if (sta) { 852 if (sta)
849 sta_info_put(sta);
850 IWL_DEBUG_RATE("leave - no private rate data!\n"); 853 IWL_DEBUG_RATE("leave - no private rate data!\n");
851 } else 854 else
852 IWL_DEBUG_RATE("leave - no station!\n"); 855 IWL_DEBUG_RATE("leave - no station!\n");
856 rcu_read_unlock();
853 return sprintf(buf, "station %d not found\n", sta_id); 857 return sprintf(buf, "station %d not found\n", sta_id);
854 } 858 }
855 859
@@ -890,7 +894,7 @@ int iwl3945_fill_rs_info(struct ieee80211_hw *hw, char *buf, u8 sta_id)
890 i = j; 894 i = j;
891 } 895 }
892 spin_unlock_irqrestore(&rs_sta->lock, flags); 896 spin_unlock_irqrestore(&rs_sta->lock, flags);
893 sta_info_put(sta); 897 rcu_read_unlock();
894 898
895 /* Display the average rate of all samples taken. 899 /* Display the average rate of all samples taken.
896 * 900 *
@@ -927,11 +931,12 @@ void iwl3945_rate_scale_init(struct ieee80211_hw *hw, s32 sta_id)
927 return; 931 return;
928 } 932 }
929 933
934 rcu_read_lock();
935
930 sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr); 936 sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr);
931 if (!sta || !sta->rate_ctrl_priv) { 937 if (!sta || !sta->rate_ctrl_priv) {
932 if (sta)
933 sta_info_put(sta);
934 IWL_DEBUG_RATE("leave - no private rate data!\n"); 938 IWL_DEBUG_RATE("leave - no private rate data!\n");
939 rcu_read_unlock();
935 return; 940 return;
936 } 941 }
937 942
@@ -958,7 +963,7 @@ void iwl3945_rate_scale_init(struct ieee80211_hw *hw, s32 sta_id)
958 break; 963 break;
959 } 964 }
960 965
961 sta_info_put(sta); 966 rcu_read_unlock();
962 spin_unlock_irqrestore(&rs_sta->lock, flags); 967 spin_unlock_irqrestore(&rs_sta->lock, flags);
963 968
964 rssi = priv->last_rx_rssi; 969 rssi = priv->last_rx_rssi;
diff --git a/drivers/net/wireless/iwlwifi/iwl-4965-rs.c b/drivers/net/wireless/iwlwifi/iwl-4965-rs.c
index 48a6a85355ec..46d85fd07faa 100644
--- a/drivers/net/wireless/iwlwifi/iwl-4965-rs.c
+++ b/drivers/net/wireless/iwlwifi/iwl-4965-rs.c
@@ -847,12 +847,12 @@ static void rs_tx_status(void *priv_rate, struct net_device *dev,
847 if (retries > 15) 847 if (retries > 15)
848 retries = 15; 848 retries = 15;
849 849
850 rcu_read_lock();
850 851
851 sta = sta_info_get(local, hdr->addr1); 852 sta = sta_info_get(local, hdr->addr1);
852 853
853 if (!sta || !sta->rate_ctrl_priv) { 854 if (!sta || !sta->rate_ctrl_priv) {
854 if (sta) 855 rcu_read_unlock();
855 sta_info_put(sta);
856 return; 856 return;
857 } 857 }
858 858
@@ -891,7 +891,7 @@ static void rs_tx_status(void *priv_rate, struct net_device *dev,
891 if ((rs_index < 0) || (rs_index >= IWL_RATE_COUNT)) { 891 if ((rs_index < 0) || (rs_index >= IWL_RATE_COUNT)) {
892 IWL_DEBUG_RATE("bad rate index at: %d rate 0x%X\n", 892 IWL_DEBUG_RATE("bad rate index at: %d rate 0x%X\n",
893 rs_index, tx_mcs.rate_n_flags); 893 rs_index, tx_mcs.rate_n_flags);
894 sta_info_put(sta); 894 rcu_read_unlock();
895 return; 895 return;
896 } 896 }
897 897
@@ -909,7 +909,7 @@ static void rs_tx_status(void *priv_rate, struct net_device *dev,
909 IWL_DEBUG_RATE("initial rate does not match 0x%x 0x%x\n", 909 IWL_DEBUG_RATE("initial rate does not match 0x%x 0x%x\n",
910 tx_mcs.rate_n_flags, 910 tx_mcs.rate_n_flags,
911 le32_to_cpu(table->rs_table[0].rate_n_flags)); 911 le32_to_cpu(table->rs_table[0].rate_n_flags));
912 sta_info_put(sta); 912 rcu_read_unlock();
913 return; 913 return;
914 } 914 }
915 915
@@ -1025,7 +1025,7 @@ static void rs_tx_status(void *priv_rate, struct net_device *dev,
1025 1025
1026 /* See if there's a better rate or modulation mode to try. */ 1026 /* See if there's a better rate or modulation mode to try. */
1027 rs_rate_scale_perform(priv, dev, hdr, sta); 1027 rs_rate_scale_perform(priv, dev, hdr, sta);
1028 sta_info_put(sta); 1028 rcu_read_unlock();
1029 return; 1029 return;
1030} 1030}
1031 1031
@@ -2219,6 +2219,8 @@ static void rs_get_rate(void *priv_rate, struct net_device *dev,
2219 2219
2220 IWL_DEBUG_RATE_LIMIT("rate scale calculate new rate for skb\n"); 2220 IWL_DEBUG_RATE_LIMIT("rate scale calculate new rate for skb\n");
2221 2221
2222 rcu_read_lock();
2223
2222 sta = sta_info_get(local, hdr->addr1); 2224 sta = sta_info_get(local, hdr->addr1);
2223 2225
2224 /* Send management frames and broadcast/multicast data using lowest 2226 /* Send management frames and broadcast/multicast data using lowest
@@ -2227,8 +2229,7 @@ static void rs_get_rate(void *priv_rate, struct net_device *dev,
2227 if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1) || 2229 if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1) ||
2228 !sta || !sta->rate_ctrl_priv) { 2230 !sta || !sta->rate_ctrl_priv) {
2229 sel->rate = rate_lowest(local, sband, sta); 2231 sel->rate = rate_lowest(local, sband, sta);
2230 if (sta) 2232 rcu_read_unlock();
2231 sta_info_put(sta);
2232 return; 2233 return;
2233 } 2234 }
2234 2235
@@ -2261,7 +2262,7 @@ static void rs_get_rate(void *priv_rate, struct net_device *dev,
2261 sel->rate = rate_lowest(local, sband, sta); 2262 sel->rate = rate_lowest(local, sband, sta);
2262 return; 2263 return;
2263 } 2264 }
2264 sta_info_put(sta); 2265 rcu_read_unlock();
2265 2266
2266 sel->rate = &priv->ieee_rates[i]; 2267 sel->rate = &priv->ieee_rates[i];
2267} 2268}
@@ -2735,13 +2736,15 @@ int iwl4965_fill_rs_info(struct ieee80211_hw *hw, char *buf, u8 sta_id)
2735 u32 max_time = 0; 2736 u32 max_time = 0;
2736 u8 lq_type, antenna; 2737 u8 lq_type, antenna;
2737 2738
2739 rcu_read_lock();
2740
2738 sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr); 2741 sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr);
2739 if (!sta || !sta->rate_ctrl_priv) { 2742 if (!sta || !sta->rate_ctrl_priv) {
2740 if (sta) { 2743 if (sta)
2741 sta_info_put(sta);
2742 IWL_DEBUG_RATE("leave - no private rate data!\n"); 2744 IWL_DEBUG_RATE("leave - no private rate data!\n");
2743 } else 2745 else
2744 IWL_DEBUG_RATE("leave - no station!\n"); 2746 IWL_DEBUG_RATE("leave - no station!\n");
2747 rcu_read_unlock();
2745 return sprintf(buf, "station %d not found\n", sta_id); 2748 return sprintf(buf, "station %d not found\n", sta_id);
2746 } 2749 }
2747 2750
@@ -2808,7 +2811,7 @@ int iwl4965_fill_rs_info(struct ieee80211_hw *hw, char *buf, u8 sta_id)
2808 "active_search %d rate index %d\n", lq_type, antenna, 2811 "active_search %d rate index %d\n", lq_type, antenna,
2809 lq_sta->search_better_tbl, sta->last_txrate_idx); 2812 lq_sta->search_better_tbl, sta->last_txrate_idx);
2810 2813
2811 sta_info_put(sta); 2814 rcu_read_unlock();
2812 return cnt; 2815 return cnt;
2813} 2816}
2814 2817
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 6ac49231efa9..e9ba6fcc0e45 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -136,7 +136,6 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
136 struct ieee80211_sub_if_data *sdata; 136 struct ieee80211_sub_if_data *sdata;
137 struct sta_info *sta = NULL; 137 struct sta_info *sta = NULL;
138 enum ieee80211_key_alg alg; 138 enum ieee80211_key_alg alg;
139 int ret;
140 struct ieee80211_key *key; 139 struct ieee80211_key *key;
141 140
142 sdata = IEEE80211_DEV_TO_SUB_IF(dev); 141 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
@@ -170,12 +169,7 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
170 169
171 ieee80211_key_link(key, sdata, sta); 170 ieee80211_key_link(key, sdata, sta);
172 171
173 ret = 0; 172 return 0;
174
175 if (sta)
176 sta_info_put(sta);
177
178 return ret;
179} 173}
180 174
181static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev, 175static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
@@ -184,7 +178,6 @@ static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
184 struct ieee80211_sub_if_data *sdata; 178 struct ieee80211_sub_if_data *sdata;
185 struct sta_info *sta; 179 struct sta_info *sta;
186 int ret; 180 int ret;
187 struct ieee80211_key *key;
188 181
189 sdata = IEEE80211_DEV_TO_SUB_IF(dev); 182 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
190 183
@@ -195,21 +188,18 @@ static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
195 188
196 ret = 0; 189 ret = 0;
197 if (sta->key) { 190 if (sta->key) {
198 key = sta->key; 191 ieee80211_key_free(sta->key);
199 ieee80211_key_free(key);
200 WARN_ON(sta->key); 192 WARN_ON(sta->key);
201 } else 193 } else
202 ret = -ENOENT; 194 ret = -ENOENT;
203 195
204 sta_info_put(sta);
205 return ret; 196 return ret;
206 } 197 }
207 198
208 if (!sdata->keys[key_idx]) 199 if (!sdata->keys[key_idx])
209 return -ENOENT; 200 return -ENOENT;
210 201
211 key = sdata->keys[key_idx]; 202 ieee80211_key_free(sdata->keys[key_idx]);
212 ieee80211_key_free(key);
213 WARN_ON(sdata->keys[key_idx]); 203 WARN_ON(sdata->keys[key_idx]);
214 204
215 return 0; 205 return 0;
@@ -292,8 +282,6 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
292 err = 0; 282 err = 0;
293 283
294 out: 284 out:
295 if (sta)
296 sta_info_put(sta);
297 return err; 285 return err;
298} 286}
299 287
@@ -311,7 +299,7 @@ static int ieee80211_config_default_key(struct wiphy *wiphy,
311 299
312static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo) 300static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
313{ 301{
314 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 302 struct ieee80211_sub_if_data *sdata = sta->sdata;
315 303
316 sinfo->filled = STATION_INFO_INACTIVE_TIME | 304 sinfo->filled = STATION_INFO_INACTIVE_TIME |
317 STATION_INFO_RX_BYTES | 305 STATION_INFO_RX_BYTES |
@@ -340,16 +328,20 @@ static int ieee80211_dump_station(struct wiphy *wiphy, struct net_device *dev,
340{ 328{
341 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 329 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
342 struct sta_info *sta; 330 struct sta_info *sta;
331 int ret = -ENOENT;
332
333 rcu_read_lock();
343 334
344 sta = sta_info_get_by_idx(local, idx, dev); 335 sta = sta_info_get_by_idx(local, idx, dev);
345 if (!sta) 336 if (sta) {
346 return -ENOENT; 337 ret = 0;
338 memcpy(mac, sta->addr, ETH_ALEN);
339 sta_set_sinfo(sta, sinfo);
340 }
347 341
348 memcpy(mac, sta->addr, ETH_ALEN); 342 rcu_read_unlock();
349 sta_set_sinfo(sta, sinfo);
350 sta_info_put(sta);
351 343
352 return 0; 344 return ret;
353} 345}
354 346
355static int ieee80211_get_station(struct wiphy *wiphy, struct net_device *dev, 347static int ieee80211_get_station(struct wiphy *wiphy, struct net_device *dev,
@@ -357,16 +349,21 @@ static int ieee80211_get_station(struct wiphy *wiphy, struct net_device *dev,
357{ 349{
358 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 350 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
359 struct sta_info *sta; 351 struct sta_info *sta;
352 int ret = -ENOENT;
360 353
361 sta = sta_info_get(local, mac); 354 rcu_read_lock();
362 if (!sta)
363 return -ENOENT;
364 355
365 /* XXX: verify sta->dev == dev */ 356 /* XXX: verify sta->dev == dev */
366 sta_set_sinfo(sta, sinfo);
367 sta_info_put(sta);
368 357
369 return 0; 358 sta = sta_info_get(local, mac);
359 if (sta) {
360 ret = 0;
361 sta_set_sinfo(sta, sinfo);
362 }
363
364 rcu_read_unlock();
365
366 return ret;
370} 367}
371 368
372/* 369/*
@@ -559,8 +556,8 @@ static void ieee80211_send_layer2_update(struct sta_info *sta)
559 msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ 556 msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
560 msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */ 557 msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
561 558
562 skb->dev = sta->dev; 559 skb->dev = sta->sdata->dev;
563 skb->protocol = eth_type_trans(skb, sta->dev); 560 skb->protocol = eth_type_trans(skb, sta->sdata->dev);
564 memset(skb->cb, 0, sizeof(skb->cb)); 561 memset(skb->cb, 0, sizeof(skb->cb));
565 netif_rx(skb); 562 netif_rx(skb);
566} 563}
@@ -572,7 +569,7 @@ static void sta_apply_parameters(struct ieee80211_local *local,
572 u32 rates; 569 u32 rates;
573 int i, j; 570 int i, j;
574 struct ieee80211_supported_band *sband; 571 struct ieee80211_supported_band *sband;
575 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 572 struct ieee80211_sub_if_data *sdata = sta->sdata;
576 573
577 if (params->station_flags & STATION_FLAG_CHANGED) { 574 if (params->station_flags & STATION_FLAG_CHANGED) {
578 sta->flags &= ~WLAN_STA_AUTHORIZED; 575 sta->flags &= ~WLAN_STA_AUTHORIZED;
@@ -644,14 +641,13 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
644 sdata = IEEE80211_DEV_TO_SUB_IF(dev); 641 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
645 642
646 if (ieee80211_vif_is_mesh(&sdata->vif)) 643 if (ieee80211_vif_is_mesh(&sdata->vif))
647 sta = mesh_plink_add(mac, DEFAULT_RATES, dev); 644 sta = mesh_plink_add(mac, DEFAULT_RATES, sdata);
648 else 645 else
649 sta = sta_info_add(local, dev, mac, GFP_KERNEL); 646 sta = sta_info_add(sdata, mac);
650 647
651 if (IS_ERR(sta)) 648 if (IS_ERR(sta))
652 return PTR_ERR(sta); 649 return PTR_ERR(sta);
653 650
654 sta->dev = sdata->dev;
655 if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN || 651 if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN ||
656 sdata->vif.type == IEEE80211_IF_TYPE_AP) 652 sdata->vif.type == IEEE80211_IF_TYPE_AP)
657 ieee80211_send_layer2_update(sta); 653 ieee80211_send_layer2_update(sta);
@@ -662,15 +658,14 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
662 658
663 rate_control_rate_init(sta, local); 659 rate_control_rate_init(sta, local);
664 660
665 sta_info_put(sta);
666
667 return 0; 661 return 0;
668} 662}
669 663
670static int ieee80211_del_station(struct wiphy *wiphy, struct net_device *dev, 664static int ieee80211_del_station(struct wiphy *wiphy, struct net_device *dev,
671 u8 *mac) 665 u8 *mac)
672{ 666{
673 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 667 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
668 struct ieee80211_local *local = sdata->local;
674 struct sta_info *sta; 669 struct sta_info *sta;
675 670
676 if (mac) { 671 if (mac) {
@@ -679,10 +674,14 @@ static int ieee80211_del_station(struct wiphy *wiphy, struct net_device *dev,
679 if (!sta) 674 if (!sta)
680 return -ENOENT; 675 return -ENOENT;
681 676
682 sta_info_free(sta); 677 sta_info_unlink(&sta);
683 sta_info_put(sta); 678
679 if (sta) {
680 synchronize_rcu();
681 sta_info_destroy(sta);
682 }
684 } else 683 } else
685 sta_info_flush(local, dev); 684 sta_info_flush(local, sdata);
686 685
687 return 0; 686 return 0;
688} 687}
@@ -701,21 +700,19 @@ static int ieee80211_change_station(struct wiphy *wiphy,
701 if (!sta) 700 if (!sta)
702 return -ENOENT; 701 return -ENOENT;
703 702
704 if (params->vlan && params->vlan != sta->dev) { 703 if (params->vlan && params->vlan != sta->sdata->dev) {
705 vlansdata = IEEE80211_DEV_TO_SUB_IF(params->vlan); 704 vlansdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
706 705
707 if (vlansdata->vif.type != IEEE80211_IF_TYPE_VLAN || 706 if (vlansdata->vif.type != IEEE80211_IF_TYPE_VLAN ||
708 vlansdata->vif.type != IEEE80211_IF_TYPE_AP) 707 vlansdata->vif.type != IEEE80211_IF_TYPE_AP)
709 return -EINVAL; 708 return -EINVAL;
710 709
711 sta->dev = params->vlan; 710 sta->sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
712 ieee80211_send_layer2_update(sta); 711 ieee80211_send_layer2_update(sta);
713 } 712 }
714 713
715 sta_apply_parameters(local, sta, params); 714 sta_apply_parameters(local, sta, params);
716 715
717 sta_info_put(sta);
718
719 return 0; 716 return 0;
720} 717}
721 718
@@ -735,23 +732,26 @@ static int ieee80211_add_mpath(struct wiphy *wiphy, struct net_device *dev,
735 if (sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT) 732 if (sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT)
736 return -ENOTSUPP; 733 return -ENOTSUPP;
737 734
735 rcu_read_lock();
738 sta = sta_info_get(local, next_hop); 736 sta = sta_info_get(local, next_hop);
739 if (!sta) 737 if (!sta) {
738 rcu_read_unlock();
740 return -ENOENT; 739 return -ENOENT;
740 }
741 741
742 err = mesh_path_add(dst, dev); 742 err = mesh_path_add(dst, dev);
743 if (err) 743 if (err) {
744 rcu_read_unlock();
744 return err; 745 return err;
746 }
745 747
746 rcu_read_lock();
747 mpath = mesh_path_lookup(dst, dev); 748 mpath = mesh_path_lookup(dst, dev);
748 if (!mpath) { 749 if (!mpath) {
749 rcu_read_unlock(); 750 rcu_read_unlock();
750 sta_info_put(sta);
751 return -ENXIO; 751 return -ENXIO;
752 } 752 }
753 mesh_path_fix_nexthop(mpath, sta); 753 mesh_path_fix_nexthop(mpath, sta);
754 sta_info_put(sta); 754
755 rcu_read_unlock(); 755 rcu_read_unlock();
756 return 0; 756 return 0;
757} 757}
@@ -760,7 +760,7 @@ static int ieee80211_del_mpath(struct wiphy *wiphy, struct net_device *dev,
760 u8 *dst) 760 u8 *dst)
761{ 761{
762 if (dst) 762 if (dst)
763 return mesh_path_del(dst, dev); 763 return mesh_path_del(dst, dev, false);
764 764
765 mesh_path_flush(dev); 765 mesh_path_flush(dev);
766 return 0; 766 return 0;
@@ -781,20 +781,22 @@ static int ieee80211_change_mpath(struct wiphy *wiphy,
781 if (sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT) 781 if (sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT)
782 return -ENOTSUPP; 782 return -ENOTSUPP;
783 783
784 rcu_read_lock();
785
784 sta = sta_info_get(local, next_hop); 786 sta = sta_info_get(local, next_hop);
785 if (!sta) 787 if (!sta) {
788 rcu_read_unlock();
786 return -ENOENT; 789 return -ENOENT;
790 }
787 791
788 rcu_read_lock();
789 mpath = mesh_path_lookup(dst, dev); 792 mpath = mesh_path_lookup(dst, dev);
790 if (!mpath) { 793 if (!mpath) {
791 rcu_read_unlock(); 794 rcu_read_unlock();
792 sta_info_put(sta);
793 return -ENOENT; 795 return -ENOENT;
794 } 796 }
795 797
796 mesh_path_fix_nexthop(mpath, sta); 798 mesh_path_fix_nexthop(mpath, sta);
797 sta_info_put(sta); 799
798 rcu_read_unlock(); 800 rcu_read_unlock();
799 return 0; 801 return 0;
800} 802}
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index ed7c9f3b4602..73cfb4da464d 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -51,7 +51,7 @@ static const struct file_operations sta_ ##name## _ops = { \
51 STA_OPS(name) 51 STA_OPS(name)
52 52
53STA_FILE(aid, aid, D); 53STA_FILE(aid, aid, D);
54STA_FILE(dev, dev->name, S); 54STA_FILE(dev, sdata->dev->name, S);
