mac80211: fix station destruction in AP/mesh modes

Unfortunately, commit b22cfcfcae5b, intended to speed up roaming
by avoiding the synchronize_rcu() broke AP/mesh modes as it moved
some code into that work item that will still call into the driver
at a time where it's no longer expected to handle this: after the
AP or mesh has been stopped.

To fix this problem remove the per-station work struct, maintain a
station cleanup list instead and flush this list when stations are
flushed. To keep this patch smaller for stable, do this when the
stations are flushed (sta_info_flush()). This unfortunately brings
back the original roaming delay; I'll fix that again in a separate
patch.

Also, Ben reported that the original commit could sometimes (with
many interfaces) cause long delays when an interface is set down,
due to blocking on flush_workqueue(). Since we now maintain the
cleanup list, this particular change of the original patch can be
reverted.

Cc: stable@vger.kernel.org [3.7]
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 16 insertions, 12 deletions

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 54fb7f9db564..0f2a9f987f79 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -868,20 +868,11 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 cancel_work_sync(&sdata->work);
                 /*
                  * When we get here, the interface is marked down.
-                 * Call rcu_barrier() to wait both for the RX path
+                 * Call synchronize_rcu() to wait for the RX path
                  * should it be using the interface and enqueuing
-                 * frames at this very time on another CPU, and
-                 * for the sta free call_rcu callbacks.
+                 * frames at this very time on another CPU.
                  */
-                rcu_barrier();
-
-                /*
-                 * free_sta_rcu() enqueues a work for the actual
-                 * sta cleanup, so we need to flush it while
-                 * sdata is still valid.
-                 */
-                flush_workqueue(local->workqueue);
-
+                synchronize_rcu();
                 skb_queue_purge(&sdata->skb_queue);
 
                 /*
@@ -1501,6 +1492,15 @@ static void ieee80211_assign_perm_addr(struct ieee80211_local *local,
         mutex_unlock(&local->iflist_mtx);
 }
 
+static void ieee80211_cleanup_sdata_stas_wk(struct work_struct *wk)
+{
+        struct ieee80211_sub_if_data *sdata;
+
+        sdata = container_of(wk, struct ieee80211_sub_if_data, cleanup_stations_wk);
+
+        ieee80211_cleanup_sdata_stas(sdata);
+}
+
 int ieee80211_if_add(struct ieee80211_local *local, const char *name,
                      struct wireless_dev **new_wdev, enum nl80211_iftype type,
                      struct vif_params *params)
@@ -1576,6 +1576,10 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
 
         INIT_LIST_HEAD(&sdata->key_list);
 
+        spin_lock_init(&sdata->cleanup_stations_lock);
+        INIT_LIST_HEAD(&sdata->cleanup_stations);
+        INIT_WORK(&sdata->cleanup_stations_wk, ieee80211_cleanup_sdata_stas_wk);
+
         for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
                 struct ieee80211_supported_band *sband;
                 sband = local->hw.wiphy->bands[i];