mac80211: fix sta_info mesh timer bug

I noticed a bug I introduced when mesh is enabled: sta_info_destroy() will end up calling cancel_timer() on a timer that has never been initialized because the timer is only initialized in mesh_plink_alloc(), not in sta_info_alloc(). This patch moves the initialization of all mesh related fields into sta_info_alloc(), adds a bit of sanity checking to the cfg80211 handlers and sta_info_insert() and makes mesh_plink_alloc() a static helper function that is only used from the mesh plink code. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: Luis Carlos Cobo <luisca@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Johannes Berg <johannes@sipsolutions.net> 2008-02-27 03:56:40 -0500
committer: John W. Linville <linville@tuxdriver.com> 2008-03-06 15:30:47 -0500
commit: 03e4497ebeaa8011eb0ab0a54496ed6413b9d1a4 (patch)
tree: 96eb34d88a56f84f06f155e1d4a0d6d34d0f7933
parent: dbbea6713d6096cd1c411cb453a6b71292c78b33 (diff)
4 files changed, 37 insertions, 42 deletions
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 6263cfc148c0..69238fa67bf2 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -17,8 +17,6 @@
 #include "ieee80211_rate.h"
 #include "mesh.h"
-#define DEFAULT_RATES 0
 static enum ieee80211_if_types
 nl80211_type_to_mac80211_type(enum nl80211_iftype type)
 {
@@ -654,10 +652,13 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
        } else
                sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        if (ieee80211_vif_is_mesh(&sdata->vif))
+        if (compare_ether_addr(mac, dev->dev_addr) == 0)
-                sta = mesh_plink_alloc(sdata, mac, DEFAULT_RATES, GFP_KERNEL);
+                return -EINVAL;
-        else
-                sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
+        if (is_multicast_ether_addr(mac))
+                return -EINVAL;
+        sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
        if (!sta)
                return -ENOMEM;
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index aee0b9eb36e3..add9b0ddda81 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -232,8 +232,6 @@ void mesh_neighbour_update(u8 *hw_addr, u64 rates, struct net_device *dev,
 bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie,
                              struct net_device *dev);
 void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);
-struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata,
-                                  u8 *hw_addr, u64 rates, gfp_t gfp);
 void mesh_plink_broken(struct sta_info *sta);
 void mesh_plink_deactivate(struct sta_info *sta);
 int mesh_plink_open(struct sta_info *sta);
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 85cb75d53c43..7f02ae8abe90 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -88,40 +88,19 @@ static inline void mesh_plink_fsm_restart(struct sta_info *sta)
        sta->llid = sta->plid = sta->reason = sta->plink_retries = 0;
 }
-/**
+static struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata,
- * mesh_plink_alloc - allocate a new mesh peer link
+                                         u8 *hw_addr, u64 rates)
- *
- * @sdata: local mesh interface
- * @hw_addr: hardware address (ETH_ALEN length)
- * @rates: rates the mesh peer supports
- *
- * The initial state of the new plink is set to LISTEN
- *
- * Returns: NULL on error.
- */
-struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata,
-                                  u8 *hw_addr, u64 rates, gfp_t gfp)
 {
        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
-        if (compare_ether_addr(hw_addr, sdata->dev->dev_addr) == 0)
-                /* never add ourselves as neighbours */
-                return NULL;
-        if (is_multicast_ether_addr(hw_addr))
-                return NULL;
        if (local->num_sta >= MESH_MAX_PLINKS)
                return NULL;
-        sta = sta_info_alloc(sdata, hw_addr, gfp);
+        sta = sta_info_alloc(sdata, hw_addr, GFP_ATOMIC);
        if (!sta)
                return NULL;
-        sta->plink_state = LISTEN;
-        spin_lock_init(&sta->plink_lock);
-        init_timer(&sta->plink_timer);
        sta->flags |= WLAN_STA_AUTHORIZED;
        sta->supp_rates[local->hw.conf.channel->band] = rates;
@@ -249,7 +228,7 @@ void mesh_neighbour_update(u8 *hw_addr, u64 rates, struct net_device *dev,
        sta = sta_info_get(local, hw_addr);
        if (!sta) {
-                sta = mesh_plink_alloc(sdata, hw_addr, rates, GFP_ATOMIC);
+                sta = mesh_plink_alloc(sdata, hw_addr, rates);
                if (!sta) {
                        rcu_read_unlock();
                        return;
@@ -518,7 +497,7 @@ void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
                }
                rates = ieee80211_sta_get_rates(local, &elems, rx_status->band);
-                sta = mesh_plink_alloc(sdata, mgmt->sa, rates, GFP_ATOMIC);
+                sta = mesh_plink_alloc(sdata, mgmt->sa, rates);
                if (!sta) {
                        mpl_dbg("Mesh plink error: plink table full\n");
                        rcu_read_unlock();
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 42414b441592..909fa38edb6c 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -31,13 +31,12 @@
 * for faster lookup and a list for iteration. They are managed using
 * RCU, i.e. access to the list and hash table is protected by RCU.