55STA_FILE(rx_packets, rx_packets, LU); 55STA_FILE(rx_packets, rx_packets, LU);
56STA_FILE(tx_packets, tx_packets, LU); 56STA_FILE(tx_packets, tx_packets, LU);
57STA_FILE(rx_bytes, rx_bytes, LU); 57STA_FILE(rx_bytes, rx_bytes, LU);
@@ -200,7 +200,7 @@ static ssize_t sta_agg_status_write(struct file *file,
200 const char __user *user_buf, size_t count, loff_t *ppos) 200 const char __user *user_buf, size_t count, loff_t *ppos)
201{ 201{
202 struct sta_info *sta = file->private_data; 202 struct sta_info *sta = file->private_data;
203 struct net_device *dev = sta->dev; 203 struct net_device *dev = sta->sdata->dev;
204 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 204 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
205 struct ieee80211_hw *hw = &local->hw; 205 struct ieee80211_hw *hw = &local->hw;
206 u8 *da = sta->addr; 206 u8 *da = sta->addr;
diff --git a/net/mac80211/debugfs_sta.h b/net/mac80211/debugfs_sta.h
index 574a1cd54b96..8b608903259f 100644
--- a/net/mac80211/debugfs_sta.h
+++ b/net/mac80211/debugfs_sta.h
@@ -1,6 +1,8 @@
1#ifndef __MAC80211_DEBUGFS_STA_H 1#ifndef __MAC80211_DEBUGFS_STA_H
2#define __MAC80211_DEBUGFS_STA_H 2#define __MAC80211_DEBUGFS_STA_H
3 3
4#include "sta_info.h"
5
4#ifdef CONFIG_MAC80211_DEBUGFS 6#ifdef CONFIG_MAC80211_DEBUGFS
5void ieee80211_sta_debugfs_add(struct sta_info *sta); 7void ieee80211_sta_debugfs_add(struct sta_info *sta);
6void ieee80211_sta_debugfs_remove(struct sta_info *sta); 8void ieee80211_sta_debugfs_remove(struct sta_info *sta);
diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
index 727af295c969..85b1391375c0 100644
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -375,15 +375,19 @@ static int ieee80211_stop(struct net_device *dev)
375 375
376 sdata = IEEE80211_DEV_TO_SUB_IF(dev); 376 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
377 377
378 list_for_each_entry(sta, &local->sta_list, list) { 378 rcu_read_lock();
379 if (sta->dev == dev) 379
380 list_for_each_entry_rcu(sta, &local->sta_list, list) {
381 if (sta->sdata == sdata)
380 for (i = 0; i < STA_TID_NUM; i++) 382 for (i = 0; i < STA_TID_NUM; i++)
381 ieee80211_sta_stop_rx_ba_session(sta->dev, 383 ieee80211_sta_stop_rx_ba_session(sdata->dev,
382 sta->addr, i, 384 sta->addr, i,
383 WLAN_BACK_RECIPIENT, 385 WLAN_BACK_RECIPIENT,
384 WLAN_REASON_QSTA_LEAVE_QBSS); 386 WLAN_REASON_QSTA_LEAVE_QBSS);
385 } 387 }
386 388
389 rcu_read_unlock();
390
387 netif_stop_queue(dev); 391 netif_stop_queue(dev);
388 392
389 /* 393 /*
@@ -449,7 +453,7 @@ static int ieee80211_stop(struct net_device *dev)
449 netif_tx_unlock_bh(local->mdev); 453 netif_tx_unlock_bh(local->mdev);
450 break; 454 break;
451 case IEEE80211_IF_TYPE_MESH_POINT: 455 case IEEE80211_IF_TYPE_MESH_POINT:
452 sta_info_flush(local, dev); 456 sta_info_flush(local, sdata);
453 /* fall through */ 457 /* fall through */
454 case IEEE80211_IF_TYPE_STA: 458 case IEEE80211_IF_TYPE_STA:
455 case IEEE80211_IF_TYPE_IBSS: 459 case IEEE80211_IF_TYPE_IBSS:
@@ -522,9 +526,12 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
522 print_mac(mac, ra), tid); 526 print_mac(mac, ra), tid);
523#endif /* CONFIG_MAC80211_HT_DEBUG */ 527#endif /* CONFIG_MAC80211_HT_DEBUG */
524 528
529 rcu_read_lock();
530
525 sta = sta_info_get(local, ra); 531 sta = sta_info_get(local, ra);
526 if (!sta) { 532 if (!sta) {
527 printk(KERN_DEBUG "Could not find the station\n"); 533 printk(KERN_DEBUG "Could not find the station\n");
534 rcu_read_unlock();
528 return -ENOENT; 535 return -ENOENT;
529 } 536 }
530 537
@@ -564,7 +571,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
564 spin_unlock_bh(&local->mdev->queue_lock); 571 spin_unlock_bh(&local->mdev->queue_lock);
565 goto start_ba_exit; 572 goto start_ba_exit;
566 } 573 }
567 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 574 sdata = sta->sdata;
568 575
569 /* Ok, the Addba frame hasn't been sent yet, but if the driver calls the 576 /* Ok, the Addba frame hasn't been sent yet, but if the driver calls the
570 * call back right away, it must see that the flow has begun */ 577 * call back right away, it must see that the flow has begun */
@@ -601,7 +608,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
601 sta->ampdu_mlme.dialog_token_allocator; 608 sta->ampdu_mlme.dialog_token_allocator;
602 sta->ampdu_mlme.tid_tx[tid].ssn = start_seq_num; 609 sta->ampdu_mlme.tid_tx[tid].ssn = start_seq_num;
603 610
604 ieee80211_send_addba_request(sta->dev, ra, tid, 611 ieee80211_send_addba_request(sta->sdata->dev, ra, tid,
605 sta->ampdu_mlme.tid_tx[tid].dialog_token, 612 sta->ampdu_mlme.tid_tx[tid].dialog_token,
606 sta->ampdu_mlme.tid_tx[tid].ssn, 613 sta->ampdu_mlme.tid_tx[tid].ssn,
607 0x40, 5000); 614 0x40, 5000);
@@ -614,7 +621,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
614 621
615start_ba_exit: 622start_ba_exit:
616 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 623 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
617 sta_info_put(sta); 624 rcu_read_unlock();
618 return ret; 625 return ret;
619} 626}
620EXPORT_SYMBOL(ieee80211_start_tx_ba_session); 627EXPORT_SYMBOL(ieee80211_start_tx_ba_session);
@@ -637,9 +644,12 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
637 print_mac(mac, ra), tid); 644 print_mac(mac, ra), tid);
638#endif /* CONFIG_MAC80211_HT_DEBUG */ 645#endif /* CONFIG_MAC80211_HT_DEBUG */
639 646
647 rcu_read_lock();
640 sta = sta_info_get(local, ra); 648 sta = sta_info_get(local, ra);
641 if (!sta) 649 if (!sta) {
650 rcu_read_unlock();
642 return -ENOENT; 651 return -ENOENT;
652 }
643 653
644 /* check if the TID is in aggregation */ 654 /* check if the TID is in aggregation */
645 state = &sta->ampdu_mlme.tid_tx[tid].state; 655 state = &sta->ampdu_mlme.tid_tx[tid].state;
@@ -673,7 +683,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
673 683
674stop_BA_exit: 684stop_BA_exit:
675 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 685 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
676 sta_info_put(sta); 686 rcu_read_unlock();
677 return ret; 687 return ret;
678} 688}
679EXPORT_SYMBOL(ieee80211_stop_tx_ba_session); 689EXPORT_SYMBOL(ieee80211_stop_tx_ba_session);
@@ -691,8 +701,10 @@ void ieee80211_start_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u16 tid)
691 return; 701 return;
692 } 702 }
693 703
704 rcu_read_lock();
694 sta = sta_info_get(local, ra); 705 sta = sta_info_get(local, ra);
695 if (!sta) { 706 if (!sta) {
707 rcu_read_unlock();
696 printk(KERN_DEBUG "Could not find station: %s\n", 708 printk(KERN_DEBUG "Could not find station: %s\n",
697 print_mac(mac, ra)); 709 print_mac(mac, ra));
698 return; 710 return;
@@ -705,7 +717,7 @@ void ieee80211_start_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u16 tid)
705 printk(KERN_DEBUG "addBA was not requested yet, state is %d\n", 717 printk(KERN_DEBUG "addBA was not requested yet, state is %d\n",
706 *state); 718 *state);
707 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 719 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
708 sta_info_put(sta); 720 rcu_read_unlock();
709 return; 721 return;
710 } 722 }
711 723
@@ -718,7 +730,7 @@ void ieee80211_start_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u16 tid)
718 ieee80211_wake_queue(hw, sta->tid_to_tx_q[tid]); 730 ieee80211_wake_queue(hw, sta->tid_to_tx_q[tid]);
719 } 731 }
720 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 732 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
721 sta_info_put(sta); 733 rcu_read_unlock();
722} 734}
723EXPORT_SYMBOL(ieee80211_start_tx_ba_cb); 735EXPORT_SYMBOL(ieee80211_start_tx_ba_cb);
724 736
@@ -739,10 +751,12 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid)
739 printk(KERN_DEBUG "Stop a BA session requested on DA %s tid %d\n", 751 printk(KERN_DEBUG "Stop a BA session requested on DA %s tid %d\n",
740 print_mac(mac, ra), tid); 752 print_mac(mac, ra), tid);
741 753
754 rcu_read_lock();
742 sta = sta_info_get(local, ra); 755 sta = sta_info_get(local, ra);
743 if (!sta) { 756 if (!sta) {
744 printk(KERN_DEBUG "Could not find station: %s\n", 757 printk(KERN_DEBUG "Could not find station: %s\n",
745 print_mac(mac, ra)); 758 print_mac(mac, ra));
759 rcu_read_unlock();
746 return; 760 return;
747 } 761 }
748 state = &sta->ampdu_mlme.tid_tx[tid].state; 762 state = &sta->ampdu_mlme.tid_tx[tid].state;
@@ -750,13 +764,13 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid)
750 spin_lock_bh(&sta->ampdu_mlme.ampdu_tx); 764 spin_lock_bh(&sta->ampdu_mlme.ampdu_tx);
751 if ((*state & HT_AGG_STATE_REQ_STOP_BA_MSK) == 0) { 765 if ((*state & HT_AGG_STATE_REQ_STOP_BA_MSK) == 0) {
752 printk(KERN_DEBUG "unexpected callback to A-MPDU stop\n"); 766 printk(KERN_DEBUG "unexpected callback to A-MPDU stop\n");
753 sta_info_put(sta);
754 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 767 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
768 rcu_read_unlock();
755 return; 769 return;
756 } 770 }
757 771
758 if (*state & HT_AGG_STATE_INITIATOR_MSK) 772 if (*state & HT_AGG_STATE_INITIATOR_MSK)
759 ieee80211_send_delba(sta->dev, ra, tid, 773 ieee80211_send_delba(sta->sdata->dev, ra, tid,
760 WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE); 774 WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
761 775
762 agg_queue = sta->tid_to_tx_q[tid]; 776 agg_queue = sta->tid_to_tx_q[tid];
@@ -777,7 +791,7 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid)
777 sta->ampdu_mlme.tid_tx[tid].addba_req_num = 0; 791 sta->ampdu_mlme.tid_tx[tid].addba_req_num = 0;
778 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 792 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
779 793
780 sta_info_put(sta); 794 rcu_read_unlock();
781} 795}
782EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb); 796EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb);
783 797
@@ -887,32 +901,41 @@ int ieee80211_if_update_wds(struct net_device *dev, u8 *remote_addr)
887 struct sta_info *sta; 901 struct sta_info *sta;
888 DECLARE_MAC_BUF(mac); 902 DECLARE_MAC_BUF(mac);
889 903
904 might_sleep();
905
890 if (compare_ether_addr(remote_addr, sdata->u.wds.remote_addr) == 0) 906 if (compare_ether_addr(remote_addr, sdata->u.wds.remote_addr) == 0)
891 return 0; 907 return 0;
892 908
909 rcu_read_lock();
910
893 /* Create STA entry for the new peer */ 911 /* Create STA entry for the new peer */
894 sta = sta_info_add(local, dev, remote_addr, GFP_KERNEL); 912 sta = sta_info_add(sdata, remote_addr);
895 if (IS_ERR(sta)) 913 if (IS_ERR(sta)) {
914 rcu_read_unlock();
896 return PTR_ERR(sta); 915 return PTR_ERR(sta);
916 }
897 917
898 sta->flags |= WLAN_STA_AUTHORIZED; 918 sta->flags |= WLAN_STA_AUTHORIZED;
899 919
900 sta_info_put(sta);
901
902 /* Remove STA entry for the old peer */ 920 /* Remove STA entry for the old peer */
903 sta = sta_info_get(local, sdata->u.wds.remote_addr); 921 sta = sta_info_get(local, sdata->u.wds.remote_addr);
904 if (sta) { 922 if (sta)
905 sta_info_free(sta); 923 sta_info_unlink(&sta);
906 sta_info_put(sta); 924 else
907 } else {
908 printk(KERN_DEBUG "%s: could not find STA entry for WDS link " 925 printk(KERN_DEBUG "%s: could not find STA entry for WDS link "
909 "peer %s\n", 926 "peer %s\n",
910 dev->name, print_mac(mac, sdata->u.wds.remote_addr)); 927 dev->name, print_mac(mac, sdata->u.wds.remote_addr));
911 }
912 928
913 /* Update WDS link data */ 929 /* Update WDS link data */
914 memcpy(&sdata->u.wds.remote_addr, remote_addr, ETH_ALEN); 930 memcpy(&sdata->u.wds.remote_addr, remote_addr, ETH_ALEN);
915 931
932 rcu_read_unlock();
933
934 if (sta) {
935 synchronize_rcu();
936 sta_info_destroy(sta);
937 }
938
916 return 0; 939 return 0;
917} 940}
918 941
@@ -1330,6 +1353,8 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
1330 return; 1353 return;
1331 } 1354 }
1332 1355
1356 rcu_read_lock();
1357
1333 if (status->excessive_retries) { 1358 if (status->excessive_retries) {
1334 struct sta_info *sta; 1359 struct sta_info *sta;
1335 sta = sta_info_get(local, hdr->addr1); 1360 sta = sta_info_get(local, hdr->addr1);
@@ -1343,10 +1368,9 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
1343 status->flags |= IEEE80211_TX_STATUS_TX_FILTERED; 1368 status->flags |= IEEE80211_TX_STATUS_TX_FILTERED;
1344 ieee80211_handle_filtered_frame(local, sta, 1369 ieee80211_handle_filtered_frame(local, sta,
1345 skb, status); 1370 skb, status);
1346 sta_info_put(sta); 1371 rcu_read_unlock();
1347 return; 1372 return;
1348 } 1373 }
1349 sta_info_put(sta);
1350 } 1374 }
1351 } 1375 }
1352 1376
@@ -1356,12 +1380,14 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
1356 if (sta) { 1380 if (sta) {
1357 ieee80211_handle_filtered_frame(local, sta, skb, 1381 ieee80211_handle_filtered_frame(local, sta, skb,
1358 status); 1382 status);
1359 sta_info_put(sta); 1383 rcu_read_unlock();
1360 return; 1384 return;
1361 } 1385 }
1362 } else 1386 } else
1363 rate_control_tx_status(local->mdev, skb, status); 1387 rate_control_tx_status(local->mdev, skb, status);
1364 1388
1389 rcu_read_unlock();
1390
1365 ieee80211_led_tx(local, 0); 1391 ieee80211_led_tx(local, 0);
1366 1392
1367 /* SNMP counters 1393 /* SNMP counters
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index d3b5cc57af40..8e440c5706dd 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -574,6 +574,7 @@ struct ieee80211_local {
574 unsigned int filter_flags; /* FIF_* */ 574 unsigned int filter_flags; /* FIF_* */
575 struct iw_statistics wstats; 575 struct iw_statistics wstats;
576 u8 wstats_flags; 576 u8 wstats_flags;
577 bool tim_in_locked_section; /* see ieee80211_beacon_get() */
577 int tx_headroom; /* required headroom for hardware/radiotap */ 578 int tx_headroom; /* required headroom for hardware/radiotap */
578 579
579 enum { 580 enum {
@@ -591,9 +592,15 @@ struct ieee80211_local {
591 struct sk_buff_head skb_queue; 592 struct sk_buff_head skb_queue;
592 struct sk_buff_head skb_queue_unreliable; 593 struct sk_buff_head skb_queue_unreliable;
593 594
594 /* Station data structures */ 595 /* Station data */
595 rwlock_t sta_lock; /* protects STA data structures */ 596 /*
596 int num_sta; /* number of stations in sta_list */ 597 * The lock only protects the list, hash, timer and counter
598 * against manipulation, reads are done in RCU. Additionally,
599 * the lock protects each BSS's TIM bitmap and a few items
600 * in a STA info structure.
601 */
602 spinlock_t sta_lock;
603 unsigned long num_sta;
597 struct list_head sta_list; 604 struct list_head sta_list;
598 struct sta_info *sta_hash[STA_HASH_SIZE]; 605 struct sta_info *sta_hash[STA_HASH_SIZE];
599 struct timer_list sta_cleanup; 606 struct timer_list sta_cleanup;
diff --git a/net/mac80211/ieee80211_iface.c b/net/mac80211/ieee80211_iface.c
index b0f17a2b1a42..98b22736e883 100644
--- a/net/mac80211/ieee80211_iface.c
+++ b/net/mac80211/ieee80211_iface.c
@@ -240,16 +240,21 @@ void ieee80211_if_reinit(struct net_device *dev)
240 break; 240 break;
241 } 241 }
242 case IEEE80211_IF_TYPE_WDS: 242 case IEEE80211_IF_TYPE_WDS:
243 rcu_read_lock();
243 sta = sta_info_get(local, sdata->u.wds.remote_addr); 244 sta = sta_info_get(local, sdata->u.wds.remote_addr);
244 if (sta) { 245 if (sta) {
245 sta_info_free(sta); 246 sta_info_unlink(&sta);
246 sta_info_put(sta);
247 } else { 247 } else {
248#ifdef CONFIG_MAC80211_VERBOSE_DEBUG 248#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
249 printk(KERN_DEBUG "%s: Someone had deleted my STA " 249 printk(KERN_DEBUG "%s: Someone had deleted my STA "
250 "entry for the WDS link\n", dev->name); 250 "entry for the WDS link\n", dev->name);
251#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */ 251#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
252 } 252 }
253 rcu_read_unlock();
254 if (sta) {
255 synchronize_rcu();
256 sta_info_destroy(sta);
257 }
253 break; 258 break;
254 case IEEE80211_IF_TYPE_MESH_POINT: 259 case IEEE80211_IF_TYPE_MESH_POINT:
255 case IEEE80211_IF_TYPE_STA: 260 case IEEE80211_IF_TYPE_STA:
@@ -275,7 +280,7 @@ void ieee80211_if_reinit(struct net_device *dev)
275 } 280 }
276 281
277 /* remove all STAs that are bound to this virtual interface */ 282 /* remove all STAs that are bound to this virtual interface */
278 sta_info_flush(local, dev); 283 sta_info_flush(local, sdata);
279 284
280 memset(&sdata->u, 0, sizeof(sdata->u)); 285 memset(&sdata->u, 0, sizeof(sdata->u));
281 ieee80211_if_sdata_init(sdata); 286 ieee80211_if_sdata_init(sdata);
diff --git a/net/mac80211/ieee80211_ioctl.c b/net/mac80211/ieee80211_ioctl.c
index 38e2d83e15f4..5147152b9268 100644
--- a/net/mac80211/ieee80211_ioctl.c
+++ b/net/mac80211/ieee80211_ioctl.c
@@ -33,8 +33,7 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
33 size_t key_len) 33 size_t key_len)
34{ 34{
35 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 35 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
36 int ret; 36 struct sta_info *sta;
37 struct sta_info *sta = NULL;
38 struct ieee80211_key *key; 37 struct ieee80211_key *key;
39 struct ieee80211_sub_if_data *sdata; 38 struct ieee80211_sub_if_data *sdata;
40 39
@@ -51,24 +50,23 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
51 key = sdata->keys[idx]; 50 key = sdata->keys[idx];
52 } else { 51 } else {
53 sta = sta_info_get(local, sta_addr); 52 sta = sta_info_get(local, sta_addr);
54 if (!sta) { 53 if (!sta)
55 ret = -ENOENT; 54 return -ENOENT;
56 key = NULL;
57 goto err_out;
58 }
59
60 key = sta->key; 55 key = sta->key;
61 } 56 }
62 57
63 if (!key) 58 if (!key)
64 ret = -ENOENT; 59 return -ENOENT;
65 else 60
66 ret = 0; 61 ieee80211_key_free(key);
62 return 0;
67 } else { 63 } else {
68 key = ieee80211_key_alloc(alg, idx, key_len, _key); 64 key = ieee80211_key_alloc(alg, idx, key_len, _key);
69 if (!key) 65 if (!key)
70 return -ENOMEM; 66 return -ENOMEM;
71 67
68 sta = NULL;
69
72 if (!is_broadcast_ether_addr(sta_addr)) { 70 if (!is_broadcast_ether_addr(sta_addr)) {
73 set_tx_key = 0; 71 set_tx_key = 0;
74 /* 72 /*
@@ -78,14 +76,14 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
78 * work around this. 76 * work around this.
