aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2015-04-01 14:19:22 -0400
committerDavid S. Miller <davem@davemloft.net>2015-04-01 14:19:22 -0400
commitaf3e09e666428f9493e0dd309e0f2ac8480cde8a (patch)
tree8322bc0a03372a87f47630f78be8a63de7b791aa /net
parent9c026424dbdb89e2cef9962562cbfd576b293d29 (diff)
parent788211d81bfdf9b6a547d0530f206ba6ee76b107 (diff)
Merge tag 'mac80211-for-davem-2015-04-01' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
Johannes Berg says: ==================== This contains just a single fix for a crash I happened to randomly run into today during testing. It's clearly been around for a while, but is pretty hard to trigger, even when I tried explicitly (and modified the code to make it more likely) it rarely did. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/mac80211/agg-rx.c8
-rw-r--r--net/mac80211/rx.c7
-rw-r--r--net/mac80211/sta_info.h2
3 files changed, 12 insertions, 5 deletions
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index a48bad468880..7702978a4c99 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -49,8 +49,6 @@ static void ieee80211_free_tid_rx(struct rcu_head *h)
49 container_of(h, struct tid_ampdu_rx, rcu_head); 49 container_of(h, struct tid_ampdu_rx, rcu_head);
50 int i; 50 int i;
51 51
52 del_timer_sync(&tid_rx->reorder_timer);
53
54 for (i = 0; i < tid_rx->buf_size; i++) 52 for (i = 0; i < tid_rx->buf_size; i++)
55 __skb_queue_purge(&tid_rx->reorder_buf[i]); 53 __skb_queue_purge(&tid_rx->reorder_buf[i]);
56 kfree(tid_rx->reorder_buf); 54 kfree(tid_rx->reorder_buf);
@@ -93,6 +91,12 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
93 91
94 del_timer_sync(&tid_rx->session_timer); 92 del_timer_sync(&tid_rx->session_timer);
95 93
94 /* make sure ieee80211_sta_reorder_release() doesn't re-arm the timer */
95 spin_lock_bh(&tid_rx->reorder_lock);
96 tid_rx->removed = true;
97 spin_unlock_bh(&tid_rx->reorder_lock);
98 del_timer_sync(&tid_rx->reorder_timer);
99
96 call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx); 100 call_rcu(&tid_rx->rcu_head, ieee80211_free_tid_rx);
97} 101}
98 102
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 944bdc04e913..1eb730bf8752 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -873,9 +873,10 @@ static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
873 873
874 set_release_timer: 874 set_release_timer:
875 875
876 mod_timer(&tid_agg_rx->reorder_timer, 876 if (!tid_agg_rx->removed)
877 tid_agg_rx->reorder_time[j] + 1 + 877 mod_timer(&tid_agg_rx->reorder_timer,
878 HT_RX_REORDER_BUF_TIMEOUT); 878 tid_agg_rx->reorder_time[j] + 1 +
879 HT_RX_REORDER_BUF_TIMEOUT);
879 } else { 880 } else {
880 del_timer(&tid_agg_rx->reorder_timer); 881 del_timer(&tid_agg_rx->reorder_timer);
881 } 882 }
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 925e68fe64c7..fb0fc1302a58 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -175,6 +175,7 @@ struct tid_ampdu_tx {
175 * @reorder_lock: serializes access to reorder buffer, see below. 175 * @reorder_lock: serializes access to reorder buffer, see below.
176 * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and 176 * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and
177 * and ssn. 177 * and ssn.
178 * @removed: this session is removed (but might have been found due to RCU)
178 * 179 *
179 * This structure's lifetime is managed by RCU, assignments to 180 * This structure's lifetime is managed by RCU, assignments to
180 * the array holding it must hold the aggregation mutex. 181 * the array holding it must hold the aggregation mutex.
@@ -199,6 +200,7 @@ struct tid_ampdu_rx {
199 u16 timeout; 200 u16 timeout;
200 u8 dialog_token; 201 u8 dialog_token;
201 bool auto_seq; 202 bool auto_seq;
203 bool removed;
202}; 204};
203 205
204/** 206/**
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-16 12:56:42 -0500