author Johannes Berg <johannes.berg@intel.com> 2010-10-05 15:40:33 -0400
committer John W. Linville <linville@tuxdriver.com> 2010-10-06 15:58:29 -0400
commit 44271488b91c9eecf249e075a1805dd887e222d2
tree 7c0bb66a9ac50d2f583f4020847d6f7c69563b44 /net/mac80211
parent 918df629d6a558ab9eb53350493f618812239a4c
mac80211: delete AddBA response timer
We never delete the addBA response timer, which is typically fine, but if the station it belongs to is deleted very quickly after starting the BA session, before the peer had a chance to reply, the timer may fire after the station struct has been freed already. Therefore, we need to delete the timer in a suitable spot -- best when the session is being stopped (which will happen even then) in which case the delete will be a no-op most of the time.

I've reproduced the scenario and tested the fix.

This fixes the crash reported at http://mid.gmane.org/4CAB6F96.6090701@candelatech.com

Cc: stable@kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r-- net/mac80211/agg-tx.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index c893f236acea..8f23401832b7 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -175,6 +175,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
175 175
176 set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); 176 set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
177 177
178 del_timer_sync(&tid_tx->addba_resp_timer);
179
178 /* 180 /*
179 * After this packets are no longer handed right through 181 * After this packets are no longer handed right through
180 * to the driver but are put onto tid_tx->pending instead, 182 * to the driver but are put onto tid_tx->pending instead,
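Review bot: the added del_timer_sync(&tid_tx->addba_resp_timer) in ___ieee80211_stop_tx_ba_session() has no comment, and nothing at the call site says why the timer is cancelled here or in what context the call is safe. del_timer_sync() waits for a handler that is already running on another CPU to finish, so it must not be called while holding a lock that the addba_resp_timer handler takes. The hunk does not show which locks are held at this point, so please confirm that and record it in a short comment above the call, together with the reason given in the commit message (the timer can otherwise fire after the station struct has been freed). If the handler depends on seeing HT_AGG_STATE_STOPPING, the comment should also say that the call is deliberately placed after set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state).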