79 */ 77 */
80 if (idx != 0 && alg != ALG_WEP) { 78 if (idx != 0 && alg != ALG_WEP) {
81 ret = -EINVAL; 79 ieee80211_key_free(key);
82 goto err_out; 80 return -EINVAL;
83 } 81 }
84 82
85 sta = sta_info_get(local, sta_addr); 83 sta = sta_info_get(local, sta_addr);
86 if (!sta) { 84 if (!sta) {
87 ret = -ENOENT; 85 ieee80211_key_free(key);
88 goto err_out; 86 return -ENOENT;
89 } 87 }
90 } 88 }
91 89
@@ -93,18 +91,9 @@ static int ieee80211_set_encryption(struct net_device *dev, u8 *sta_addr,
93 91
94 if (set_tx_key || (!sta && !sdata->default_key && key)) 92 if (set_tx_key || (!sta && !sdata->default_key && key))
95 ieee80211_set_default_key(sdata, idx); 93 ieee80211_set_default_key(sdata, idx);
96
97 /* don't free key later */
98 key = NULL;
99
100 ret = 0;
101 } 94 }
102 95
103 err_out: 96 return 0;
104 if (sta)
105 sta_info_put(sta);
106 ieee80211_key_free(key);
107 return ret;
108} 97}
109 98
110static int ieee80211_ioctl_siwgenie(struct net_device *dev, 99static int ieee80211_ioctl_siwgenie(struct net_device *dev,
@@ -625,7 +614,7 @@ static int ieee80211_ioctl_giwrate(struct net_device *dev,
625 else 614 else
626 rate->value = 0; 615 rate->value = 0;
627 rate->value *= 100000; 616 rate->value *= 100000;
628 sta_info_put(sta); 617
629 return 0; 618 return 0;
630} 619}
631 620
@@ -1000,7 +989,6 @@ static struct iw_statistics *ieee80211_get_wireless_stats(struct net_device *dev
1000 wstats->qual.qual = sta->last_signal; 989 wstats->qual.qual = sta->last_signal;
1001 wstats->qual.noise = sta->last_noise; 990 wstats->qual.noise = sta->last_noise;
1002 wstats->qual.updated = local->wstats_flags; 991 wstats->qual.updated = local->wstats_flags;
1003 sta_info_put(sta);
1004 } 992 }
1005 return wstats; 993 return wstats;
1006} 994}
diff --git a/net/mac80211/ieee80211_rate.c b/net/mac80211/ieee80211_rate.c
index ebe29b716b27..4de06f128d90 100644
--- a/net/mac80211/ieee80211_rate.c
+++ b/net/mac80211/ieee80211_rate.c
@@ -170,9 +170,12 @@ void rate_control_get_rate(struct net_device *dev,
170 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 170 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
171 struct rate_control_ref *ref = local->rate_ctrl; 171 struct rate_control_ref *ref = local->rate_ctrl;
172 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 172 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
173 struct sta_info *sta = sta_info_get(local, hdr->addr1); 173 struct sta_info *sta;
174 int i; 174 int i;
175 175
176 rcu_read_lock();
177 sta = sta_info_get(local, hdr->addr1);
178
176 memset(sel, 0, sizeof(struct rate_selection)); 179 memset(sel, 0, sizeof(struct rate_selection));
177 180
178 ref->ops->get_rate(ref->priv, dev, sband, skb, sel); 181 ref->ops->get_rate(ref->priv, dev, sband, skb, sel);
@@ -190,8 +193,7 @@ void rate_control_get_rate(struct net_device *dev,
190 } 193 }
191 } 194 }
192 195
193 if (sta) 196 rcu_read_unlock();
194 sta_info_put(sta);
195} 197}
196 198
197struct rate_control_ref *rate_control_get(struct rate_control_ref *ref) 199struct rate_control_ref *rate_control_get(struct rate_control_ref *ref)
diff --git a/net/mac80211/ieee80211_rate.h b/net/mac80211/ieee80211_rate.h
index 5f9a2ca49a57..bfd0a1982e4a 100644
--- a/net/mac80211/ieee80211_rate.h
+++ b/net/mac80211/ieee80211_rate.h
@@ -14,6 +14,7 @@
14#include <linux/netdevice.h> 14#include <linux/netdevice.h>
15#include <linux/skbuff.h> 15#include <linux/skbuff.h>
16#include <linux/types.h> 16#include <linux/types.h>
17#include <linux/kref.h>
17#include <net/mac80211.h> 18#include <net/mac80211.h>
18#include "ieee80211_i.h" 19#include "ieee80211_i.h"
19#include "sta_info.h" 20#include "sta_info.h"
diff --git a/net/mac80211/ieee80211_sta.c b/net/mac80211/ieee80211_sta.c
index 9f933aeca719..a3e96eb59eb0 100644
--- a/net/mac80211/ieee80211_sta.c
+++ b/net/mac80211/ieee80211_sta.c
@@ -24,6 +24,7 @@
24#include <linux/wireless.h> 24#include <linux/wireless.h>
25#include <linux/random.h> 25#include <linux/random.h>
26#include <linux/etherdevice.h> 26#include <linux/etherdevice.h>
27#include <linux/rtnetlink.h>
27#include <net/iw_handler.h> 28#include <net/iw_handler.h>
28#include <asm/types.h> 29#include <asm/types.h>
29 30
@@ -845,6 +846,8 @@ static void ieee80211_associated(struct net_device *dev,
845 846
846 ifsta->state = IEEE80211_ASSOCIATED; 847 ifsta->state = IEEE80211_ASSOCIATED;
847 848
849 rcu_read_lock();
850
848 sta = sta_info_get(local, ifsta->bssid); 851 sta = sta_info_get(local, ifsta->bssid);
849 if (!sta) { 852 if (!sta) {
850 printk(KERN_DEBUG "%s: No STA entry for own AP %s\n", 853 printk(KERN_DEBUG "%s: No STA entry for own AP %s\n",
@@ -860,7 +863,7 @@ static void ieee80211_associated(struct net_device *dev,
860 "range\n", 863 "range\n",
861 dev->name, print_mac(mac, ifsta->bssid)); 864 dev->name, print_mac(mac, ifsta->bssid));
862 disassoc = 1; 865 disassoc = 1;
863 sta_info_free(sta); 866 sta_info_unlink(&sta);
864 } else 867 } else
865 ieee80211_send_probe_req(dev, ifsta->bssid, 868 ieee80211_send_probe_req(dev, ifsta->bssid,
866 local->scan_ssid, 869 local->scan_ssid,
@@ -876,8 +879,17 @@ static void ieee80211_associated(struct net_device *dev,
876 ifsta->ssid_len); 879 ifsta->ssid_len);
877 } 880 }
878 } 881 }
879 sta_info_put(sta);
880 } 882 }
883
884 rcu_read_unlock();
885
886 if (disassoc && sta) {
887 synchronize_rcu();
888 rtnl_lock();
889 sta_info_destroy(sta);
890 rtnl_unlock();
891 }
892
881 if (disassoc) { 893 if (disassoc) {
882 ifsta->state = IEEE80211_DISABLED; 894 ifsta->state = IEEE80211_DISABLED;
883 ieee80211_set_associated(dev, ifsta, 0); 895 ieee80211_set_associated(dev, ifsta, 0);
@@ -1103,9 +1115,13 @@ static void ieee80211_sta_process_addba_request(struct net_device *dev,
1103 int ret = -EOPNOTSUPP; 1115 int ret = -EOPNOTSUPP;
1104 DECLARE_MAC_BUF(mac); 1116 DECLARE_MAC_BUF(mac);
1105 1117
1118 rcu_read_lock();
1119
1106 sta = sta_info_get(local, mgmt->sa); 1120 sta = sta_info_get(local, mgmt->sa);
1107 if (!sta) 1121 if (!sta) {
1122 rcu_read_unlock();
1108 return; 1123 return;
1124 }
1109 1125
1110 /* extract session parameters from addba request frame */ 1126 /* extract session parameters from addba request frame */
1111 dialog_token = mgmt->u.action.u.addba_req.dialog_token; 1127 dialog_token = mgmt->u.action.u.addba_req.dialog_token;
@@ -1197,9 +1213,9 @@ end:
1197 spin_unlock_bh(&sta->ampdu_mlme.ampdu_rx); 1213 spin_unlock_bh(&sta->ampdu_mlme.ampdu_rx);
1198 1214
1199end_no_lock: 1215end_no_lock:
1200 ieee80211_send_addba_resp(sta->dev, sta->addr, tid, dialog_token, 1216 ieee80211_send_addba_resp(sta->sdata->dev, sta->addr, tid,
1201 status, 1, buf_size, timeout); 1217 dialog_token, status, 1, buf_size, timeout);
1202 sta_info_put(sta); 1218 rcu_read_unlock();
1203} 1219}
1204 1220
1205static void ieee80211_sta_process_addba_resp(struct net_device *dev, 1221static void ieee80211_sta_process_addba_resp(struct net_device *dev,
@@ -1213,9 +1229,13 @@ static void ieee80211_sta_process_addba_resp(struct net_device *dev,
1213 u16 tid; 1229 u16 tid;
1214 u8 *state; 1230 u8 *state;
1215 1231
1232 rcu_read_lock();
1233
1216 sta = sta_info_get(local, mgmt->sa); 1234 sta = sta_info_get(local, mgmt->sa);
1217 if (!sta) 1235 if (!sta) {
1236 rcu_read_unlock();
1218 return; 1237 return;
1238 }
1219 1239
1220 capab = le16_to_cpu(mgmt->u.action.u.addba_resp.capab); 1240 capab = le16_to_cpu(mgmt->u.action.u.addba_resp.capab);
1221 tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2; 1241 tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2;
@@ -1230,7 +1250,7 @@ static void ieee80211_sta_process_addba_resp(struct net_device *dev,
1230#ifdef CONFIG_MAC80211_HT_DEBUG 1250#ifdef CONFIG_MAC80211_HT_DEBUG
1231 printk(KERN_DEBUG "wrong addBA response token, tid %d\n", tid); 1251 printk(KERN_DEBUG "wrong addBA response token, tid %d\n", tid);
1232#endif /* CONFIG_MAC80211_HT_DEBUG */ 1252#endif /* CONFIG_MAC80211_HT_DEBUG */
1233 sta_info_put(sta); 1253 rcu_read_unlock();
1234 return; 1254 return;
1235 } 1255 }
1236 1256
@@ -1244,7 +1264,7 @@ static void ieee80211_sta_process_addba_resp(struct net_device *dev,
1244 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx); 1264 spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
1245 printk(KERN_DEBUG "state not HT_ADDBA_REQUESTED_MSK:" 1265 printk(KERN_DEBUG "state not HT_ADDBA_REQUESTED_MSK:"
1246 "%d\n", *state); 1266 "%d\n", *state);
1247 sta_info_put(sta); 1267 rcu_read_unlock();
1248 return; 1268 return;
1249 } 1269 }
1250 1270
@@ -1271,7 +1291,7 @@ static void ieee80211_sta_process_addba_resp(struct net_device *dev,
1271 ieee80211_stop_tx_ba_session(hw, sta->addr, tid, 1291 ieee80211_stop_tx_ba_session(hw, sta->addr, tid,
1272 WLAN_BACK_INITIATOR); 1292 WLAN_BACK_INITIATOR);
1273 } 1293 }
1274 sta_info_put(sta); 1294 rcu_read_unlock();
1275} 1295}
1276 1296
1277void ieee80211_send_delba(struct net_device *dev, const u8 *da, u16 tid, 1297void ieee80211_send_delba(struct net_device *dev, const u8 *da, u16 tid,
@@ -1326,16 +1346,20 @@ void ieee80211_sta_stop_rx_ba_session(struct net_device *dev, u8 *ra, u16 tid,
1326 struct sta_info *sta; 1346 struct sta_info *sta;
1327 int ret, i; 1347 int ret, i;
1328 1348
1349 rcu_read_lock();
1350
1329 sta = sta_info_get(local, ra); 1351 sta = sta_info_get(local, ra);
1330 if (!sta) 1352 if (!sta) {
1353 rcu_read_unlock();
1331 return; 1354 return;
1355 }
1332 1356
1333 /* check if TID is in operational state */ 1357 /* check if TID is in operational state */
1334 spin_lock_bh(&sta->ampdu_mlme.ampdu_rx); 1358 spin_lock_bh(&sta->ampdu_mlme.ampdu_rx);
1335 if (sta->ampdu_mlme.tid_rx[tid].state 1359 if (sta->ampdu_mlme.tid_rx[tid].state
1336 != HT_AGG_STATE_OPERATIONAL) { 1360 != HT_AGG_STATE_OPERATIONAL) {
1337 spin_unlock_bh(&sta->ampdu_mlme.ampdu_rx); 1361 spin_unlock_bh(&sta->ampdu_mlme.ampdu_rx);
1338 sta_info_put(sta); 1362 rcu_read_unlock();
1339 return; 1363 return;
1340 } 1364 }
1341 sta->ampdu_mlme.tid_rx[tid].state = 1365 sta->ampdu_mlme.tid_rx[tid].state =
@@ -1374,7 +1398,7 @@ void ieee80211_sta_stop_rx_ba_session(struct net_device *dev, u8 *ra, u16 tid,
1374 kfree(sta->ampdu_mlme.tid_rx[tid].reorder_buf); 1398 kfree(sta->ampdu_mlme.tid_rx[tid].reorder_buf);
1375 1399
1376 sta->ampdu_mlme.tid_rx[tid].state = HT_AGG_STATE_IDLE; 1400 sta->ampdu_mlme.tid_rx[tid].state = HT_AGG_STATE_IDLE;
1377 sta_info_put(sta); 1401 rcu_read_unlock();
1378} 1402}
1379 1403
1380 1404
@@ -1387,9 +1411,13 @@ static void ieee80211_sta_process_delba(struct net_device *dev,
1387 u16 initiator; 1411 u16 initiator;
1388 DECLARE_MAC_BUF(mac); 1412 DECLARE_MAC_BUF(mac);
1389 1413
1414 rcu_read_lock();
1415
1390 sta = sta_info_get(local, mgmt->sa); 1416 sta = sta_info_get(local, mgmt->sa);
1391 if (!sta) 1417 if (!sta) {
1418 rcu_read_unlock();
1392 return; 1419 return;
1420 }
1393 1421
1394 params = le16_to_cpu(mgmt->u.action.u.delba.params); 1422 params = le16_to_cpu(mgmt->u.action.u.delba.params);
1395 tid = (params & IEEE80211_DELBA_PARAM_TID_MASK) >> 12; 1423 tid = (params & IEEE80211_DELBA_PARAM_TID_MASK) >> 12;
@@ -1414,7 +1442,7 @@ static void ieee80211_sta_process_delba(struct net_device *dev,
1414 ieee80211_stop_tx_ba_session(&local->hw, sta->addr, tid, 1442 ieee80211_stop_tx_ba_session(&local->hw, sta->addr, tid,
1415 WLAN_BACK_RECIPIENT); 1443 WLAN_BACK_RECIPIENT);
1416 } 1444 }
1417 sta_info_put(sta); 1445 rcu_read_unlock();
1418} 1446}
1419 1447
1420/* 1448/*
@@ -1437,9 +1465,13 @@ void sta_addba_resp_timer_expired(unsigned long data)
1437 struct sta_info *sta; 1465 struct sta_info *sta;
1438 u8 *state; 1466 u8 *state;
1439 1467
1468 rcu_read_lock();
1469
1440 sta = sta_info_get(local, temp_sta->addr); 1470 sta = sta_info_get(local, temp_sta->addr);
1441 if (!sta) 1471 if (!sta) {
1472 rcu_read_unlock();
1442 return; 1473 return;
1474 }
1443 1475
1444 state = &sta->ampdu_mlme.tid_tx[tid].state; 1476 state = &sta->ampdu_mlme.tid_tx[tid].state;
1445 /* check if the TID waits for addBA response */ 1477 /* check if the TID waits for addBA response */
@@ -1461,7 +1493,7 @@ void sta_addba_resp_timer_expired(unsigned long data)
1461 WLAN_BACK_INITIATOR); 1493 WLAN_BACK_INITIATOR);
1462 1494
1463timer_expired_exit: 1495timer_expired_exit:
1464 sta_info_put(sta); 1496 rcu_read_unlock();
1465} 1497}
1466 1498
1467/* 1499/*
@@ -1481,8 +1513,8 @@ void sta_rx_agg_session_timer_expired(unsigned long data)
1481 timer_to_tid[0]); 1513 timer_to_tid[0]);
1482 1514
1483 printk(KERN_DEBUG "rx session timer expired on tid %d\n", (u16)*ptid); 1515 printk(KERN_DEBUG "rx session timer expired on tid %d\n", (u16)*ptid);
1484 ieee80211_sta_stop_rx_ba_session(sta->dev, sta->addr, (u16)*ptid, 1516 ieee80211_sta_stop_rx_ba_session(sta->sdata->dev, sta->addr,
1485 WLAN_BACK_TIMER, 1517 (u16)*ptid, WLAN_BACK_TIMER,
1486 WLAN_REASON_QSTA_TIMEOUT); 1518 WLAN_REASON_QSTA_TIMEOUT);
1487} 1519}
1488 1520
@@ -1791,14 +1823,18 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
1791 if (ifsta->assocresp_ies) 1823 if (ifsta->assocresp_ies)
1792 memcpy(ifsta->assocresp_ies, pos, ifsta->assocresp_ies_len); 1824 memcpy(ifsta->assocresp_ies, pos, ifsta->assocresp_ies_len);
1793 1825
1826 rcu_read_lock();
1827
1794 /* Add STA entry for the AP */ 1828 /* Add STA entry for the AP */
1795 sta = sta_info_get(local, ifsta->bssid); 1829 sta = sta_info_get(local, ifsta->bssid);
1796 if (!sta) { 1830 if (!sta) {
1797 struct ieee80211_sta_bss *bss; 1831 struct ieee80211_sta_bss *bss;
1798 sta = sta_info_add(local, dev, ifsta->bssid, GFP_KERNEL); 1832
1833 sta = sta_info_add(sdata, ifsta->bssid);
1799 if (IS_ERR(sta)) { 1834 if (IS_ERR(sta)) {
1800 printk(KERN_DEBUG "%s: failed to add STA entry for the" 1835 printk(KERN_DEBUG "%s: failed to add STA entry for the"
1801 " AP (error %ld)\n", dev->name, PTR_ERR(sta)); 1836 " AP (error %ld)\n", dev->name, PTR_ERR(sta));
1837 rcu_read_unlock();
1802 return; 1838 return;
1803 } 1839 }
1804 bss = ieee80211_rx_bss_get(dev, ifsta->bssid, 1840 bss = ieee80211_rx_bss_get(dev, ifsta->bssid,
@@ -1812,7 +1848,6 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
1812 } 1848 }
1813 } 1849 }
1814 1850
1815 sta->dev = dev;
1816 sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC | WLAN_STA_ASSOC_AP | 1851 sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC | WLAN_STA_ASSOC_AP |
1817 WLAN_STA_AUTHORIZED; 1852 WLAN_STA_AUTHORIZED;
1818 1853
@@ -1883,7 +1918,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
1883 bss_conf->aid = aid; 1918 bss_conf->aid = aid;
1884 ieee80211_set_associated(dev, ifsta, 1); 1919 ieee80211_set_associated(dev, ifsta, 1);
1885 1920
1886 sta_info_put(sta); 1921 rcu_read_unlock();
1887 1922
1888 ieee80211_associated(dev, ifsta); 1923 ieee80211_associated(dev, ifsta);
1889} 1924}
@@ -2329,6 +2364,8 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
2329 mesh_peer_accepts_plinks(&elems, dev)); 2364 mesh_peer_accepts_plinks(&elems, dev));
2330 } 2365 }
2331 2366
2367 rcu_read_lock();
2368
2332 if (sdata->vif.type == IEEE80211_IF_TYPE_IBSS && elems.supp_rates && 2369 if (sdata->vif.type == IEEE80211_IF_TYPE_IBSS && elems.supp_rates &&
2333 memcmp(mgmt->bssid, sdata->u.sta.bssid, ETH_ALEN) == 0 && 2370 memcmp(mgmt->bssid, sdata->u.sta.bssid, ETH_ALEN) == 0 &&
2334 (sta = sta_info_get(local, mgmt->sa))) { 2371 (sta = sta_info_get(local, mgmt->sa))) {
@@ -2354,9 +2391,10 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
2354 (unsigned long long) supp_rates, 2391 (unsigned long long) supp_rates,
2355 (unsigned long long) sta->supp_rates[rx_status->band]); 2392 (unsigned long long) sta->supp_rates[rx_status->band]);
