diff options
| author | Johannes Berg <johannes@sipsolutions.net> | 2010-04-06 05:18:43 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2010-04-07 14:38:00 -0400 |
| commit | e64b379574d6c92c15b4239ee0a5173317176547 (patch) | |
| tree | f0fff7261109f18c8063f7aa38736df685fa3713 /net/mac80211 | |
| parent | 1c3652a5732879263aeebe606ca7af9e66fe0b2f (diff) | |
mac80211: fix station destruction problem
When a station w/o a key is destroyed, or when
a driver submits work for a station and thereby
references it again, it seems like potentially
we could reference the station structure while
it is being destroyed.
Wait for an RCU grace period to elapse before
finishing destroying the station after we have
removed the station from the driver and from
the hash table etc., even in the case where no
key is associated with the station.
Also, there's no point in deleting the plink
timer here since it'll be properly deleted just
a bit later.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
| -rw-r--r-- | net/mac80211/sta_info.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 211c475f73c6..bd11753c1525 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c | |||
| @@ -632,9 +632,6 @@ static int __must_check __sta_info_destroy(struct sta_info *sta) | |||
| 632 | * may mean it is removed from hardware which requires that | 632 | * may mean it is removed from hardware which requires that |
| 633 | * the key->sta pointer is still valid, so flush the key todo | 633 | * the key->sta pointer is still valid, so flush the key todo |
| 634 | * list here. | 634 | * list here. |
| 635 | * | ||
| 636 | * ieee80211_key_todo() will synchronize_rcu() so after this | ||
| 637 | * nothing can reference this sta struct any more. | ||
| 638 | */ | 635 | */ |
| 639 | ieee80211_key_todo(); | 636 | ieee80211_key_todo(); |
| 640 | 637 | ||
| @@ -666,11 +663,17 @@ static int __must_check __sta_info_destroy(struct sta_info *sta) | |||
| 666 | sdata = sta->sdata; | 663 | sdata = sta->sdata; |
| 667 | } | 664 | } |
| 668 | 665 | ||
| 666 | /* | ||
| 667 | * At this point, after we wait for an RCU grace period, | ||
| 668 | * neither mac80211 nor the driver can reference this | ||
| 669 | * sta struct any more except by still existing timers | ||
| 670 | * associated with this station that we clean up below. | ||
| 671 | */ | ||
| 672 | synchronize_rcu(); | ||
| 673 | |||
| 669 | #ifdef CONFIG_MAC80211_MESH | 674 | #ifdef CONFIG_MAC80211_MESH |
| 670 | if (ieee80211_vif_is_mesh(&sdata->vif)) { | 675 | if (ieee80211_vif_is_mesh(&sdata->vif)) |
| 671 | mesh_accept_plinks_update(sdata); | 676 | mesh_accept_plinks_update(sdata); |
| 672 | del_timer(&sta->plink_timer); | ||
| 673 | } | ||
| 674 | #endif | 677 | #endif |
| 675 | 678 | ||
| 676 | #ifdef CONFIG_MAC80211_VERBOSE_DEBUG | 679 | #ifdef CONFIG_MAC80211_VERBOSE_DEBUG |