 *
- * Upon allocating a STA info structure with sta_info_alloc() or
+ * Upon allocating a STA info structure with sta_info_alloc(), the caller owns
- * mesh_plink_alloc(), the caller owns that structure. It must then either
+ * that structure. It must then either destroy it using sta_info_destroy()
- * destroy it using sta_info_destroy() (which is pretty useless) or insert
+ * (which is pretty useless) or insert it into the hash table using
- * it into the hash table using sta_info_insert() which demotes the reference
+ * sta_info_insert() which demotes the reference from ownership to a regular
- * from ownership to a regular RCU-protected reference; if the function
+ * RCU-protected reference; if the function is called without protection by an
- * is called without protection by an RCU critical section the reference
+ * RCU critical section the reference is instantly invalidated.
- * is instantly invalidated.
 *
 * Because there are debugfs entries for each station, and adding those
 * must be able to sleep, it is also possible to "pin" a station entry,
@@ -248,6 +247,12 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
               wiphy_name(local->hw.wiphy), print_mac(mbuf, sta->addr));
 #endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
+#ifdef CONFIG_MAC80211_MESH
+        sta->plink_state = LISTEN;
+        spin_lock_init(&sta->plink_lock);
+        init_timer(&sta->plink_timer);
+#endif
        return sta;
 }
@@ -258,7 +263,19 @@ int sta_info_insert(struct sta_info *sta)
        unsigned long flags;
        DECLARE_MAC_BUF(mac);
-        WARN_ON(!netif_running(sdata->dev));
+        /*
+         * Can't be a WARN_ON because it can be triggered through a race:
+         * something inserts a STA (on one CPU) without holding the RTNL
+         * and another CPU turns off the net device.
+         */
+        if (unlikely(!netif_running(sdata->dev)))
+                return -ENETDOWN;
+        if (WARN_ON(compare_ether_addr(sta->addr, sdata->dev->dev_addr) == 0))
+                return -EINVAL;
+        if (WARN_ON(is_multicast_ether_addr(sta->addr)))
+                return -EINVAL;
        spin_lock_irqsave(&local->sta_lock, flags);
        /* check if STA exists already */
author	Johannes Berg <johannes@sipsolutions.net>	2008-02-27 03:56:40 -0500
committer	John W. Linville <linville@tuxdriver.com>	2008-03-06 15:30:47 -0500
commit	03e4497ebeaa8011eb0ab0a54496ed6413b9d1a4 (patch)
tree	96eb34d88a56f84f06f155e1d4a0d6d34d0f7933
parent	dbbea6713d6096cd1c411cb453a6b71292c78b33 (diff)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 6263cfc148c0..69238fa67bf2 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c
@@ -17,8 +17,6 @@
17	#include "ieee80211_rate.h"	17	#include "ieee80211_rate.h"
18	#include "mesh.h"	18	#include "mesh.h"
19		19
20	#define DEFAULT_RATES 0
21
22	static enum ieee80211_if_types	20	static enum ieee80211_if_types
23	nl80211_type_to_mac80211_type(enum nl80211_iftype type)	21	nl80211_type_to_mac80211_type(enum nl80211_iftype type)
24	{	22	{
@@ -654,10 +652,13 @@ static int ieee80211_add_station(struct wiphy wiphy, struct net_device dev,
654	} else	652	} else
655	sdata = IEEE80211_DEV_TO_SUB_IF(dev);	653	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
656		654
657	if (ieee80211_vif_is_mesh(&sdata->vif))	655	if (compare_ether_addr(mac, dev->dev_addr) == 0)
658	sta = mesh_plink_alloc(sdata, mac, DEFAULT_RATES, GFP_KERNEL);	656	return -EINVAL;
659	else	657
660	sta = sta_info_alloc(sdata, mac, GFP_KERNEL);	658	if (is_multicast_ether_addr(mac))