2356 } 2393 }
2357 sta_info_put(sta);
2358 } 2394 }
2359 2395
2396 rcu_read_unlock();
2397
2360 if (elems.ds_params && elems.ds_params_len == 1) 2398 if (elems.ds_params && elems.ds_params_len == 1)
2361 freq = ieee80211_channel_to_frequency(elems.ds_params[0]); 2399 freq = ieee80211_channel_to_frequency(elems.ds_params[0]);
2362 else 2400 else
@@ -2550,8 +2588,10 @@ static void ieee80211_rx_bss_info(struct net_device *dev,
2550 "local TSF - IBSS merge with BSSID %s\n", 2588 "local TSF - IBSS merge with BSSID %s\n",
2551 dev->name, print_mac(mac, mgmt->bssid)); 2589 dev->name, print_mac(mac, mgmt->bssid));
2552 ieee80211_sta_join_ibss(dev, &sdata->u.sta, bss); 2590 ieee80211_sta_join_ibss(dev, &sdata->u.sta, bss);
2591 rcu_read_lock();
2553 ieee80211_ibss_add_sta(dev, NULL, 2592 ieee80211_ibss_add_sta(dev, NULL,
2554 mgmt->bssid, mgmt->sa); 2593 mgmt->bssid, mgmt->sa);
2594 rcu_read_unlock();
2555 } 2595 }
2556 } 2596 }
2557 2597
@@ -2893,17 +2933,20 @@ static int ieee80211_sta_active_ibss(struct net_device *dev)
2893 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 2933 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
2894 int active = 0; 2934 int active = 0;
2895 struct sta_info *sta; 2935 struct sta_info *sta;
2936 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
2896 2937
2897 read_lock_bh(&local->sta_lock); 2938 rcu_read_lock();
2898 list_for_each_entry(sta, &local->sta_list, list) { 2939
2899 if (sta->dev == dev && 2940 list_for_each_entry_rcu(sta, &local->sta_list, list) {
2941 if (sta->sdata == sdata &&
2900 time_after(sta->last_rx + IEEE80211_IBSS_MERGE_INTERVAL, 2942 time_after(sta->last_rx + IEEE80211_IBSS_MERGE_INTERVAL,
2901 jiffies)) { 2943 jiffies)) {
2902 active++; 2944 active++;
2903 break; 2945 break;
2904 } 2946 }
2905 } 2947 }
2906 read_unlock_bh(&local->sta_lock); 2948
2949 rcu_read_unlock();
2907 2950
2908 return active; 2951 return active;
2909} 2952}
@@ -2915,22 +2958,25 @@ static void ieee80211_sta_expire(struct net_device *dev, unsigned long exp_time)
2915 struct sta_info *sta, *tmp; 2958 struct sta_info *sta, *tmp;
2916 LIST_HEAD(tmp_list); 2959 LIST_HEAD(tmp_list);
2917 DECLARE_MAC_BUF(mac); 2960 DECLARE_MAC_BUF(mac);
2961 unsigned long flags;
2918 2962
2919 write_lock_bh(&local->sta_lock); 2963 spin_lock_irqsave(&local->sta_lock, flags);
2920 list_for_each_entry_safe(sta, tmp, &local->sta_list, list) 2964 list_for_each_entry_safe(sta, tmp, &local->sta_list, list)
2921 if (time_after(jiffies, sta->last_rx + exp_time)) { 2965 if (time_after(jiffies, sta->last_rx + exp_time)) {
2922 printk(KERN_DEBUG "%s: expiring inactive STA %s\n", 2966 printk(KERN_DEBUG "%s: expiring inactive STA %s\n",
2923 dev->name, print_mac(mac, sta->addr)); 2967 dev->name, print_mac(mac, sta->addr));
2924 __sta_info_get(sta); 2968 sta_info_unlink(&sta);
2925 sta_info_remove(sta); 2969 if (sta)
2926 list_add(&sta->list, &tmp_list); 2970 list_add(&sta->list, &tmp_list);
2927 } 2971 }
2928 write_unlock_bh(&local->sta_lock); 2972 spin_unlock_irqrestore(&local->sta_lock, flags);
2929 2973
2930 list_for_each_entry_safe(sta, tmp, &tmp_list, list) { 2974 synchronize_rcu();
2931 sta_info_free(sta); 2975
2932 sta_info_put(sta); 2976 rtnl_lock();
2933 } 2977 list_for_each_entry_safe(sta, tmp, &tmp_list, list)
2978 sta_info_destroy(sta);
2979 rtnl_unlock();
2934} 2980}
2935 2981
2936 2982
@@ -3977,6 +4023,7 @@ int ieee80211_sta_set_extra_ie(struct net_device *dev, char *ie, size_t len)
3977} 4023}
3978 4024
3979 4025
4026/* must be called under RCU read lock */
3980struct sta_info * ieee80211_ibss_add_sta(struct net_device *dev, 4027struct sta_info * ieee80211_ibss_add_sta(struct net_device *dev,
3981 struct sk_buff *skb, u8 *bssid, 4028 struct sk_buff *skb, u8 *bssid,
3982 u8 *addr) 4029 u8 *addr)
@@ -3999,7 +4046,7 @@ struct sta_info * ieee80211_ibss_add_sta(struct net_device *dev,
3999 printk(KERN_DEBUG "%s: Adding new IBSS station %s (dev=%s)\n", 4046 printk(KERN_DEBUG "%s: Adding new IBSS station %s (dev=%s)\n",
4000 wiphy_name(local->hw.wiphy), print_mac(mac, addr), dev->name); 4047 wiphy_name(local->hw.wiphy), print_mac(mac, addr), dev->name);
4001 4048
4002 sta = sta_info_add(local, dev, addr, GFP_ATOMIC); 4049 sta = sta_info_add(sdata, addr);
4003 if (IS_ERR(sta)) 4050 if (IS_ERR(sta))
4004 return NULL; 4051 return NULL;
4005 4052
@@ -4010,7 +4057,7 @@ struct sta_info * ieee80211_ibss_add_sta(struct net_device *dev,
4010 4057
4011 rate_control_rate_init(sta, local); 4058 rate_control_rate_init(sta, local);
4012 4059
4013 return sta; /* caller will call sta_info_put() */ 4060 return sta;
4014} 4061}
4015 4062
4016 4063
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index eac9c59dbc4d..df0c04cedbe4 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -240,14 +240,17 @@ void ieee80211_key_link(struct ieee80211_key *key,
240 if (sdata->vif.type == IEEE80211_IF_TYPE_STA) { 240 if (sdata->vif.type == IEEE80211_IF_TYPE_STA) {
241 struct sta_info *ap; 241 struct sta_info *ap;
242 242
243 rcu_read_lock();
244
243 /* same here, the AP could be using QoS */ 245 /* same here, the AP could be using QoS */
244 ap = sta_info_get(key->local, key->sdata->u.sta.bssid); 246 ap = sta_info_get(key->local, key->sdata->u.sta.bssid);
245 if (ap) { 247 if (ap) {
246 if (ap->flags & WLAN_STA_WME) 248 if (ap->flags & WLAN_STA_WME)
247 key->conf.flags |= 249 key->conf.flags |=
248 IEEE80211_KEY_FLAG_WMM_STA; 250 IEEE80211_KEY_FLAG_WMM_STA;
249 sta_info_put(ap);
250 } 251 }
252
253 rcu_read_unlock();
251 } 254 }
252 } 255 }
253 256
@@ -290,6 +293,9 @@ void ieee80211_key_free(struct ieee80211_key *key)
290 __ieee80211_key_replace(key->sdata, key->sta, 293 __ieee80211_key_replace(key->sdata, key->sta,
291 key, NULL); 294 key, NULL);
292 295
296 /*
297 * Do NOT remove this without looking at sta_info_destroy()
298 */
293 synchronize_rcu(); 299 synchronize_rcu();
294 300
295 /* 301 /*
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index ebe1a7a80bad..9de1ccc11cf9 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -83,11 +83,10 @@ bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie,
83/** 83/**
84 * mesh_accept_plinks_update: update accepting_plink in local mesh beacons 84 * mesh_accept_plinks_update: update accepting_plink in local mesh beacons
85 * 85 *
86 * @dev: mesh interface in which mesh beacons are going to be updated 86 * @sdata: mesh interface in which mesh beacons are going to be updated
87 */ 87 */
88void mesh_accept_plinks_update(struct net_device *dev) 88void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata)
89{ 89{
90 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
91 bool free_plinks; 90 bool free_plinks;
92 91
93 /* In case mesh_plink_free_count > 0 and mesh_plinktbl_capacity == 0, 92 /* In case mesh_plink_free_count > 0 and mesh_plinktbl_capacity == 0,
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index d565b3fb9e6a..576eee83d859 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -65,9 +65,10 @@ enum mesh_path_flags {
65 * @state_lock: mesh pat state lock 65 * @state_lock: mesh pat state lock
66 * 66 *
67 * 67 *
68 * The combination of dst and dev is unique in the mesh path table. A reference 68 * The combination of dst and dev is unique in the mesh path table. Since the
69 * to the next_hop sta will be kept and in case this sta is removed, the 69 * next_hop STA is only protected by RCU as well, deleting the STA must also
70 * mesh_path structure must be also removed or substitued in a rcu safe way 70 * remove/substitute the mesh_path structure and wait until that is no longer
71 * reachable before destroying the STA completely.
71 */ 72 */
72struct mesh_path { 73struct mesh_path {
73 u8 dst[ETH_ALEN]; 74 u8 dst[ETH_ALEN];
@@ -230,8 +231,9 @@ void mesh_neighbour_update(u8 *hw_addr, u64 rates, struct net_device *dev,
230 bool add); 231 bool add);
231bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie, 232bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie,
232 struct net_device *dev); 233 struct net_device *dev);
233void mesh_accept_plinks_update(struct net_device *dev); 234void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);
234struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev); 235struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates,
236 struct ieee80211_sub_if_data *sdata);
235void mesh_plink_broken(struct sta_info *sta); 237void mesh_plink_broken(struct sta_info *sta);
236void mesh_plink_deactivate(struct sta_info *sta); 238void mesh_plink_deactivate(struct sta_info *sta);
237int mesh_plink_open(struct sta_info *sta); 239int mesh_plink_open(struct sta_info *sta);
@@ -254,7 +256,7 @@ void mesh_path_flush_pending(struct mesh_path *mpath);
254void mesh_path_tx_pending(struct mesh_path *mpath); 256void mesh_path_tx_pending(struct mesh_path *mpath);
255int mesh_pathtbl_init(void); 257int mesh_pathtbl_init(void);
256void mesh_pathtbl_unregister(void); 258void mesh_pathtbl_unregister(void);
257int mesh_path_del(u8 *addr, struct net_device *dev); 259int mesh_path_del(u8 *addr, struct net_device *dev, bool force);
258void mesh_path_timer(unsigned long data); 260void mesh_path_timer(unsigned long data);
259void mesh_path_flush_by_nexthop(struct sta_info *sta); 261void mesh_path_flush_by_nexthop(struct sta_info *sta);
260void mesh_path_discard_frame(struct sk_buff *skb, struct net_device *dev); 262void mesh_path_discard_frame(struct sk_buff *skb, struct net_device *dev);
@@ -270,7 +272,7 @@ static inline int mesh_plink_free_count(struct ieee80211_sub_if_data *sdata)
270 272
271static inline bool mesh_plink_availables(struct ieee80211_sub_if_data *sdata) 273static inline bool mesh_plink_availables(struct ieee80211_sub_if_data *sdata)
272{ 274{
273 return (min(mesh_plink_free_count(sdata), 275 return (min_t(long, mesh_plink_free_count(sdata),
274 MESH_MAX_PLINKS - sdata->local->num_sta)) > 0; 276 MESH_MAX_PLINKS - sdata->local->num_sta)) > 0;
275} 277}
276 278
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index c2f40ef418cf..d8530fe7a0b3 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -294,7 +294,6 @@ static u32 hwmp_route_info_get(struct net_device *dev,
294 orig_metric = PREP_IE_METRIC(hwmp_ie); 294 orig_metric = PREP_IE_METRIC(hwmp_ie);
295 break; 295 break;
296 default: 296 default:
297 sta_info_put(sta);
298 rcu_read_unlock(); 297 rcu_read_unlock();
299 return 0; 298 return 0;
300 } 299 }
@@ -330,7 +329,6 @@ static u32 hwmp_route_info_get(struct net_device *dev,
330 mpath = mesh_path_lookup(orig_addr, dev); 329 mpath = mesh_path_lookup(orig_addr, dev);
331 if (!mpath) { 330 if (!mpath) {
332 rcu_read_unlock(); 331 rcu_read_unlock();
333 sta_info_put(sta);
334 return 0; 332 return 0;
335 } 333 }
336 spin_lock_bh(&mpath->state_lock); 334 spin_lock_bh(&mpath->state_lock);
@@ -372,7 +370,6 @@ static u32 hwmp_route_info_get(struct net_device *dev,
372 mpath = mesh_path_lookup(ta, dev); 370 mpath = mesh_path_lookup(ta, dev);
373 if (!mpath) { 371 if (!mpath) {
374 rcu_read_unlock(); 372 rcu_read_unlock();
375 sta_info_put(sta);
376 return 0; 373 return 0;
377 } 374 }
378 spin_lock_bh(&mpath->state_lock); 375 spin_lock_bh(&mpath->state_lock);
@@ -391,7 +388,6 @@ static u32 hwmp_route_info_get(struct net_device *dev,
391 spin_unlock_bh(&mpath->state_lock); 388 spin_unlock_bh(&mpath->state_lock);
392 } 389 }
393 390
394 sta_info_put(sta);
395 rcu_read_unlock(); 391 rcu_read_unlock();
396 392
397 return process ? new_metric : 0; 393 return process ? new_metric : 0;
@@ -861,5 +857,5 @@ void mesh_path_timer(unsigned long data)
861endmpathtimer: 857endmpathtimer:
862 rcu_read_unlock(); 858 rcu_read_unlock();
863 if (delete) 859 if (delete)
864 mesh_path_del(mpath->dst, mpath->dev); 860 mesh_path_del(mpath->dst, mpath->dev, false);
865} 861}
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 3cbdbb23d75a..a17f2b299045 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -55,10 +55,7 @@ static DEFINE_RWLOCK(pathtbl_resize_lock);
55 */ 55 */
56void mesh_path_assign_nexthop(struct mesh_path *mpath, struct sta_info *sta) 56void mesh_path_assign_nexthop(struct mesh_path *mpath, struct sta_info *sta)
57{ 57{
58 __sta_info_get(sta); 58 rcu_assign_pointer(mpath->next_hop, sta);
59 if (mpath->next_hop)
60 sta_info_put(mpath->next_hop);
61 mpath->next_hop = sta;
62} 59}
63 60
64 61
@@ -236,7 +233,7 @@ void mesh_plink_broken(struct sta_info *sta)
236 struct mesh_path *mpath; 233 struct mesh_path *mpath;
237 struct mpath_node *node; 234 struct mpath_node *node;
238 struct hlist_node *p; 235 struct hlist_node *p;
239 struct net_device *dev = sta->dev; 236 struct net_device *dev = sta->sdata->dev;
240 int i; 237 int i;
241 238
242 rcu_read_lock(); 239 rcu_read_lock();
@@ -266,9 +263,9 @@ EXPORT_SYMBOL(mesh_plink_broken);
266 * 263 *
267 * RCU notes: this function is called when a mesh plink transitions from ESTAB 264 * RCU notes: this function is called when a mesh plink transitions from ESTAB
268 * to any other state, since ESTAB state is the only one that allows path 265 * to any other state, since ESTAB state is the only one that allows path
269 * creation. This will happen before the sta can be freed (since we hold 266 * creation. This will happen before the sta can be freed (because
270 * a reference to it) so any reader in a rcu read block will be protected 267 * sta_info_destroy() calls this) so any reader in a rcu read block will be
271 * against the plink dissapearing. 268 * protected against the plink disappearing.
272 */ 269 */
273void mesh_path_flush_by_nexthop(struct sta_info *sta) 270void mesh_path_flush_by_nexthop(struct sta_info *sta)
274{ 271{
@@ -280,7 +277,7 @@ void mesh_path_flush_by_nexthop(struct sta_info *sta)
280 for_each_mesh_entry(mesh_paths, p, node, i) { 277 for_each_mesh_entry(mesh_paths, p, node, i) {
281 mpath = node->mpath; 278 mpath = node->mpath;
282 if (mpath->next_hop == sta) 279 if (mpath->next_hop == sta)
283 mesh_path_del(mpath->dst, mpath->dev); 280 mesh_path_del(mpath->dst, mpath->dev, true);
284 } 281 }
285} 282}
286 283
@@ -294,7 +291,7 @@ void mesh_path_flush(struct net_device *dev)
294 for_each_mesh_entry(mesh_paths, p, node, i) { 291 for_each_mesh_entry(mesh_paths, p, node, i) {
295 mpath = node->mpath; 292 mpath = node->mpath;
296 if (mpath->dev == dev) 293 if (mpath->dev == dev)
297 mesh_path_del(mpath->dst, mpath->dev); 294 mesh_path_del(mpath->dst, mpath->dev, false);
298 } 295 }
299} 296}
300 297
@@ -303,8 +300,8 @@ static void mesh_path_node_reclaim(struct rcu_head *rp)
303 struct mpath_node *node = container_of(rp, struct mpath_node, rcu); 300 struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
304 struct ieee80211_sub_if_data *sdata = 301 struct ieee80211_sub_if_data *sdata =
305 IEEE80211_DEV_TO_SUB_IF(node->mpath->dev); 302 IEEE80211_DEV_TO_SUB_IF(node->mpath->dev);
306 if (node->mpath->next_hop) 303
307 sta_info_put(node->mpath->next_hop); 304 rcu_assign_pointer(node->mpath->next_hop, NULL);
308 atomic_dec(&sdata->u.sta.mpaths); 305 atomic_dec(&sdata->u.sta.mpaths);
309 kfree(node->mpath); 306 kfree(node->mpath);
310 kfree(node); 307 kfree(node);
@@ -319,9 +316,10 @@ static void mesh_path_node_reclaim(struct rcu_head *rp)
319 * Returns: 0 if succesful 316 * Returns: 0 if succesful
320 * 317 *
321 * State: if the path is being resolved, the deletion will be postponed until 318 * State: if the path is being resolved, the deletion will be postponed until
322 * the path resolution completes or times out. 319 * the path resolution completes or times out, unless the force parameter
320 * is given.
