mac80211: fix some RX aggregation locking

A few places in mac80211 do not currently acquire the sta lock for RX aggregation, but they should. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Johannes Berg <johannes@sipsolutions.net> 2010-04-06 05:18:48 -0400
committer: John W. Linville <linville@tuxdriver.com> 2010-04-07 14:38:06 -0400
commit: 54297e4d60b74e602138594c131097347d128b5a (patch)
tree: 5985dc4483e001b1029e3ca9355a80f2180f7832 /net
parent: 098a607091426e79178b9a6c318d993fea131791 (diff)
1 files changed, 15 insertions, 4 deletions
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 62053fa711f3..f42d5060a7bb 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -720,14 +720,16 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
        tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
+        spin_lock(&sta->lock);
        if (!sta->ampdu_mlme.tid_active_rx[tid])
-                goto dont_reorder;
+                goto dont_reorder_unlock;
        tid_agg_rx = sta->ampdu_mlme.tid_rx[tid];
        /* qos null data frames are excluded */
        if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
-                goto dont_reorder;
+                goto dont_reorder_unlock;
        /* new, potentially un-ordered, ampdu frame - process it */
@@ -739,15 +741,20 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
        /* if this mpdu is fragmented - terminate rx aggregation session */
        sc = le16_to_cpu(hdr->seq_ctrl);
        if (sc & IEEE80211_SCTL_FRAG) {
+                spin_unlock(&sta->lock);
                __ieee80211_stop_rx_ba_session(sta, tid, WLAN_BACK_RECIPIENT,
                                               WLAN_REASON_QSTA_REQUIRE_SETUP);
                dev_kfree_skb(skb);
                return;
        }
-        if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames))
+        if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames)) {
+                spin_unlock(&sta->lock);
                return;
+        }
+ dont_reorder_unlock:
+        spin_unlock(&sta->lock);
 dont_reorder:
        __skb_queue_tail(frames, skb);
 }
@@ -1804,9 +1811,12 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
        if (ieee80211_is_back_req(bar->frame_control)) {
                if (!rx->sta)
                        return RX_DROP_MONITOR;
+                spin_lock(&rx->sta->lock);
                tid = le16_to_cpu(bar->control) >> 12;
-                if (!rx->sta->ampdu_mlme.tid_active_rx[tid])
+                if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
+                        spin_unlock(&rx->sta->lock);
                        return RX_DROP_MONITOR;
+                }
                tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
                start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
@@ -1820,6 +1830,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num,
                                                 frames);
                kfree_skb(skb);
+                spin_unlock(&rx->sta->lock);
                return RX_QUEUED;
        }
author	Johannes Berg <johannes@sipsolutions.net>	2010-04-06 05:18:48 -0400
committer	John W. Linville <linville@tuxdriver.com>	2010-04-07 14:38:06 -0400
commit	54297e4d60b74e602138594c131097347d128b5a (patch)
tree	5985dc4483e001b1029e3ca9355a80f2180f7832 /net
parent	098a607091426e79178b9a6c318d993fea131791 (diff)