mac80211: fix race condition caused by late addBA response

If addBA responses comes in just after addba_resp_timer has expired mac80211 will still accept it and try to open the aggregation session. This causes drivers to be confused and in some cases even crash. This patch fixes the race condition and makes sure that if addba_resp_timer has expired addBA response is not longer accepted and we do not try to open half-closed session. Cc: stable@vger.kernel.org Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> [some adjustments] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Nikolay Martynov <mar.kolya@gmail.com> 2011-11-28 03:18:00 -0500
committer: John W. Linville <linville@tuxdriver.com> 2011-11-28 13:46:41 -0500
commit: d305a6557b2c4dca0110f05ffe745b1ef94adb80 (patch)
tree: 5b4f95d4c8f2535d5971aaff0cde15a96695a1f1 /net
parent: a73228124bed4022d4d4c5663d9679ba2fb99c6c (diff)
1 files changed, 17 insertions, 1 deletions
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 674b345ade81..eea6e5c8d168 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -762,11 +762,27 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
                goto out;
        }
-        del_timer(&tid_tx->addba_resp_timer);
+        del_timer_sync(&tid_tx->addba_resp_timer);
 #ifdef CONFIG_MAC80211_HT_DEBUG
        printk(KERN_DEBUG "switched off addBA timer for tid %d\n", tid);
 #endif
+        /*
+         * addba_resp_timer may have fired before we got here, and
+         * caused WANT_STOP to be set. If the stop then was already
+         * processed further, STOPPING might be set.
+         */
+        if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) ||
+            test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
+#ifdef CONFIG_MAC80211_HT_DEBUG
+                printk(KERN_DEBUG
+                       "got addBA resp for tid %d but we already gave up\n",
+                       tid);
+#endif
+                goto out;
+        }
        /*
         * IEEE 802.11-2007 7.3.1.14:
         * In an ADDBA Response frame, when the Status Code field
author	Nikolay Martynov <mar.kolya@gmail.com>	2011-11-28 03:18:00 -0500
committer	John W. Linville <linville@tuxdriver.com>	2011-11-28 13:46:41 -0500
commit	d305a6557b2c4dca0110f05ffe745b1ef94adb80 (patch)
tree	5b4f95d4c8f2535d5971aaff0cde15a96695a1f1 /net
parent	a73228124bed4022d4d4c5663d9679ba2fb99c6c (diff)

diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index 674b345ade81..eea6e5c8d168 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c
@@ -762,11 +762,27 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
762	goto out;	762	goto out;
763	}	763	}
764		764
765	del_timer(&tid_tx->addba_resp_timer);	765	del_timer_sync(&tid_tx->addba_resp_timer);
766		766
767	#ifdef CONFIG_MAC80211_HT_DEBUG	767	#ifdef CONFIG_MAC80211_HT_DEBUG
768	printk(KERN_DEBUG "switched off addBA timer for tid %d\n", tid);	768	printk(KERN_DEBUG "switched off addBA timer for tid %d\n", tid);
769	#endif	769	#endif
		770
		771	/*
		772	* addba_resp_timer may have fired before we got here, and
		773	* caused WANT_STOP to be set. If the stop then was already
		774	* processed further, STOPPING might be set.
		775	*/
		776	if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) \|\|
		777	test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
		778	#ifdef CONFIG_MAC80211_HT_DEBUG
		779	printk(KERN_DEBUG
		780	"got addBA resp for tid %d but we already gave up\n",
		781	tid);
		782	#endif
		783	goto out;
		784	}
		785
770	/*	786	/*
771	* IEEE 802.11-2007 7.3.1.14:	787	* IEEE 802.11-2007 7.3.1.14:
772	* In an ADDBA Response frame, when the Status Code field	788	* In an ADDBA Response frame, when the Status Code field