323 */ 321 */
324int mesh_path_del(u8 *addr, struct net_device *dev) 322int mesh_path_del(u8 *addr, struct net_device *dev, bool force)
325{ 323{
326 struct mesh_path *mpath; 324 struct mesh_path *mpath;
327 struct mpath_node *node; 325 struct mpath_node *node;
@@ -340,7 +338,7 @@ int mesh_path_del(u8 *addr, struct net_device *dev)
340 if (mpath->dev == dev && 338 if (mpath->dev == dev &&
341 memcmp(addr, mpath->dst, ETH_ALEN) == 0) { 339 memcmp(addr, mpath->dst, ETH_ALEN) == 0) {
342 spin_lock_bh(&mpath->state_lock); 340 spin_lock_bh(&mpath->state_lock);
343 if (mpath->flags & MESH_PATH_RESOLVING) { 341 if (!force && mpath->flags & MESH_PATH_RESOLVING) {
344 mpath->flags |= MESH_PATH_DELETE; 342 mpath->flags |= MESH_PATH_DELETE;
345 } else { 343 } else {
346 mpath->flags |= MESH_PATH_RESOLVING; 344 mpath->flags |= MESH_PATH_RESOLVING;
@@ -510,7 +508,7 @@ void mesh_path_expire(struct net_device *dev)
510 time_after(jiffies, 508 time_after(jiffies,
511 mpath->exp_time + MESH_PATH_EXPIRE)) { 509 mpath->exp_time + MESH_PATH_EXPIRE)) {
512 spin_unlock_bh(&mpath->state_lock); 510 spin_unlock_bh(&mpath->state_lock);
513 mesh_path_del(mpath->dst, mpath->dev); 511 mesh_path_del(mpath->dst, mpath->dev, false);
514 } else 512 } else
515 spin_unlock_bh(&mpath->state_lock); 513 spin_unlock_bh(&mpath->state_lock);
516 } 514 }
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index b5fbe970e48f..c2b80500ae72 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -65,14 +65,14 @@ static inline
65void mesh_plink_inc_estab_count(struct ieee80211_sub_if_data *sdata) 65void mesh_plink_inc_estab_count(struct ieee80211_sub_if_data *sdata)
66{ 66{
67 atomic_inc(&sdata->u.sta.mshstats.estab_plinks); 67 atomic_inc(&sdata->u.sta.mshstats.estab_plinks);
68 mesh_accept_plinks_update(sdata->dev); 68 mesh_accept_plinks_update(sdata);
69} 69}
70 70
71static inline 71static inline
72void mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata) 72void mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata)
73{ 73{
74 atomic_dec(&sdata->u.sta.mshstats.estab_plinks); 74 atomic_dec(&sdata->u.sta.mshstats.estab_plinks);
75 mesh_accept_plinks_update(sdata->dev); 75 mesh_accept_plinks_update(sdata);
76} 76}
77 77
78/** 78/**
@@ -99,12 +99,13 @@ static inline void mesh_plink_fsm_restart(struct sta_info *sta)
99 * 99 *
100 * Returns: non-NULL on success, ERR_PTR() on error. 100 * Returns: non-NULL on success, ERR_PTR() on error.
101 */ 101 */
102struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev) 102struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates,
103 struct ieee80211_sub_if_data *sdata)
103{ 104{
104 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 105 struct ieee80211_local *local = sdata->local;
105 struct sta_info *sta; 106 struct sta_info *sta;
106 107
107 if (memcmp(hw_addr, dev->dev_addr, ETH_ALEN) == 0) 108 if (compare_ether_addr(hw_addr, sdata->dev->dev_addr) == 0)
108 /* never add ourselves as neighbours */ 109 /* never add ourselves as neighbours */
109 return ERR_PTR(-EINVAL); 110 return ERR_PTR(-EINVAL);
110 111
@@ -114,7 +115,7 @@ struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev)
114 if (local->num_sta >= MESH_MAX_PLINKS) 115 if (local->num_sta >= MESH_MAX_PLINKS)
115 return ERR_PTR(-ENOSPC); 116 return ERR_PTR(-ENOSPC);
116 117
117 sta = sta_info_add(local, dev, hw_addr, GFP_KERNEL); 118 sta = sta_info_add(sdata, hw_addr);
118 if (IS_ERR(sta)) 119 if (IS_ERR(sta))
119 return sta; 120 return sta;
120 121
@@ -125,7 +126,7 @@ struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev)
125 sta->supp_rates[local->hw.conf.channel->band] = rates; 126 sta->supp_rates[local->hw.conf.channel->band] = rates;
126 rate_control_rate_init(sta, local); 127 rate_control_rate_init(sta, local);
127 128
128 mesh_accept_plinks_update(dev); 129 mesh_accept_plinks_update(sdata);
129 130
130 return sta; 131 return sta;
131} 132}
@@ -141,7 +142,8 @@ struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev)
141 */ 142 */
142static void __mesh_plink_deactivate(struct sta_info *sta) 143static void __mesh_plink_deactivate(struct sta_info *sta)
143{ 144{
144 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 145 struct ieee80211_sub_if_data *sdata = sta->sdata;
146
145 if (sta->plink_state == ESTAB) 147 if (sta->plink_state == ESTAB)
146 mesh_plink_dec_estab_count(sdata); 148 mesh_plink_dec_estab_count(sdata);
147 sta->plink_state = BLOCKED; 149 sta->plink_state = BLOCKED;
@@ -246,11 +248,15 @@ void mesh_neighbour_update(u8 *hw_addr, u64 rates, struct net_device *dev,
246 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 248 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
247 struct sta_info *sta; 249 struct sta_info *sta;
248 250
251 rcu_read_lock();
252
249 sta = sta_info_get(local, hw_addr); 253 sta = sta_info_get(local, hw_addr);
250 if (!sta) { 254 if (!sta) {
251 sta = mesh_plink_add(hw_addr, rates, dev); 255 sta = mesh_plink_add(hw_addr, rates, sdata);
252 if (IS_ERR(sta)) 256 if (IS_ERR(sta)) {
257 rcu_read_unlock();
253 return; 258 return;
259 }
254 } 260 }
255 261
256 sta->last_rx = jiffies; 262 sta->last_rx = jiffies;
@@ -260,7 +266,7 @@ void mesh_neighbour_update(u8 *hw_addr, u64 rates, struct net_device *dev,
260 sdata->u.sta.mshcfg.auto_open_plinks) 266 sdata->u.sta.mshcfg.auto_open_plinks)
261 mesh_plink_open(sta); 267 mesh_plink_open(sta);
262 268
263 sta_info_put(sta); 269 rcu_read_unlock();
264} 270}
265 271
266static void mesh_plink_timer(unsigned long data) 272static void mesh_plink_timer(unsigned long data)
@@ -273,6 +279,11 @@ static void mesh_plink_timer(unsigned long data)
273 DECLARE_MAC_BUF(mac); 279 DECLARE_MAC_BUF(mac);
274#endif 280#endif
275 281
282 /*
283 * This STA is valid because sta_info_destroy() will
284 * del_timer_sync() this timer after having made sure
285 * it cannot be readded (by deleting the plink.)
286 */
276 sta = (struct sta_info *) data; 287 sta = (struct sta_info *) data;
277 288
278 spin_lock_bh(&sta->plink_lock); 289 spin_lock_bh(&sta->plink_lock);
@@ -286,8 +297,8 @@ static void mesh_plink_timer(unsigned long data)
286 reason = 0; 297 reason = 0;
287 llid = sta->llid; 298 llid = sta->llid;
288 plid = sta->plid; 299 plid = sta->plid;
289 dev = sta->dev; 300 sdata = sta->sdata;
290 sdata = IEEE80211_DEV_TO_SUB_IF(dev); 301 dev = sdata->dev;
291 302
292 switch (sta->plink_state) { 303 switch (sta->plink_state) {
293 case OPN_RCVD: 304 case OPN_RCVD:
@@ -302,8 +313,7 @@ static void mesh_plink_timer(unsigned long data)
302 sta->plink_timeout = sta->plink_timeout + 313 sta->plink_timeout = sta->plink_timeout +
303 rand % sta->plink_timeout; 314 rand % sta->plink_timeout;
304 ++sta->plink_retries; 315 ++sta->plink_retries;
305 if (!mod_plink_timer(sta, sta->plink_timeout)) 316 mod_plink_timer(sta, sta->plink_timeout);
306 __sta_info_get(sta);
307 spin_unlock_bh(&sta->plink_lock); 317 spin_unlock_bh(&sta->plink_lock);
308 mesh_plink_frame_tx(dev, PLINK_OPEN, sta->addr, llid, 318 mesh_plink_frame_tx(dev, PLINK_OPEN, sta->addr, llid,
309 0, 0); 319 0, 0);
@@ -316,16 +326,14 @@ static void mesh_plink_timer(unsigned long data)
316 if (!reason) 326 if (!reason)
317 reason = cpu_to_le16(MESH_CONFIRM_TIMEOUT); 327 reason = cpu_to_le16(MESH_CONFIRM_TIMEOUT);
318 sta->plink_state = HOLDING; 328 sta->plink_state = HOLDING;
319 if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata))) 329 mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
320 __sta_info_get(sta);
321 spin_unlock_bh(&sta->plink_lock); 330 spin_unlock_bh(&sta->plink_lock);
322 mesh_plink_frame_tx(dev, PLINK_CLOSE, sta->addr, llid, plid, 331 mesh_plink_frame_tx(dev, PLINK_CLOSE, sta->addr, llid, plid,
323 reason); 332 reason);
324 break; 333 break;
325 case HOLDING: 334 case HOLDING:
326 /* holding timer */ 335 /* holding timer */
327 if (del_timer(&sta->plink_timer)) 336 del_timer(&sta->plink_timer);
328 sta_info_put(sta);
329 mesh_plink_fsm_restart(sta); 337 mesh_plink_fsm_restart(sta);
330 spin_unlock_bh(&sta->plink_lock); 338 spin_unlock_bh(&sta->plink_lock);
331 break; 339 break;
@@ -333,8 +341,6 @@ static void mesh_plink_timer(unsigned long data)
333 spin_unlock_bh(&sta->plink_lock); 341 spin_unlock_bh(&sta->plink_lock);
334 break; 342 break;
335 } 343 }
336
337 sta_info_put(sta);
338} 344}
339 345
340static inline void mesh_plink_timer_set(struct sta_info *sta, int timeout) 346static inline void mesh_plink_timer_set(struct sta_info *sta, int timeout)
@@ -343,14 +349,13 @@ static inline void mesh_plink_timer_set(struct sta_info *sta, int timeout)
343 sta->plink_timer.data = (unsigned long) sta; 349 sta->plink_timer.data = (unsigned long) sta;
344 sta->plink_timer.function = mesh_plink_timer; 350 sta->plink_timer.function = mesh_plink_timer;
345 sta->plink_timeout = timeout; 351 sta->plink_timeout = timeout;
346 __sta_info_get(sta);
347 add_timer(&sta->plink_timer); 352 add_timer(&sta->plink_timer);
348} 353}
349 354
350int mesh_plink_open(struct sta_info *sta) 355int mesh_plink_open(struct sta_info *sta)
351{ 356{
352 __le16 llid; 357 __le16 llid;
353 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 358 struct ieee80211_sub_if_data *sdata = sta->sdata;
354#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG 359#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
355 DECLARE_MAC_BUF(mac); 360 DECLARE_MAC_BUF(mac);
356#endif 361#endif
@@ -360,7 +365,6 @@ int mesh_plink_open(struct sta_info *sta)
360 sta->llid = llid; 365 sta->llid = llid;
361 if (sta->plink_state != LISTEN) { 366 if (sta->plink_state != LISTEN) {
362 spin_unlock_bh(&sta->plink_lock); 367 spin_unlock_bh(&sta->plink_lock);
363 sta_info_put(sta);
364 return -EBUSY; 368 return -EBUSY;
365 } 369 }
366 sta->plink_state = OPN_SNT; 370 sta->plink_state = OPN_SNT;
@@ -369,7 +373,8 @@ int mesh_plink_open(struct sta_info *sta)
369 mpl_dbg("Mesh plink: starting establishment with %s\n", 373 mpl_dbg("Mesh plink: starting establishment with %s\n",
370 print_mac(mac, sta->addr)); 374 print_mac(mac, sta->addr));
371 375
372 return mesh_plink_frame_tx(sta->dev, PLINK_OPEN, sta->addr, llid, 0, 0); 376 return mesh_plink_frame_tx(sdata->dev, PLINK_OPEN,
377 sta->addr, llid, 0, 0);
373} 378}
374 379
375void mesh_plink_block(struct sta_info *sta) 380void mesh_plink_block(struct sta_info *sta)
@@ -386,7 +391,7 @@ void mesh_plink_block(struct sta_info *sta)
386 391
387int mesh_plink_close(struct sta_info *sta) 392int mesh_plink_close(struct sta_info *sta)
388{ 393{
389 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 394 struct ieee80211_sub_if_data *sdata = sta->sdata;
390 int llid, plid, reason; 395 int llid, plid, reason;
391#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG 396#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
392 DECLARE_MAC_BUF(mac); 397 DECLARE_MAC_BUF(mac);
@@ -401,13 +406,11 @@ int mesh_plink_close(struct sta_info *sta)
401 if (sta->plink_state == LISTEN || sta->plink_state == BLOCKED) { 406 if (sta->plink_state == LISTEN || sta->plink_state == BLOCKED) {
402 mesh_plink_fsm_restart(sta); 407 mesh_plink_fsm_restart(sta);
403 spin_unlock_bh(&sta->plink_lock); 408 spin_unlock_bh(&sta->plink_lock);
404 sta_info_put(sta);
405 return 0; 409 return 0;
406 } else if (sta->plink_state == ESTAB) { 410 } else if (sta->plink_state == ESTAB) {
407 __mesh_plink_deactivate(sta); 411 __mesh_plink_deactivate(sta);
408 /* The timer should not be running */ 412 /* The timer should not be running */
409 if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata))) 413 mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
410 __sta_info_get(sta);
411 } else if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata))) 414 } else if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata)))
412 sta->ignore_plink_timer = true; 415 sta->ignore_plink_timer = true;
413 416
@@ -415,15 +418,16 @@ int mesh_plink_close(struct sta_info *sta)
415 llid = sta->llid; 418 llid = sta->llid;
416 plid = sta->plid; 419 plid = sta->plid;
417 spin_unlock_bh(&sta->plink_lock); 420 spin_unlock_bh(&sta->plink_lock);
418 mesh_plink_frame_tx(sta->dev, PLINK_CLOSE, sta->addr, llid, plid, 421 mesh_plink_frame_tx(sta->sdata->dev, PLINK_CLOSE, sta->addr, llid,
419 reason); 422 plid, reason);
420 return 0; 423 return 0;
421} 424}
422 425
423void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt, 426void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
424 size_t len, struct ieee80211_rx_status *rx_status) 427 size_t len, struct ieee80211_rx_status *rx_status)
425{ 428{
426 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 429 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
430 struct ieee80211_local *local = sdata->local;
427 struct ieee802_11_elems elems; 431 struct ieee802_11_elems elems;
428 struct sta_info *sta; 432 struct sta_info *sta;
429 enum plink_event event; 433 enum plink_event event;
@@ -435,7 +439,6 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
435#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG 439#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
436 DECLARE_MAC_BUF(mac); 440 DECLARE_MAC_BUF(mac);
437#endif 441#endif
438 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
439 442
440 if (is_multicast_ether_addr(mgmt->da)) { 443 if (is_multicast_ether_addr(mgmt->da)) {
441 mpl_dbg("Mesh plink: ignore frame from multicast address"); 444 mpl_dbg("Mesh plink: ignore frame from multicast address");
@@ -474,14 +477,17 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
474 if (ftype == PLINK_CONFIRM || (ftype == PLINK_CLOSE && ie_len == 7)) 477 if (ftype == PLINK_CONFIRM || (ftype == PLINK_CLOSE && ie_len == 7))
475 memcpy(&llid, PLINK_GET_PLID(elems.peer_link), 2); 478 memcpy(&llid, PLINK_GET_PLID(elems.peer_link), 2);
476 479
480 rcu_read_lock();
481
477 sta = sta_info_get(local, mgmt->sa); 482 sta = sta_info_get(local, mgmt->sa);
478 if (!sta && ftype != PLINK_OPEN) { 483 if (!sta && ftype != PLINK_OPEN) {
479 mpl_dbg("Mesh plink: cls or cnf from unknown peer\n"); 484 mpl_dbg("Mesh plink: cls or cnf from unknown peer\n");
485 rcu_read_unlock();
480 return; 486 return;
481 } 487 }
482 488
483 if (sta && sta->plink_state == BLOCKED) { 489 if (sta && sta->plink_state == BLOCKED) {
484 sta_info_put(sta); 490 rcu_read_unlock();
485 return; 491 return;
486 } 492 }
487 493
@@ -505,13 +511,15 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
505 u64 rates; 511 u64 rates;
506 if (!mesh_plink_free_count(sdata)) { 512 if (!mesh_plink_free_count(sdata)) {
507 mpl_dbg("Mesh plink error: no more free plinks\n"); 513 mpl_dbg("Mesh plink error: no more free plinks\n");
514 rcu_read_unlock();
508 return; 515 return;
509 } 516 }
510 517
511 rates = ieee80211_sta_get_rates(local, &elems, rx_status->band); 518 rates = ieee80211_sta_get_rates(local, &elems, rx_status->band);
512 sta = mesh_plink_add(mgmt->sa, rates, dev); 519 sta = mesh_plink_add(mgmt->sa, rates, sdata);
513 if (IS_ERR(sta)) { 520 if (IS_ERR(sta)) {
514 mpl_dbg("Mesh plink error: plink table full\n"); 521 mpl_dbg("Mesh plink error: plink table full\n");
522 rcu_read_unlock();
515 return; 523 return;
516 } 524 }
517 event = OPN_ACPT; 525 event = OPN_ACPT;
@@ -521,14 +529,14 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
521 switch (ftype) { 529 switch (ftype) {
522 case PLINK_OPEN: 530 case PLINK_OPEN:
523 if (!mesh_plink_free_count(sdata) || 531 if (!mesh_plink_free_count(sdata) ||
524 (sta->plid && sta->plid != plid)) 532 (sta->plid && sta->plid != plid))
525 event = OPN_IGNR; 533 event = OPN_IGNR;
526 else 534 else
527 event = OPN_ACPT; 535 event = OPN_ACPT;
528 break; 536 break;
529 case PLINK_CONFIRM: 537 case PLINK_CONFIRM:
530 if (!mesh_plink_free_count(sdata) || 538 if (!mesh_plink_free_count(sdata) ||
531 (sta->llid != llid || sta->plid != plid)) 539 (sta->llid != llid || sta->plid != plid))
532 event = CNF_IGNR; 540 event = CNF_IGNR;
533 else 541 else
534 event = CNF_ACPT; 542 event = CNF_ACPT;
@@ -555,7 +563,7 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
555 default: 563 default:
556 mpl_dbg("Mesh plink: unknown frame subtype\n"); 564 mpl_dbg("Mesh plink: unknown frame subtype\n");
557 spin_unlock_bh(&sta->plink_lock); 565 spin_unlock_bh(&sta->plink_lock);
558 sta_info_put(sta); 566 rcu_read_unlock();
559 return; 567 return;
560 } 568 }
561 } 569 }
@@ -659,8 +667,7 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
659 plid, 0); 667 plid, 0);
660 break; 668 break;
661 case CNF_ACPT: 669 case CNF_ACPT:
662 if (del_timer(&sta->plink_timer)) 670 del_timer(&sta->plink_timer);
663 sta_info_put(sta);
664 sta->plink_state = ESTAB; 671 sta->plink_state = ESTAB;
665 mesh_plink_inc_estab_count(sdata); 672 mesh_plink_inc_estab_count(sdata);
666 spin_unlock_bh(&sta->plink_lock); 673 spin_unlock_bh(&sta->plink_lock);
@@ -693,8 +700,7 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
693 plid, reason); 700 plid, reason);