		659	return -EINVAL;
		660
		661	sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
661	if (!sta)	662	if (!sta)
662	return -ENOMEM;	663	return -ENOMEM;
663		664


diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h index aee0b9eb36e3..add9b0ddda81 100644 --- a/net/mac80211/mesh.h +++ b/net/mac80211/mesh.h
@@ -232,8 +232,6 @@ void mesh_neighbour_update(u8 hw_addr, u64 rates, struct net_device dev,
232	bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie,	232	bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie,
233	struct net_device *dev);	233	struct net_device *dev);
234	void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);	234	void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);
235	struct sta_info mesh_plink_alloc(struct ieee80211_sub_if_data sdata,
236	u8 *hw_addr, u64 rates, gfp_t gfp);
237	void mesh_plink_broken(struct sta_info *sta);	235	void mesh_plink_broken(struct sta_info *sta);
238	void mesh_plink_deactivate(struct sta_info *sta);	236	void mesh_plink_deactivate(struct sta_info *sta);
239	int mesh_plink_open(struct sta_info *sta);	237	int mesh_plink_open(struct sta_info *sta);


diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c index 85cb75d53c43..7f02ae8abe90 100644 --- a/net/mac80211/mesh_plink.c +++ b/net/mac80211/mesh_plink.c
@@ -88,40 +88,19 @@ static inline void mesh_plink_fsm_restart(struct sta_info *sta)
88	sta->llid = sta->plid = sta->reason = sta->plink_retries = 0;	88	sta->llid = sta->plid = sta->reason = sta->plink_retries = 0;
89	}	89	}
90		90
91	/**	91	static struct sta_info mesh_plink_alloc(struct ieee80211_sub_if_data sdata,
92	* mesh_plink_alloc - allocate a new mesh peer link	92	u8 *hw_addr, u64 rates)
93	*
94	* @sdata: local mesh interface
95	* @hw_addr: hardware address (ETH_ALEN length)
96	* @rates: rates the mesh peer supports
97	*
98	* The initial state of the new plink is set to LISTEN
99	*
100	* Returns: NULL on error.
101	*/
102	struct sta_info mesh_plink_alloc(struct ieee80211_sub_if_data sdata,
103	u8 *hw_addr, u64 rates, gfp_t gfp)
104	{	93	{
105	struct ieee80211_local *local = sdata->local;	94	struct ieee80211_local *local = sdata->local;
106	struct sta_info *sta;	95	struct sta_info *sta;
107		96
108	if (compare_ether_addr(hw_addr, sdata->dev->dev_addr) == 0)
109	/* never add ourselves as neighbours */
110	return NULL;
111
112	if (is_multicast_ether_addr(hw_addr))
113	return NULL;
114
115	if (local->num_sta >= MESH_MAX_PLINKS)	97	if (local->num_sta >= MESH_MAX_PLINKS)
116	return NULL;	98	return NULL;
117		99
118	sta = sta_info_alloc(sdata, hw_addr, gfp);	100	sta = sta_info_alloc(sdata, hw_addr, GFP_ATOMIC);
119	if (!sta)	101	if (!sta)
120	return NULL;	102	return NULL;
121		103
122	sta->plink_state = LISTEN;
123	spin_lock_init(&sta->plink_lock);
124	init_timer(&sta->plink_timer);
125	sta->flags \|= WLAN_STA_AUTHORIZED;	104	sta->flags \|= WLAN_STA_AUTHORIZED;
126	sta->supp_rates[local->hw.conf.channel->band] = rates;	105	sta->supp_rates[local->hw.conf.channel->band] = rates;
127		106
@@ -249,7 +228,7 @@ void mesh_neighbour_update(u8 hw_addr, u64 rates, struct net_device dev,
249		228
250	sta = sta_info_get(local, hw_addr);	229	sta = sta_info_get(local, hw_addr);
251	if (!sta) {	230	if (!sta) {
252	sta = mesh_plink_alloc(sdata, hw_addr, rates, GFP_ATOMIC);	231	sta = mesh_plink_alloc(sdata, hw_addr, rates);
253	if (!sta) {	232	if (!sta) {
254	rcu_read_unlock();	233	rcu_read_unlock();
255	return;	234	return;
@@ -518,7 +497,7 @@ void mesh_rx_plink_frame(struct net_device dev, struct ieee80211_mgmt mgmt,
518	}	497	}
519		498
