mac80211: RCU-ify STA info structure access

This makes access to the STA hash table/list use RCU to protect
against freeing of items. However, it's not a true RCU, the
copy step is missing: whenever somebody changes a STA item it
is simply updated. This is an existing race condition that is
now somewhat understandable.

This patch also fixes the race key freeing vs. STA destruction
by making sure that sta_info_destroy() is always called under
RTNL and frees the key.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index eac9c59dbc4d..df0c04cedbe4 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -240,14 +240,17 @@ void ieee80211_key_link(struct ieee80211_key *key,
                 if (sdata->vif.type == IEEE80211_IF_TYPE_STA) {
                         struct sta_info *ap;
 
+                        rcu_read_lock();
+
                         /* same here, the AP could be using QoS */
                         ap = sta_info_get(key->local, key->sdata->u.sta.bssid);
                         if (ap) {
                                 if (ap->flags & WLAN_STA_WME)
                                         key->conf.flags |=
                                                 IEEE80211_KEY_FLAG_WMM_STA;
-                                sta_info_put(ap);
                         }
+
+                        rcu_read_unlock();
                 }
         }
 
@@ -290,6 +293,9 @@ void ieee80211_key_free(struct ieee80211_key *key)
                         __ieee80211_key_replace(key->sdata, key->sta,
                                                 key, NULL);
 
+                /*
+                 * Do NOT remove this without looking at sta_info_destroy()
+                 */
                 synchronize_rcu();
 
                 /*