694 break; 701 break;
695 case OPN_ACPT: 702 case OPN_ACPT:
696 if (del_timer(&sta->plink_timer)) 703 del_timer(&sta->plink_timer);
697 sta_info_put(sta);
698 sta->plink_state = ESTAB; 704 sta->plink_state = ESTAB;
699 mesh_plink_inc_estab_count(sdata); 705 mesh_plink_inc_estab_count(sdata);
700 spin_unlock_bh(&sta->plink_lock); 706 spin_unlock_bh(&sta->plink_lock);
@@ -717,9 +723,7 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
717 __mesh_plink_deactivate(sta); 723 __mesh_plink_deactivate(sta);
718 sta->plink_state = HOLDING; 724 sta->plink_state = HOLDING;
719 llid = sta->llid; 725 llid = sta->llid;
720 if (!mod_plink_timer(sta, 726 mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
721 dot11MeshHoldingTimeout(sdata)))
722 __sta_info_get(sta);
723 spin_unlock_bh(&sta->plink_lock); 727 spin_unlock_bh(&sta->plink_lock);
724 mesh_plink_frame_tx(dev, PLINK_CLOSE, sta->addr, llid, 728 mesh_plink_frame_tx(dev, PLINK_CLOSE, sta->addr, llid,
725 plid, reason); 729 plid, reason);
@@ -738,10 +742,8 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
738 case HOLDING: 742 case HOLDING:
739 switch (event) { 743 switch (event) {
740 case CLS_ACPT: 744 case CLS_ACPT:
741 if (del_timer(&sta->plink_timer)) { 745 if (del_timer(&sta->plink_timer))
742 sta->ignore_plink_timer = 1; 746 sta->ignore_plink_timer = 1;
743 sta_info_put(sta);
744 }
745 mesh_plink_fsm_restart(sta); 747 mesh_plink_fsm_restart(sta);
746 spin_unlock_bh(&sta->plink_lock); 748 spin_unlock_bh(&sta->plink_lock);
747 break; 749 break;
@@ -766,5 +768,6 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
766 spin_unlock_bh(&sta->plink_lock); 768 spin_unlock_bh(&sta->plink_lock);
767 break; 769 break;
768 } 770 }
769 sta_info_put(sta); 771
772 rcu_read_unlock();
770} 773}
diff --git a/net/mac80211/rc80211_pid_algo.c b/net/mac80211/rc80211_pid_algo.c
index 217c0f487bba..a1993161de99 100644
--- a/net/mac80211/rc80211_pid_algo.c
+++ b/net/mac80211/rc80211_pid_algo.c
@@ -77,7 +77,7 @@ static void rate_control_pid_adjust_rate(struct ieee80211_local *local,
77 int cur_sorted, new_sorted, probe, tmp, n_bitrates, band; 77 int cur_sorted, new_sorted, probe, tmp, n_bitrates, band;
78 int cur = sta->txrate_idx; 78 int cur = sta->txrate_idx;
79 79
80 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 80 sdata = sta->sdata;
81 sband = local->hw.wiphy->bands[local->hw.conf.channel->band]; 81 sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
82 band = sband->band; 82 band = sband->band;
83 n_bitrates = sband->n_bitrates; 83 n_bitrates = sband->n_bitrates;
@@ -149,7 +149,7 @@ static void rate_control_pid_sample(struct rc_pid_info *pinfo,
149 struct sta_info *sta) 149 struct sta_info *sta)
150{ 150{
151#ifdef CONFIG_MAC80211_MESH 151#ifdef CONFIG_MAC80211_MESH
152 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 152 struct ieee80211_sub_if_data *sdata = sta->sdata;
153#endif 153#endif
154 struct rc_pid_sta_info *spinfo = sta->rate_ctrl_priv; 154 struct rc_pid_sta_info *spinfo = sta->rate_ctrl_priv;
155 struct rc_pid_rateinfo *rinfo = pinfo->rinfo; 155 struct rc_pid_rateinfo *rinfo = pinfo->rinfo;
@@ -249,23 +249,25 @@ static void rate_control_pid_tx_status(void *priv, struct net_device *dev,
249 unsigned long period; 249 unsigned long period;
250 struct ieee80211_supported_band *sband; 250 struct ieee80211_supported_band *sband;
251 251
252 rcu_read_lock();
253
252 sta = sta_info_get(local, hdr->addr1); 254 sta = sta_info_get(local, hdr->addr1);
253 sband = local->hw.wiphy->bands[local->hw.conf.channel->band]; 255 sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
254 256
255 if (!sta) 257 if (!sta)
256 return; 258 goto unlock;
257 259
258 /* Don't update the state if we're not controlling the rate. */ 260 /* Don't update the state if we're not controlling the rate. */
259 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 261 sdata = sta->sdata;
260 if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) { 262 if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) {
261 sta->txrate_idx = sdata->bss->max_ratectrl_rateidx; 263 sta->txrate_idx = sdata->bss->max_ratectrl_rateidx;
262 return; 264 goto unlock;
263 } 265 }
264 266
265 /* Ignore all frames that were sent with a different rate than the rate 267 /* Ignore all frames that were sent with a different rate than the rate
266 * we currently advise mac80211 to use. */ 268 * we currently advise mac80211 to use. */
267 if (status->control.tx_rate != &sband->bitrates[sta->txrate_idx]) 269 if (status->control.tx_rate != &sband->bitrates[sta->txrate_idx])
268 goto ignore; 270 goto unlock;
269 271
270 spinfo = sta->rate_ctrl_priv; 272 spinfo = sta->rate_ctrl_priv;
271 spinfo->tx_num_xmit++; 273 spinfo->tx_num_xmit++;
@@ -303,8 +305,8 @@ static void rate_control_pid_tx_status(void *priv, struct net_device *dev,
303 if (time_after(jiffies, spinfo->last_sample + period)) 305 if (time_after(jiffies, spinfo->last_sample + period))
304 rate_control_pid_sample(pinfo, local, sta); 306 rate_control_pid_sample(pinfo, local, sta);
305 307
306ignore: 308 unlock:
307 sta_info_put(sta); 309 rcu_read_unlock();
308} 310}
309 311
310static void rate_control_pid_get_rate(void *priv, struct net_device *dev, 312static void rate_control_pid_get_rate(void *priv, struct net_device *dev,
@@ -319,6 +321,8 @@ static void rate_control_pid_get_rate(void *priv, struct net_device *dev,
319 int rateidx; 321 int rateidx;
320 u16 fc; 322 u16 fc;
321 323
324 rcu_read_lock();
325
322 sta = sta_info_get(local, hdr->addr1); 326 sta = sta_info_get(local, hdr->addr1);
323 327
324 /* Send management frames and broadcast/multicast data using lowest 328 /* Send management frames and broadcast/multicast data using lowest
@@ -327,8 +331,7 @@ static void rate_control_pid_get_rate(void *priv, struct net_device *dev,
327 if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA || 331 if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA ||
328 is_multicast_ether_addr(hdr->addr1) || !sta) { 332 is_multicast_ether_addr(hdr->addr1) || !sta) {
329 sel->rate = rate_lowest(local, sband, sta); 333 sel->rate = rate_lowest(local, sband, sta);
330 if (sta) 334 rcu_read_unlock();
331 sta_info_put(sta);
332 return; 335 return;
333 } 336 }
334 337
@@ -344,7 +347,7 @@ static void rate_control_pid_get_rate(void *priv, struct net_device *dev,
344 347
345 sta->last_txrate_idx = rateidx; 348 sta->last_txrate_idx = rateidx;
346 349
347 sta_info_put(sta); 350 rcu_read_unlock();
348 351
349 sel->rate = &sband->bitrates[rateidx]; 352 sel->rate = &sband->bitrates[rateidx];
350 353
diff --git a/net/mac80211/rc80211_simple.c b/net/mac80211/rc80211_simple.c
index bcc541d4b95c..4f72fdca7f12 100644
--- a/net/mac80211/rc80211_simple.c
+++ b/net/mac80211/rc80211_simple.c
@@ -40,7 +40,7 @@ static void rate_control_rate_inc(struct ieee80211_local *local,
40 int i = sta->txrate_idx; 40 int i = sta->txrate_idx;
41 int maxrate; 41 int maxrate;
42 42
43 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 43 sdata = sta->sdata;
44 if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) { 44 if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) {
45 /* forced unicast rate - do not change STA rate */ 45 /* forced unicast rate - do not change STA rate */
46 return; 46 return;
@@ -70,7 +70,7 @@ static void rate_control_rate_dec(struct ieee80211_local *local,
70 struct ieee80211_supported_band *sband; 70 struct ieee80211_supported_band *sband;
71 int i = sta->txrate_idx; 71 int i = sta->txrate_idx;
72 72
73 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 73 sdata = sta->sdata;
74 if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) { 74 if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) {
75 /* forced unicast rate - do not change STA rate */ 75 /* forced unicast rate - do not change STA rate */
76 return; 76 return;
@@ -118,10 +118,12 @@ static void rate_control_simple_tx_status(void *priv, struct net_device *dev,
118 struct sta_info *sta; 118 struct sta_info *sta;
119 struct sta_rate_control *srctrl; 119 struct sta_rate_control *srctrl;
120 120
121 rcu_read_lock();
122
121 sta = sta_info_get(local, hdr->addr1); 123 sta = sta_info_get(local, hdr->addr1);
122 124
123 if (!sta) 125 if (!sta)
124 return; 126 goto unlock;
125 127
126 srctrl = sta->rate_ctrl_priv; 128 srctrl = sta->rate_ctrl_priv;
127 srctrl->tx_num_xmit++; 129 srctrl->tx_num_xmit++;
@@ -191,7 +193,8 @@ static void rate_control_simple_tx_status(void *priv, struct net_device *dev,
191 } 193 }
192 } 194 }
193 195
194 sta_info_put(sta); 196 unlock:
197 rcu_read_unlock();
195} 198}
196 199
197 200
@@ -208,6 +211,8 @@ rate_control_simple_get_rate(void *priv, struct net_device *dev,
208 int rateidx; 211 int rateidx;
209 u16 fc; 212 u16 fc;
210 213
214 rcu_read_lock();
215
211 sta = sta_info_get(local, hdr->addr1); 216 sta = sta_info_get(local, hdr->addr1);
212 217
213 /* Send management frames and broadcast/multicast data using lowest 218 /* Send management frames and broadcast/multicast data using lowest
@@ -216,8 +221,7 @@ rate_control_simple_get_rate(void *priv, struct net_device *dev,
216 if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA || 221 if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA ||
217 is_multicast_ether_addr(hdr->addr1) || !sta) { 222 is_multicast_ether_addr(hdr->addr1) || !sta) {
218 sel->rate = rate_lowest(local, sband, sta); 223 sel->rate = rate_lowest(local, sband, sta);
219 if (sta) 224 rcu_read_unlock();
220 sta_info_put(sta);
221 return; 225 return;
222 } 226 }
223 227
@@ -233,7 +237,7 @@ rate_control_simple_get_rate(void *priv, struct net_device *dev,
233 237
234 sta->last_txrate_idx = rateidx; 238 sta->last_txrate_idx = rateidx;
235 239
236 sta_info_put(sta); 240 rcu_read_unlock();
237 241
238 sel->rate = &sband->bitrates[rateidx]; 242 sel->rate = &sband->bitrates[rateidx];
239} 243}
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 2e65ca1cd1aa..8e1e2859bfd5 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -631,7 +631,7 @@ static void ap_sta_ps_start(struct net_device *dev, struct sta_info *sta)
631 struct ieee80211_sub_if_data *sdata; 631 struct ieee80211_sub_if_data *sdata;
632 DECLARE_MAC_BUF(mac); 632 DECLARE_MAC_BUF(mac);
633 633
634 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 634 sdata = sta->sdata;
635 635
636 if (sdata->bss) 636 if (sdata->bss)
637 atomic_inc(&sdata->bss->num_sta_ps); 637 atomic_inc(&sdata->bss->num_sta_ps);
@@ -652,7 +652,7 @@ static int ap_sta_ps_end(struct net_device *dev, struct sta_info *sta)
652 struct ieee80211_tx_packet_data *pkt_data; 652 struct ieee80211_tx_packet_data *pkt_data;
653 DECLARE_MAC_BUF(mac); 653 DECLARE_MAC_BUF(mac);
654 654
655 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 655 sdata = sta->sdata;
656 656
657 if (sdata->bss) 657 if (sdata->bss)
658 atomic_dec(&sdata->bss->num_sta_ps); 658 atomic_dec(&sdata->bss->num_sta_ps);
@@ -1287,7 +1287,7 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1287 "multicast frame\n", dev->name); 1287 "multicast frame\n", dev->name);
1288 } else { 1288 } else {
1289 dsta = sta_info_get(local, skb->data); 1289 dsta = sta_info_get(local, skb->data);
1290 if (dsta && dsta->dev == dev) { 1290 if (dsta && dsta->sdata->dev == dev) {
1291 /* 1291 /*
1292 * The destination station is associated to 1292 * The destination station is associated to
1293 * this AP (in this VLAN), so send the frame 1293 * this AP (in this VLAN), so send the frame
@@ -1297,8 +1297,6 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1297 xmit_skb = skb; 1297 xmit_skb = skb;
1298 skb = NULL; 1298 skb = NULL;
1299 } 1299 }
1300 if (dsta)
1301 sta_info_put(dsta);
1302 } 1300 }
1303 } 1301 }
1304 1302
@@ -1905,13 +1903,13 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
1905 1903
1906 rx.sta = sta_info_get(local, hdr->addr2); 1904 rx.sta = sta_info_get(local, hdr->addr2);
1907 if (rx.sta) { 1905 if (rx.sta) {
1908 rx.dev = rx.sta->dev; 1906 rx.sdata = rx.sta->sdata;
1909 rx.sdata = IEEE80211_DEV_TO_SUB_IF(rx.dev); 1907 rx.dev = rx.sta->sdata->dev;
1910 } 1908 }
1911 1909
1912 if ((status->flag & RX_FLAG_MMIC_ERROR)) { 1910 if ((status->flag & RX_FLAG_MMIC_ERROR)) {
1913 ieee80211_rx_michael_mic_report(local->mdev, hdr, &rx); 1911 ieee80211_rx_michael_mic_report(local->mdev, hdr, &rx);
1914 goto end; 1912 return;
1915 } 1913 }
1916 1914
1917 if (unlikely(local->sta_sw_scanning || local->sta_hw_scanning)) 1915 if (unlikely(local->sta_sw_scanning || local->sta_hw_scanning))
@@ -1970,10 +1968,6 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
1970 ieee80211_invoke_rx_handlers(prev, &rx, skb); 1968 ieee80211_invoke_rx_handlers(prev, &rx, skb);
1971 } else 1969 } else
1972 dev_kfree_skb(skb); 1970 dev_kfree_skb(skb);
1973
1974 end:
1975 if (rx.sta)
1976 sta_info_put(rx.sta);
1977} 1971}
1978 1972
1979#define SEQ_MODULO 0x1000 1973#define SEQ_MODULO 0x1000
@@ -2150,7 +2144,7 @@ static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
2150 /* if this mpdu is fragmented - terminate rx aggregation session */ 2144 /* if this mpdu is fragmented - terminate rx aggregation session */
2151 sc = le16_to_cpu(hdr->seq_ctrl); 2145 sc = le16_to_cpu(hdr->seq_ctrl);
2152 if (sc & IEEE80211_SCTL_FRAG) { 2146 if (sc & IEEE80211_SCTL_FRAG) {
2153 ieee80211_sta_stop_rx_ba_session(sta->dev, sta->addr, 2147 ieee80211_sta_stop_rx_ba_session(sta->sdata->dev, sta->addr,
2154 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 2148 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP);
2155 ret = 1; 2149 ret = 1;
2156 goto end_reorder; 2150 goto end_reorder;
@@ -2160,9 +2154,7 @@ static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
2160 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 2154 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
2161 ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, 2155 ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb,
2162 mpdu_seq_num, 0); 2156 mpdu_seq_num, 0);
2163end_reorder: 2157 end_reorder:
2164 if (sta)
2165 sta_info_put(sta);
2166 return ret; 2158 return ret;
2167} 2159}
2168 2160
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 81c4e3392f40..ee5b66abc0f1 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -15,6 +15,7 @@
15#include <linux/skbuff.h> 15#include <linux/skbuff.h>
16#include <linux/if_arp.h> 16#include <linux/if_arp.h>
17#include <linux/timer.h> 17#include <linux/timer.h>
18#include <linux/rtnetlink.h>
18 19
19#include <net/mac80211.h> 20#include <net/mac80211.h>
20#include "ieee80211_i.h" 21#include "ieee80211_i.h"
@@ -23,14 +24,43 @@
23#include "debugfs_sta.h" 24#include "debugfs_sta.h"
24#include "mesh.h" 25#include "mesh.h"
25 26
26/* Caller must hold local->sta_lock */ 27/**
27static void sta_info_hash_add(struct ieee80211_local *local, 28 * DOC: STA information lifetime rules
28 struct sta_info *sta) 29 *
29{ 30 * STA info structures (&struct sta_info) are managed in a hash table
30 sta->hnext = local->sta_hash[STA_HASH(sta->addr)]; 31 * for faster lookup and a list for iteration. They are managed using
31 local->sta_hash[STA_HASH(sta->addr)] = sta; 32 * RCU, i.e. access to the list and hash table is protected by RCU.
32} 33 *
33 34 * STA info structures are always "alive" when they are added with
35 * @sta_info_add() [this may be changed in the future to allow allocating
36 * outside of a critical section!], they are then added to the hash
37 * table and list. Therefore, @sta_info_add() must also be RCU protected,
38 * also, the caller of @sta_info_add() cannot assume that it owns the
39 * structure.
40 *
41 * Because there are debugfs entries for each station, and adding those
42 * must be able to sleep, it is also possible to "pin" a station entry,
43 * that means it can be removed from the hash table but not be freed.
44 * See the comment in @__sta_info_unlink() for more information.
45 *
46 * In order to remove a STA info structure, the caller needs to first
47 * unlink it (@sta_info_unlink()) from the list and hash tables and
48 * then wait for an RCU synchronisation before it can be freed. Due to
49 * the pinning and the possibility of multiple callers trying to remove
50 * the same STA info at the same time, @sta_info_unlink() can clear the
51 * STA info pointer it is passed to indicate that the STA info is owned
52 * by somebody else now.
53 *
54 * If @sta_info_unlink() did not clear the pointer then the caller owns
55 * the STA info structure now and is responsible of destroying it with
56 * a call to @sta_info_destroy(), not before RCU synchronisation, of
57 * course. Note that sta_info_destroy() must be protected by the RTNL.
58 *
59 * In all other cases, there is no concept of ownership on a STA entry,
60 * each structure is owned by the global hash table/list until it is
61 * removed. All users of the structure need to be RCU protected so that
62 * the structure won't be freed before they are done using it.