520	rates = ieee80211_sta_get_rates(local, &elems, rx_status->band);	499	rates = ieee80211_sta_get_rates(local, &elems, rx_status->band);
521	sta = mesh_plink_alloc(sdata, mgmt->sa, rates, GFP_ATOMIC);	500	sta = mesh_plink_alloc(sdata, mgmt->sa, rates);
522	if (!sta) {	501	if (!sta) {
523	mpl_dbg("Mesh plink error: plink table full\n");	502	mpl_dbg("Mesh plink error: plink table full\n");
524	rcu_read_unlock();	503	rcu_read_unlock();


diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 42414b441592..909fa38edb6c 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c
@@ -31,13 +31,12 @@
31	* for faster lookup and a list for iteration. They are managed using	31	* for faster lookup and a list for iteration. They are managed using
32	* RCU, i.e. access to the list and hash table is protected by RCU.	32	* RCU, i.e. access to the list and hash table is protected by RCU.
33	*	33	*
34	* Upon allocating a STA info structure with sta_info_alloc() or	34	* Upon allocating a STA info structure with sta_info_alloc(), the caller owns
35	* mesh_plink_alloc(), the caller owns that structure. It must then either	35	* that structure. It must then either destroy it using sta_info_destroy()
36	* destroy it using sta_info_destroy() (which is pretty useless) or insert	36	* (which is pretty useless) or insert it into the hash table using
37	* it into the hash table using sta_info_insert() which demotes the reference	37	* sta_info_insert() which demotes the reference from ownership to a regular
38	* from ownership to a regular RCU-protected reference; if the function	38	* RCU-protected reference; if the function is called without protection by an
39	* is called without protection by an RCU critical section the reference	39	* RCU critical section the reference is instantly invalidated.
40	* is instantly invalidated.
41	*	40	*
42	* Because there are debugfs entries for each station, and adding those	41	* Because there are debugfs entries for each station, and adding those
43	* must be able to sleep, it is also possible to "pin" a station entry,	42	* must be able to sleep, it is also possible to "pin" a station entry,
@@ -248,6 +247,12 @@ struct sta_info sta_info_alloc(struct ieee80211_sub_if_data sdata,
248	wiphy_name(local->hw.wiphy), print_mac(mbuf, sta->addr));	247	wiphy_name(local->hw.wiphy), print_mac(mbuf, sta->addr));
249	#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */	248	#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
250		249
		250	#ifdef CONFIG_MAC80211_MESH
		251	sta->plink_state = LISTEN;
		252	spin_lock_init(&sta->plink_lock);
		253	init_timer(&sta->plink_timer);
		254	#endif
		255
251	return sta;	256	return sta;
252	}	257	}
253		258
@@ -258,7 +263,19 @@ int sta_info_insert(struct sta_info *sta)
258	unsigned long flags;	263	unsigned long flags;
259	DECLARE_MAC_BUF(mac);	264	DECLARE_MAC_BUF(mac);
260		265
261	WARN_ON(!netif_running(sdata->dev));	266	/*
		267	* Can't be a WARN_ON because it can be triggered through a race:
		268	* something inserts a STA (on one CPU) without holding the RTNL
		269	* and another CPU turns off the net device.
		270	*/
		271	if (unlikely(!netif_running(sdata->dev)))
		272	return -ENETDOWN;
		273
		274	if (WARN_ON(compare_ether_addr(sta->addr, sdata->dev->dev_addr) == 0))
		275	return -EINVAL;
		276
		277	if (WARN_ON(is_multicast_ether_addr(sta->addr)))
		278	return -EINVAL;
262		279
263	spin_lock_irqsave(&local->sta_lock, flags);	280	spin_lock_irqsave(&local->sta_lock, flags);
264	/* check if STA exists already */	281	/* check if STA exists already */