mac80211: fix sta_info mesh timer bug

I noticed a bug I introduced when mesh is enabled: sta_info_destroy()
will end up calling cancel_timer() on a timer that has never been
initialized because the timer is only initialized in mesh_plink_alloc(),
not in sta_info_alloc(). This patch moves the initialization of all mesh
related fields into sta_info_alloc(), adds a bit of sanity checking to
the cfg80211 handlers and sta_info_insert() and makes mesh_plink_alloc()
a static helper function that is only used from the mesh plink code.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: Luis Carlos Cobo <luisca@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 25 insertions, 8 deletions

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 42414b441592..909fa38edb6c 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -31,13 +31,12 @@
  * for faster lookup and a list for iteration. They are managed using
  * RCU, i.e. access to the list and hash table is protected by RCU.
  *
- * Upon allocating a STA info structure with sta_info_alloc() or
- * mesh_plink_alloc(), the caller owns that structure. It must then either
- * destroy it using sta_info_destroy() (which is pretty useless) or insert
- * it into the hash table using sta_info_insert() which demotes the reference
- * from ownership to a regular RCU-protected reference; if the function
- * is called without protection by an RCU critical section the reference
- * is instantly invalidated.
+ * Upon allocating a STA info structure with sta_info_alloc(), the caller owns
+ * that structure. It must then either destroy it using sta_info_destroy()
+ * (which is pretty useless) or insert it into the hash table using
+ * sta_info_insert() which demotes the reference from ownership to a regular
+ * RCU-protected reference; if the function is called without protection by an
+ * RCU critical section the reference is instantly invalidated.
  *
  * Because there are debugfs entries for each station, and adding those
  * must be able to sleep, it is also possible to "pin" a station entry,
@@ -248,6 +247,12 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
                wiphy_name(local->hw.wiphy), print_mac(mbuf, sta->addr));
 #endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
 
+#ifdef CONFIG_MAC80211_MESH
+        sta->plink_state = LISTEN;
+        spin_lock_init(&sta->plink_lock);
+        init_timer(&sta->plink_timer);
+#endif
+
         return sta;
 }
 
@@ -258,7 +263,19 @@ int sta_info_insert(struct sta_info *sta)
         unsigned long flags;
         DECLARE_MAC_BUF(mac);
 
-        WARN_ON(!netif_running(sdata->dev));
+        /*
+         * Can't be a WARN_ON because it can be triggered through a race:
+         * something inserts a STA (on one CPU) without holding the RTNL
+         * and another CPU turns off the net device.
+         */
+        if (unlikely(!netif_running(sdata->dev)))
+                return -ENETDOWN;
+
+        if (WARN_ON(compare_ether_addr(sta->addr, sdata->dev->dev_addr) == 0))
+                return -EINVAL;
+
+        if (WARN_ON(is_multicast_ether_addr(sta->addr)))
+                return -EINVAL;
 
         spin_lock_irqsave(&local->sta_lock, flags);
         /* check if STA exists already */