63 */
34 64
35/* Caller must hold local->sta_lock */ 65/* Caller must hold local->sta_lock */
36static int sta_info_hash_del(struct ieee80211_local *local, 66static int sta_info_hash_del(struct ieee80211_local *local,
@@ -42,46 +72,39 @@ static int sta_info_hash_del(struct ieee80211_local *local,
42 if (!s) 72 if (!s)
43 return -ENOENT; 73 return -ENOENT;
44 if (s == sta) { 74 if (s == sta) {
45 local->sta_hash[STA_HASH(sta->addr)] = s->hnext; 75 rcu_assign_pointer(local->sta_hash[STA_HASH(sta->addr)],
76 s->hnext);
46 return 0; 77 return 0;
47 } 78 }
48 79
49 while (s->hnext && s->hnext != sta) 80 while (s->hnext && s->hnext != sta)
50 s = s->hnext; 81 s = s->hnext;
51 if (s->hnext) { 82 if (s->hnext) {
52 s->hnext = sta->hnext; 83 rcu_assign_pointer(s->hnext, sta->hnext);
53 return 0; 84 return 0;
54 } 85 }
55 86
56 return -ENOENT; 87 return -ENOENT;
57} 88}
58 89
59/* must hold local->sta_lock */ 90/* protected by RCU */
60static struct sta_info *__sta_info_find(struct ieee80211_local *local, 91static struct sta_info *__sta_info_find(struct ieee80211_local *local,
61 u8 *addr) 92 u8 *addr)
62{ 93{
63 struct sta_info *sta; 94 struct sta_info *sta;
64 95
65 sta = local->sta_hash[STA_HASH(addr)]; 96 sta = rcu_dereference(local->sta_hash[STA_HASH(addr)]);
66 while (sta) { 97 while (sta) {
67 if (compare_ether_addr(sta->addr, addr) == 0) 98 if (compare_ether_addr(sta->addr, addr) == 0)
68 break; 99 break;
69 sta = sta->hnext; 100 sta = rcu_dereference(sta->hnext);
70 } 101 }
71 return sta; 102 return sta;
72} 103}
73 104
74struct sta_info *sta_info_get(struct ieee80211_local *local, u8 *addr) 105struct sta_info *sta_info_get(struct ieee80211_local *local, u8 *addr)
75{ 106{
76 struct sta_info *sta; 107 return __sta_info_find(local, addr);
77
78 read_lock_bh(&local->sta_lock);
79 sta = __sta_info_find(local, addr);
80 if (sta)
81 __sta_info_get(sta);
82 read_unlock_bh(&local->sta_lock);
83
84 return sta;
85} 108}
86EXPORT_SYMBOL(sta_info_get); 109EXPORT_SYMBOL(sta_info_get);
87 110
@@ -91,81 +114,101 @@ struct sta_info *sta_info_get_by_idx(struct ieee80211_local *local, int idx,
91 struct sta_info *sta; 114 struct sta_info *sta;
92 int i = 0; 115 int i = 0;
93 116
94 read_lock_bh(&local->sta_lock); 117 list_for_each_entry_rcu(sta, &local->sta_list, list) {
95 list_for_each_entry(sta, &local->sta_list, list) {
96 if (i < idx) { 118 if (i < idx) {
97 ++i; 119 ++i;
98 continue; 120 continue;
99 } else if (!dev || dev == sta->dev) { 121 } else if (!dev || dev == sta->sdata->dev) {
100 __sta_info_get(sta);
101 read_unlock_bh(&local->sta_lock);
102 return sta; 122 return sta;
103 } 123 }
104 } 124 }
105 read_unlock_bh(&local->sta_lock);
106 125
107 return NULL; 126 return NULL;
108} 127}
109 128
110static void sta_info_release(struct kref *kref) 129void sta_info_destroy(struct sta_info *sta)
111{ 130{
112 struct sta_info *sta = container_of(kref, struct sta_info, kref);
113 struct ieee80211_local *local = sta->local; 131 struct ieee80211_local *local = sta->local;
114 struct sk_buff *skb; 132 struct sk_buff *skb;
115 int i; 133 int i;
116 134
117 /* free sta structure; it has already been removed from 135 ASSERT_RTNL();
118 * hash table etc. external structures. Make sure that all 136 might_sleep();
119 * buffered frames are release (one might have been added 137
120 * after sta_info_free() was called). */ 138 rate_control_remove_sta_debugfs(sta);
139 ieee80211_sta_debugfs_remove(sta);
140
141#ifdef CONFIG_MAC80211_MESH
142 if (ieee80211_vif_is_mesh(&sta->sdata->vif))
143 mesh_plink_deactivate(sta);
144#endif
145
146 /*
147 * NOTE: This will call synchronize_rcu() internally to
148 * make sure no key references can be in use. We rely on
149 * that here for the mesh code!
150 */
151 ieee80211_key_free(sta->key);
152 WARN_ON(sta->key);
153
154#ifdef CONFIG_MAC80211_MESH
155 if (ieee80211_vif_is_mesh(&sta->sdata->vif))
156 del_timer_sync(&sta->plink_timer);
157#endif
158
121 while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) { 159 while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) {
122 local->total_ps_buffered--; 160 local->total_ps_buffered--;
123 dev_kfree_skb_any(skb); 161 dev_kfree_skb_any(skb);
124 } 162 }
125 while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) { 163
164 while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL)
126 dev_kfree_skb_any(skb); 165 dev_kfree_skb_any(skb);
127 } 166
128 for (i = 0; i < STA_TID_NUM; i++) { 167 for (i = 0; i < STA_TID_NUM; i++) {
129 del_timer_sync(&sta->ampdu_mlme.tid_rx[i].session_timer); 168 del_timer_sync(&sta->ampdu_mlme.tid_rx[i].session_timer);
130 del_timer_sync(&sta->ampdu_mlme.tid_tx[i].addba_resp_timer); 169 del_timer_sync(&sta->ampdu_mlme.tid_tx[i].addba_resp_timer);
131 } 170 }
132 rate_control_free_sta(sta->rate_ctrl, sta->rate_ctrl_priv); 171 rate_control_free_sta(sta->rate_ctrl, sta->rate_ctrl_priv);
133 rate_control_put(sta->rate_ctrl); 172 rate_control_put(sta->rate_ctrl);
173
134 kfree(sta); 174 kfree(sta);
135} 175}
136 176
137 177
138void sta_info_put(struct sta_info *sta) 178/* Caller must hold local->sta_lock */
179static void sta_info_hash_add(struct ieee80211_local *local,
180 struct sta_info *sta)
139{ 181{
140 kref_put(&sta->kref, sta_info_release); 182 sta->hnext = local->sta_hash[STA_HASH(sta->addr)];
183 rcu_assign_pointer(local->sta_hash[STA_HASH(sta->addr)], sta);
141} 184}
142EXPORT_SYMBOL(sta_info_put);
143
144 185
145struct sta_info *sta_info_add(struct ieee80211_local *local, 186struct sta_info *sta_info_add(struct ieee80211_sub_if_data *sdata,
146 struct net_device *dev, u8 *addr, gfp_t gfp) 187 u8 *addr)
147{ 188{
189 struct ieee80211_local *local = sdata->local;
148 struct sta_info *sta; 190 struct sta_info *sta;
149 int i; 191 int i;
150 DECLARE_MAC_BUF(mac); 192 DECLARE_MAC_BUF(mac);
193 unsigned long flags;
151 194
152 sta = kzalloc(sizeof(*sta), gfp); 195 sta = kzalloc(sizeof(*sta), GFP_ATOMIC);
153 if (!sta) 196 if (!sta)
154 return ERR_PTR(-ENOMEM); 197 return ERR_PTR(-ENOMEM);
155 198
156 kref_init(&sta->kref); 199 memcpy(sta->addr, addr, ETH_ALEN);
200 sta->local = local;
201 sta->sdata = sdata;
157 202
158 sta->rate_ctrl = rate_control_get(local->rate_ctrl); 203 sta->rate_ctrl = rate_control_get(local->rate_ctrl);
159 sta->rate_ctrl_priv = rate_control_alloc_sta(sta->rate_ctrl, gfp); 204 sta->rate_ctrl_priv = rate_control_alloc_sta(sta->rate_ctrl,
205 GFP_ATOMIC);
160 if (!sta->rate_ctrl_priv) { 206 if (!sta->rate_ctrl_priv) {
161 rate_control_put(sta->rate_ctrl); 207 rate_control_put(sta->rate_ctrl);
162 kfree(sta); 208 kfree(sta);
163 return ERR_PTR(-ENOMEM); 209 return ERR_PTR(-ENOMEM);
164 } 210 }
165 211
166 memcpy(sta->addr, addr, ETH_ALEN);
167 sta->local = local;
168 sta->dev = dev;
169 spin_lock_init(&sta->ampdu_mlme.ampdu_rx); 212 spin_lock_init(&sta->ampdu_mlme.ampdu_rx);
170 spin_lock_init(&sta->ampdu_mlme.ampdu_tx); 213 spin_lock_init(&sta->ampdu_mlme.ampdu_tx);
171 for (i = 0; i < STA_TID_NUM; i++) { 214 for (i = 0; i < STA_TID_NUM; i++) {
@@ -190,29 +233,26 @@ struct sta_info *sta_info_add(struct ieee80211_local *local,
190 } 233 }
191 skb_queue_head_init(&sta->ps_tx_buf); 234 skb_queue_head_init(&sta->ps_tx_buf);
192 skb_queue_head_init(&sta->tx_filtered); 235 skb_queue_head_init(&sta->tx_filtered);
193 write_lock_bh(&local->sta_lock); 236 spin_lock_irqsave(&local->sta_lock, flags);
194 /* mark sta as used (by caller) */
195 __sta_info_get(sta);
196 /* check if STA exists already */ 237 /* check if STA exists already */
197 if (__sta_info_find(local, addr)) { 238 if (__sta_info_find(local, addr)) {
198 write_unlock_bh(&local->sta_lock); 239 spin_unlock_irqrestore(&local->sta_lock, flags);
199 sta_info_put(sta);
200 return ERR_PTR(-EEXIST); 240 return ERR_PTR(-EEXIST);
201 } 241 }
202 list_add(&sta->list, &local->sta_list); 242 list_add(&sta->list, &local->sta_list);
203 local->num_sta++; 243 local->num_sta++;
204 sta_info_hash_add(local, sta); 244 sta_info_hash_add(local, sta);
205 if (local->ops->sta_notify) {
206 struct ieee80211_sub_if_data *sdata;
207 245
208 sdata = IEEE80211_DEV_TO_SUB_IF(dev); 246 /* notify driver */
247 if (local->ops->sta_notify) {
209 if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN) 248 if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN)
210 sdata = sdata->u.vlan.ap; 249 sdata = sdata->u.vlan.ap;
211 250
212 local->ops->sta_notify(local_to_hw(local), &sdata->vif, 251 local->ops->sta_notify(local_to_hw(local), &sdata->vif,
213 STA_NOTIFY_ADD, addr); 252 STA_NOTIFY_ADD, addr);
214 } 253 }
215 write_unlock_bh(&local->sta_lock); 254
255 spin_unlock_irqrestore(&local->sta_lock, flags);
216 256
217#ifdef CONFIG_MAC80211_VERBOSE_DEBUG 257#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
218 printk(KERN_DEBUG "%s: Added STA %s\n", 258 printk(KERN_DEBUG "%s: Added STA %s\n",
@@ -252,19 +292,20 @@ static void __sta_info_set_tim_bit(struct ieee80211_if_ap *bss,
252{ 292{
253 if (bss) 293 if (bss)
254 __bss_tim_set(bss, sta->aid); 294 __bss_tim_set(bss, sta->aid);
255 if (sta->local->ops->set_tim) 295 if (sta->local->ops->set_tim) {
296 sta->local->tim_in_locked_section = true;
256 sta->local->ops->set_tim(local_to_hw(sta->local), sta->aid, 1); 297 sta->local->ops->set_tim(local_to_hw(sta->local), sta->aid, 1);
298 sta->local->tim_in_locked_section = false;
299 }
257} 300}
258 301
259void sta_info_set_tim_bit(struct sta_info *sta) 302void sta_info_set_tim_bit(struct sta_info *sta)
260{ 303{
261 struct ieee80211_sub_if_data *sdata; 304 unsigned long flags;
262
263 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
264 305
265 read_lock_bh(&sta->local->sta_lock); 306 spin_lock_irqsave(&sta->local->sta_lock, flags);
266 __sta_info_set_tim_bit(sdata->bss, sta); 307 __sta_info_set_tim_bit(sta->sdata->bss, sta);
267 read_unlock_bh(&sta->local->sta_lock); 308 spin_unlock_irqrestore(&sta->local->sta_lock, flags);
268} 309}
269 310
270static void __sta_info_clear_tim_bit(struct ieee80211_if_ap *bss, 311static void __sta_info_clear_tim_bit(struct ieee80211_if_ap *bss,
@@ -272,93 +313,135 @@ static void __sta_info_clear_tim_bit(struct ieee80211_if_ap *bss,
272{ 313{
273 if (bss) 314 if (bss)
274 __bss_tim_clear(bss, sta->aid); 315 __bss_tim_clear(bss, sta->aid);
275 if (sta->local->ops->set_tim) 316 if (sta->local->ops->set_tim) {
317 sta->local->tim_in_locked_section = true;
276 sta->local->ops->set_tim(local_to_hw(sta->local), sta->aid, 0); 318 sta->local->ops->set_tim(local_to_hw(sta->local), sta->aid, 0);
319 sta->local->tim_in_locked_section = false;
320 }
277} 321}
278 322
279void sta_info_clear_tim_bit(struct sta_info *sta) 323void sta_info_clear_tim_bit(struct sta_info *sta)
280{ 324{
281 struct ieee80211_sub_if_data *sdata; 325 unsigned long flags;
282
283 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
284 326
285 read_lock_bh(&sta->local->sta_lock); 327 spin_lock_irqsave(&sta->local->sta_lock, flags);
286 __sta_info_clear_tim_bit(sdata->bss, sta); 328 __sta_info_clear_tim_bit(sta->sdata->bss, sta);
287 read_unlock_bh(&sta->local->sta_lock); 329 spin_unlock_irqrestore(&sta->local->sta_lock, flags);
288} 330}
289 331
290/* Caller must hold local->sta_lock */ 332/*
291void sta_info_remove(struct sta_info *sta) 333 * See comment in __sta_info_unlink,
334 * caller must hold local->sta_lock.
335 */
336static void __sta_info_pin(struct sta_info *sta)
292{ 337{
293 struct ieee80211_local *local = sta->local; 338 WARN_ON(sta->pin_status != STA_INFO_PIN_STAT_NORMAL);
294 struct ieee80211_sub_if_data *sdata; 339 sta->pin_status = STA_INFO_PIN_STAT_PINNED;
340}
295 341
296 /* don't do anything if we've been removed already */ 342/*
297 if (sta_info_hash_del(local, sta)) 343 * See comment in __sta_info_unlink, returns sta if it
298 return; 344 * needs to be destroyed.
345 */
346static struct sta_info *__sta_info_unpin(struct sta_info *sta)
347{
348 struct sta_info *ret = NULL;
349 unsigned long flags;
299 350
300 list_del(&sta->list); 351 spin_lock_irqsave(&sta->local->sta_lock, flags);
301 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 352 WARN_ON(sta->pin_status != STA_INFO_PIN_STAT_DESTROY &&
302 if (sta->flags & WLAN_STA_PS) { 353 sta->pin_status != STA_INFO_PIN_STAT_PINNED);
303 sta->flags &= ~WLAN_STA_PS; 354 if (sta->pin_status == STA_INFO_PIN_STAT_DESTROY)
304 if (sdata->bss) 355 ret = sta;
305 atomic_dec(&sdata->bss->num_sta_ps); 356 sta->pin_status = STA_INFO_PIN_STAT_NORMAL;
306 __sta_info_clear_tim_bit(sdata->bss, sta); 357 spin_unlock_irqrestore(&sta->local->sta_lock, flags);
307 }
308 local->num_sta--;
309 358
310 if (ieee80211_vif_is_mesh(&sdata->vif)) 359 return ret;
311 mesh_accept_plinks_update(sdata->dev);
312} 360}
313 361
314void sta_info_free(struct sta_info *sta) 362static void __sta_info_unlink(struct sta_info **sta)
315{ 363{
316 struct sk_buff *skb; 364 struct ieee80211_local *local = (*sta)->local;
317 struct ieee80211_local *local = sta->local; 365 struct ieee80211_sub_if_data *sdata = (*sta)->sdata;
318 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 366#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
319 367 DECLARE_MAC_BUF(mbuf);
320 DECLARE_MAC_BUF(mac); 368#endif
321 369 /*
322 might_sleep(); 370 * pull caller's reference if we're already gone.
371 */
372 if (sta_info_hash_del(local, *sta)) {
373 *sta = NULL;
374 return;
375 }
323 376
324 write_lock_bh(&local->sta_lock); 377 /*
325 sta_info_remove(sta); 378 * Also pull caller's reference if the STA is pinned by the
326 write_unlock_bh(&local->sta_lock); 379 * task that is adding the debugfs entries. In that case, we
380 * leave the STA "to be freed".
381 *
382 * The rules are not trivial, but not too complex either:
383 * (1) pin_status is only modified under the sta_lock
384 * (2) sta_info_debugfs_add_work() will set the status
385 * to PINNED when it found an item that needs a new
386 * debugfs directory created. In that case, that item
387 * must not be freed although all *RCU* users are done
388 * with it. Hence, we tell the caller of _unlink()
389 * that the item is already gone (as can happen when
390 * two tasks try to unlink/destroy at the same time)
391 * (3) We set the pin_status to DESTROY here when we
392 * find such an item.
393 * (4) sta_info_debugfs_add_work() will reset the pin_status
394 * from PINNED to NORMAL when it is done with the item,
395 * but will check for DESTROY before resetting it in
396 * which case it will free the item.
397 */
398 if ((*sta)->pin_status == STA_INFO_PIN_STAT_PINNED) {
399 (*sta)->pin_status = STA_INFO_PIN_STAT_DESTROY;
400 *sta = NULL;
401 return;
402 }
327 403
328 if (ieee80211_vif_is_mesh(&sdata->vif)) 404 list_del(&(*sta)->list);
329 mesh_plink_deactivate(sta);
330 405
331 while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) { 406 if ((*sta)->flags & WLAN_STA_PS) {
332 local->total_ps_buffered--; 407 (*sta)->flags &= ~WLAN_STA_PS;
333 dev_kfree_skb(skb); 408 if (sdata->bss)
334 } 409 atomic_dec(&sdata->bss->num_sta_ps);
335 while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) { 410 __sta_info_clear_tim_bit(sdata->bss, *sta);
336 dev_kfree_skb(skb);
337 } 411 }
338 412
339#ifdef CONFIG_MAC80211_VERBOSE_DEBUG 413 local->num_sta--;
340 printk(KERN_DEBUG "%s: Removed STA %s\n",
341 wiphy_name(local->hw.wiphy), print_mac(mac, sta->addr));
342#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
343
344 ieee80211_key_free(sta->key);
345 WARN_ON(sta->key);
346 414
347 if (local->ops->sta_notify) { 415 if (local->ops->sta_notify) {
348
349 if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN) 416 if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN)
350 sdata = sdata->u.vlan.ap; 417 sdata = sdata->u.vlan.ap;
351 418
352 local->ops->sta_notify(local_to_hw(local), &sdata->vif, 419 local->ops->sta_notify(local_to_hw(local), &sdata->vif,
353 STA_NOTIFY_REMOVE, sta->addr); 420 STA_NOTIFY_REMOVE, (*sta)->addr);
354 } 421 }
355 422
356 rate_control_remove_sta_debugfs(sta); 423 if (ieee80211_vif_is_mesh(&sdata->vif)) {
357 ieee80211_sta_debugfs_remove(sta); 424 mesh_accept_plinks_update(sdata);
425#ifdef CONFIG_MAC80211_MESH
426 del_timer(&(*sta)->plink_timer);
427#endif
428 }
358 429
359 sta_info_put(sta); 430#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
431 printk(KERN_DEBUG "%s: Removed STA %s\n",
432 wiphy_name(local->hw.wiphy), print_mac(mbuf, (*sta)->addr));
433#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
360} 434}
361 435
436void sta_info_unlink(struct sta_info **sta)
437{
438 struct ieee80211_local *local = (*sta)->local;
439 unsigned long flags;
440
441 spin_lock_irqsave(&local->sta_lock, flags);
442 __sta_info_unlink(sta);
443 spin_unlock_irqrestore(&local->sta_lock, flags);
444}
362 445
363static inline int sta_info_buffer_expired(struct ieee80211_local *local, 446static inline int sta_info_buffer_expired(struct ieee80211_local *local,
364 struct sta_info *sta, 447 struct sta_info *sta,
@@ -404,7 +487,7 @@ static void sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
404 if (!skb) 487 if (!skb)
405 break; 488 break;
406 489
407 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 490 sdata = sta->sdata;
408 local->total_ps_buffered--; 491 local->total_ps_buffered--;
409 printk(KERN_DEBUG "Buffered frame expired (STA " 492 printk(KERN_DEBUG "Buffered frame expired (STA "
410 "%s)\n", print_mac(mac, sta->addr)); 493 "%s)\n", print_mac(mac, sta->addr));
@@ -421,13 +504,10 @@ static void sta_info_cleanup(unsigned long data)
421 struct ieee80211_local *local = (struct ieee80211_local *) data; 504 struct ieee80211_local *local = (struct ieee80211_local *) data;
422 struct sta_info *sta; 505 struct sta_info *sta;
423 506
424 read_lock_bh(&local->sta_lock); 507 rcu_read_lock();
425 list_for_each_entry(sta, &local->sta_list, list) { 508 list_for_each_entry_rcu(sta, &local->sta_list, list)
426 __sta_info_get(sta);
427 sta_info_cleanup_expire_buffered(local, sta); 509 sta_info_cleanup_expire_buffered(local, sta);
428 sta_info_put(sta); 510 rcu_read_unlock();
429 }
430 read_unlock_bh(&local->sta_lock);
431 511
432 local->sta_cleanup.expires = 512 local->sta_cleanup.expires =
433 round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL); 513 round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
@@ -435,37 +515,45 @@ static void sta_info_cleanup(unsigned long data)
435} 515}
436 516
437#ifdef CONFIG_MAC80211_DEBUGFS 517#ifdef CONFIG_MAC80211_DEBUGFS
438static void sta_info_debugfs_add_task(struct work_struct *work) 518static void sta_info_debugfs_add_work(struct work_struct *work)
439{ 519{
440 struct ieee80211_local *local = 520 struct ieee80211_local *local =
441 container_of(work, struct ieee80211_local, sta_debugfs_add); 521 container_of(work, struct ieee80211_local, sta_debugfs_add);
442 struct sta_info *sta, *tmp; 522 struct sta_info *sta, *tmp;
523 unsigned long flags;
443 524
444 while (1) { 525 while (1) {
445 sta = NULL; 526 sta = NULL;
446 read_lock_bh(&local->sta_lock); 527
528 spin_lock_irqsave(&local->sta_lock, flags);
447 list_for_each_entry(tmp, &local->sta_list, list) { 529 list_for_each_entry(tmp, &local->sta_list, list) {
448 if (!tmp->debugfs.dir) { 530 if (!tmp->debugfs.dir) {
449 sta = tmp; 531 sta = tmp;
450 __sta_info_get(sta); 532 __sta_info_pin(sta);
451 break; 533 break;
452 } 534 }
453 } 535 }
454 read_unlock_bh(&local->sta_lock); 536 spin_unlock_irqrestore(&local->sta_lock, flags);
455 537
456 if (!sta) 538 if (!sta)
457 break; 539 break;
458 540
459 ieee80211_sta_debugfs_add(sta); 541 ieee80211_sta_debugfs_add(sta);
460 rate_control_add_sta_debugfs(sta); 542 rate_control_add_sta_debugfs(sta);
461 sta_info_put(sta); 543
544 sta = __sta_info_unpin(sta);
545
546 if (sta) {
547 synchronize_rcu();
548 sta_info_destroy(sta);
549 }
462 } 550 }
463} 551}
464#endif 552#endif
465 553
466void sta_info_init(struct ieee80211_local *local) 554void sta_info_init(struct ieee80211_local *local)
467{ 555{
468 rwlock_init(&local->sta_lock); 556 spin_lock_init(&local->sta_lock);
469 INIT_LIST_HEAD(&local->sta_list); 557 INIT_LIST_HEAD(&local->sta_list);
470 558
471 setup_timer(&local->sta_cleanup, sta_info_cleanup, 559 setup_timer(&local->sta_cleanup, sta_info_cleanup,
@@ -474,7 +562,7 @@ void sta_info_init(struct ieee80211_local *local)
474 round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL); 562 round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
475 563
476#ifdef CONFIG_MAC80211_DEBUGFS 564#ifdef CONFIG_MAC80211_DEBUGFS
477 INIT_WORK(&local->sta_debugfs_add, sta_info_debugfs_add_task); 565 INIT_WORK(&local->sta_debugfs_add, sta_info_debugfs_add_work);
478#endif 566#endif
479} 567}
480 568
@@ -493,24 +581,29 @@ void sta_info_stop(struct ieee80211_local *local)
493/** 581/**
494 * sta_info_flush - flush matching STA entries from the STA table 582 * sta_info_flush - flush matching STA entries from the STA table
495 * @local: local interface data 583 * @local: local interface data
496 * @dev: matching rule for the net device (sta->dev) or %NULL to match all STAs 584 * @sdata: matching rule for the net device (sta->dev) or %NULL to match all STAs
497 */ 585 */
498void sta_info_flush(struct ieee80211_local *local, struct net_device *dev) 586void sta_info_flush(struct ieee80211_local *local,
587 struct ieee80211_sub_if_data *sdata)
499{ 588{
500 struct sta_info *sta, *tmp; 589 struct sta_info *sta, *tmp;
501 LIST_HEAD(tmp_list); 590 LIST_HEAD(tmp_list);
591 unsigned long flags;
502 592
503 write_lock_bh(&local->sta_lock); 593 might_sleep();
504 list_for_each_entry_safe(sta, tmp, &local->sta_list, list)
505 if (!dev || dev == sta->dev) {
506 __sta_info_get(sta);
507 sta_info_remove(sta);
508 list_add_tail(&sta->list, &tmp_list);
509 }
510 write_unlock_bh(&local->sta_lock);
511 594
512 list_for_each_entry_safe(sta, tmp, &tmp_list, list) { 595 spin_lock_irqsave(&local->sta_lock, flags);
513 sta_info_free(sta); 596 list_for_each_entry_safe(sta, tmp, &local->sta_list, list) {
514 sta_info_put(sta); 597 if (!sdata || sdata == sta->sdata) {
598 __sta_info_unlink(&sta);
599 if (sta)
600 list_add_tail(&sta->list, &tmp_list);
601 }
515 } 602 }
603 spin_unlock_irqrestore(&local->sta_lock, flags);
604
605 synchronize_rcu();
606
607 list_for_each_entry_safe(sta, tmp, &tmp_list, list)
608 sta_info_destroy(sta);
516} 609}
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index b9dfb6fa893a..787124c253af 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -12,7 +12,6 @@
12#include <linux/list.h> 12#include <linux/list.h>
13#include <linux/types.h> 13#include <linux/types.h>
14#include <linux/if_ether.h> 14#include <linux/if_ether.h>
15#include <linux/kref.h>
16#include "ieee80211_key.h" 15#include "ieee80211_key.h"
17 16
18/** 17/**
@@ -134,8 +133,14 @@ struct sta_ampdu_mlme {
134 u8 dialog_token_allocator; 133 u8 dialog_token_allocator;
135}; 134};
136 135
136
137/* see __sta_info_unlink */
138#define STA_INFO_PIN_STAT_NORMAL 0
139#define STA_INFO_PIN_STAT_PINNED 1
140#define STA_INFO_PIN_STAT_DESTROY 2
141
142
137struct sta_info { 143struct sta_info {
138 struct kref kref;
139 struct list_head list; 144 struct list_head list;
140 struct sta_info *hnext; /* next entry in hash table list */ 145 struct sta_info *hnext; /* next entry in hash table list */
141 146
@@ -166,8 +171,8 @@ struct sta_info {
166 /* last rates used to send a frame to this STA */ 171 /* last rates used to send a frame to this STA */
167 int last_txrate_idx, last_nonerp_txrate_idx; 172 int last_txrate_idx, last_nonerp_txrate_idx;
168 173
169 struct net_device *dev; /* which net device is this station associated 174 /* sub_if_data this sta belongs to */
170 * to */ 175 struct ieee80211_sub_if_data *sdata;
171 176
172 struct ieee80211_key *key; 177 struct ieee80211_key *key;
173 178
@@ -199,6 +204,12 @@ struct sta_info {
199 204
200 u16 listen_interval; 205 u16 listen_interval;
201 206
207 /*
208 * for use by the internal lifetime management,
209 * see __sta_info_unlink
210 */
211 u8 pin_status;
212
202 struct ieee80211_ht_info ht_info; /* 802.11n HT capabilities 213 struct ieee80211_ht_info ht_info; /* 802.11n HT capabilities
203 of this STA */ 214 of this STA */
204 struct sta_ampdu_mlme ampdu_mlme; 215 struct sta_ampdu_mlme ampdu_mlme;
@@ -262,25 +273,37 @@ static inline enum plink_state sta_plink_state(struct sta_info *sta)
262 */ 273 */
263#define STA_INFO_CLEANUP_INTERVAL (10 * HZ) 274#define STA_INFO_CLEANUP_INTERVAL (10 * HZ)
264 275
265static inline void __sta_info_get(struct sta_info *sta) 276/*
266{ 277 * Get a STA info, must have be under RCU read lock.
267 kref_get(&sta->kref); 278 */
268} 279struct sta_info *sta_info_get(struct ieee80211_local *local, u8 *addr);
269 280/*
270struct sta_info * sta_info_get(struct ieee80211_local *local, u8 *addr); 281 * Get STA info by index, BROKEN!
282 */
271struct sta_info *sta_info_get_by_idx(struct ieee80211_local *local, int idx, 283struct sta_info *sta_info_get_by_idx(struct ieee80211_local *local, int idx,
272 struct net_device *dev); 284 struct net_device *dev);
273void sta_info_put(struct sta_info *sta); 285/*
274struct sta_info *sta_info_add(struct ieee80211_local *local, 286 * Add a new STA info, must be under RCU read lock
275 struct net_device *dev, u8 *addr, gfp_t gfp); 287 * because otherwise the returned reference isn't
276void sta_info_remove(struct sta_info *sta); 288 * necessarily valid long enough.
277void sta_info_free(struct sta_info *sta); 289 */
278void sta_info_init(struct ieee80211_local *local); 290struct sta_info *sta_info_add(struct ieee80211_sub_if_data *sdata,
279int sta_info_start(struct ieee80211_local *local); 291 u8 *addr);
280void sta_info_stop(struct ieee80211_local *local); 292/*
281void sta_info_flush(struct ieee80211_local *local, struct net_device *dev); 293 * Unlink a STA info from the hash table/list.
294 * This can NULL the STA pointer if somebody else
295 * has already unlinked it.
296 */
297void sta_info_unlink(struct sta_info **sta);
282 298
299void sta_info_destroy(struct sta_info *sta);
283void sta_info_set_tim_bit(struct sta_info *sta); 300void sta_info_set_tim_bit(struct sta_info *sta);
284void sta_info_clear_tim_bit(struct sta_info *sta); 301void sta_info_clear_tim_bit(struct sta_info *sta);
285 302
303void sta_info_init(struct ieee80211_local *local);
304int sta_info_start(struct ieee80211_local *local);
305void sta_info_stop(struct ieee80211_local *local);
306void sta_info_flush(struct ieee80211_local *local,
307 struct ieee80211_sub_if_data *sdata);
308
286#endif /* STA_INFO_H */ 309#endif /* STA_INFO_H */
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 33e314f3aab7..80f4343a3007 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -327,10 +327,8 @@ static void purge_old_ps_buffers(struct ieee80211_local *local)
327 } 327 }
328 total += skb_queue_len(&ap->ps_bc_buf); 328 total += skb_queue_len(&ap->ps_bc_buf);
329 } 329 }
330 rcu_read_unlock();
331 330
332 read_lock_bh(&local->sta_lock); 331 list_for_each_entry_rcu(sta, &local->sta_list, list) {
333 list_for_each_entry(sta, &local->sta_list, list) {
334 skb = skb_dequeue(&sta->ps_tx_buf); 332 skb = skb_dequeue(&sta->ps_tx_buf);
335 if (skb) { 333 if (skb) {
336 purged++; 334 purged++;
@@ -338,7 +336,8 @@ static void purge_old_ps_buffers(struct ieee80211_local *local)
338 } 336 }
339 total += skb_queue_len(&sta->ps_tx_buf); 337 total += skb_queue_len(&sta->ps_tx_buf);
340 } 338 }
341 read_unlock_bh(&local->sta_lock); 339
340 rcu_read_unlock();
342 341
343 local->total_ps_buffered = total; 342 local->total_ps_buffered = total;
344 printk(KERN_DEBUG "%s: PS buffers full - purged %d frames\n", 343 printk(KERN_DEBUG "%s: PS buffers full - purged %d frames\n",
@@ -1141,20 +1140,17 @@ static int ieee80211_tx(struct net_device *dev, struct sk_buff *skb,
1141 return 0; 1140 return 0;
1142 } 1141 }
1143 1142
1143 rcu_read_lock();
1144
1144 /* initialises tx */ 1145 /* initialises tx */
1145 res_prepare = __ieee80211_tx_prepare(&tx, skb, dev, control); 1146 res_prepare = __ieee80211_tx_prepare(&tx, skb, dev, control);
1146 1147
1147 if (res_prepare == TX_DROP) { 1148 if (res_prepare == TX_DROP) {
1148 dev_kfree_skb(skb); 1149 dev_kfree_skb(skb);
1150 rcu_read_unlock();
1149 return 0; 1151 return 0;
1150 } 1152 }
1151 1153
1152 /*
1153 * key references are protected using RCU and this requires that
1154 * we are in a read-site RCU section during receive processing
1155 */
1156 rcu_read_lock();
1157
1158 sta = tx.sta; 1154 sta = tx.sta;
1159 tx.channel = local->hw.conf.channel; 1155 tx.channel = local->hw.conf.channel;
1160 1156
@@ -1167,9 +1163,6 @@ static int ieee80211_tx(struct net_device *dev, struct sk_buff *skb,
1167 1163
1168 skb = tx.skb; /* handlers are allowed to change skb */ 1164 skb = tx.skb; /* handlers are allowed to change skb */
1169 1165
1170 if (sta)
1171 sta_info_put(sta);
1172
1173 if (unlikely(res == TX_DROP)) { 1166 if (unlikely(res == TX_DROP)) {
1174 I802_DEBUG_INC(local->tx_handlers_drop); 1167 I802_DEBUG_INC(local->tx_handlers_drop);
1175 goto drop; 1168 goto drop;
@@ -1489,11 +1482,11 @@ int ieee80211_subif_start_xmit(struct sk_buff *skb,
1489 * in AP mode) 1482 * in AP mode)
1490 */ 1483 */
1491 if (!is_multicast_ether_addr(hdr.addr1)) { 1484 if (!is_multicast_ether_addr(hdr.addr1)) {
1485 rcu_read_lock();
1492 sta = sta_info_get(local, hdr.addr1); 1486 sta = sta_info_get(local, hdr.addr1);
1493 if (sta) { 1487 if (sta)
1494 sta_flags = sta->flags; 1488 sta_flags = sta->flags;
1495 sta_info_put(sta); 1489 rcu_read_unlock();
1496 }
1497 } 1490 }
1498 1491
1499 /* receiver is QoS enabled, use a QoS type frame */ 1492 /* receiver is QoS enabled, use a QoS type frame */
@@ -1722,7 +1715,6 @@ static void ieee80211_beacon_add_tim(struct ieee80211_local *local,
1722 1715
1723 /* Generate bitmap for TIM only if there are any STAs in power save 1716 /* Generate bitmap for TIM only if there are any STAs in power save
1724 * mode. */ 1717 * mode. */
1725 read_lock_bh(&local->sta_lock);
1726 if (atomic_read(&bss->num_sta_ps) > 0) 1718 if (atomic_read(&bss->num_sta_ps) > 0)
1727 /* in the hope that this is faster than 1719 /* in the hope that this is faster than
1728 * checking byte-for-byte */ 1720 * checking byte-for-byte */
@@ -1773,7 +1765,6 @@ static void ieee80211_beacon_add_tim(struct ieee80211_local *local,
1773 *pos++ = aid0; /* Bitmap control */ 1765 *pos++ = aid0; /* Bitmap control */
1774 *pos++ = 0; /* Part Virt Bitmap */ 1766 *pos++ = 0; /* Part Virt Bitmap */
1775 } 1767 }
1776 read_unlock_bh(&local->sta_lock);
1777} 1768}
1778 1769
1779struct sk_buff *ieee80211_beacon_get(struct ieee80211_hw *hw, 1770struct sk_buff *ieee80211_beacon_get(struct ieee80211_hw *hw,
@@ -1821,7 +1812,22 @@ struct sk_buff *ieee80211_beacon_get(struct ieee80211_hw *hw,
1821 ieee80211_include_sequence(sdata, 1812 ieee80211_include_sequence(sdata,
1822 (struct ieee80211_hdr *)skb->data); 1813 (struct ieee80211_hdr *)skb->data);
1823 1814
1824 ieee80211_beacon_add_tim(local, ap, skb, beacon); 1815 /*
1816 * Not very nice, but we want to allow the driver to call
1817 * ieee80211_beacon_get() as a response to the set_tim()
1818 * callback. That, however, is already invoked under the
1819 * sta_lock to guarantee consistent and race-free update
1820 * of the tim bitmap in mac80211 and the driver.
1821 */
1822 if (local->tim_in_locked_section) {
1823 ieee80211_beacon_add_tim(local, ap, skb, beacon);
1824 } else {
1825 unsigned long flags;
1826
1827 spin_lock_irqsave(&local->sta_lock, flags);
1828 ieee80211_beacon_add_tim(local, ap, skb, beacon);
1829 spin_unlock_irqrestore(&local->sta_lock, flags);
1830 }
1825 1831
1826 if (beacon->tail) 1832 if (beacon->tail)
1827 memcpy(skb_put(skb, beacon->tail_len), 1833 memcpy(skb_put(skb, beacon->tail_len),
@@ -1965,7 +1971,6 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
1965 rcu_read_unlock(); 1971 rcu_read_unlock();
1966 return NULL; 1972 return NULL;
1967 } 1973 }
1968 rcu_read_unlock();
1969 1974
1970 if (bss->dtim_count != 0) 1975 if (bss->dtim_count != 0)
1971 return NULL; /* send buffered bc/mc only after DTIM beacon */ 1976 return NULL; /* send buffered bc/mc only after DTIM beacon */
@@ -2010,8 +2015,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
2010 skb = NULL; 2015 skb = NULL;
2011 } 2016 }
2012 2017
2013 if (sta) 2018 rcu_read_unlock();
2014 sta_info_put(sta);
2015 2019
2016 return skb; 2020 return skb;
2017} 2021}
diff --git a/net/mac80211/wme.c b/net/mac80211/wme.c
index 8cc036decc82..4e94e4026e78 100644
--- a/net/mac80211/wme.c
+++ b/net/mac80211/wme.c
@@ -153,6 +153,7 @@ static int wme_qdiscop_enqueue(struct sk_buff *skb, struct Qdisc* qd)
153 153
154 if (pkt_data->flags & IEEE80211_TXPD_REQUEUE) { 154 if (pkt_data->flags & IEEE80211_TXPD_REQUEUE) {
155 queue = pkt_data->queue; 155 queue = pkt_data->queue;
156 rcu_read_lock();
156 sta = sta_info_get(local, hdr->addr1); 157 sta = sta_info_get(local, hdr->addr1);
157 tid = skb->priority & QOS_CONTROL_TAG1D_MASK; 158 tid = skb->priority & QOS_CONTROL_TAG1D_MASK;
158 if (sta) { 159 if (sta) {
@@ -164,8 +165,8 @@ static int wme_qdiscop_enqueue(struct sk_buff *skb, struct Qdisc* qd)
164 } else { 165 } else {
165 pkt_data->flags &= ~IEEE80211_TXPD_AMPDU; 166 pkt_data->flags &= ~IEEE80211_TXPD_AMPDU;
166 } 167 }
167 sta_info_put(sta);
168 } 168 }
169 rcu_read_unlock();
169 skb_queue_tail(&q->requeued[queue], skb); 170 skb_queue_tail(&q->requeued[queue], skb);
170 qd->q.qlen++; 171 qd->q.qlen++;
171 return 0; 172 return 0;
@@ -187,6 +188,8 @@ static int wme_qdiscop_enqueue(struct sk_buff *skb, struct Qdisc* qd)
187 p++; 188 p++;
188 *p = 0; 189 *p = 0;
189 190
191 rcu_read_lock();
192
190 sta = sta_info_get(local, hdr->addr1); 193 sta = sta_info_get(local, hdr->addr1);
191 if (sta) { 194 if (sta) {
192 int ampdu_queue = sta->tid_to_tx_q[tid]; 195 int ampdu_queue = sta->tid_to_tx_q[tid];
@@ -197,8 +200,9 @@ static int wme_qdiscop_enqueue(struct sk_buff *skb, struct Qdisc* qd)
197 } else { 200 } else {
198 pkt_data->flags &= ~IEEE80211_TXPD_AMPDU; 201 pkt_data->flags &= ~IEEE80211_TXPD_AMPDU;
199 } 202 }
200 sta_info_put(sta);
201 } 203 }
204
205 rcu_read_unlock();
202 } 206 }
203 207
204 if (unlikely(queue >= local->hw.queues)) { 208 if (unlikely(queue >= local->hw.queues)) {