5 files changed, 51 insertions, 23 deletions

diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 9e5762ad307d..a24e59816b93 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -381,6 +381,14 @@ static void ieee80211_agg_splice_packets(struct ieee80211_local *local,
                 &local->hw, queue,
                 IEEE80211_QUEUE_STOP_REASON_AGGREGATION);
 
+        if (!(sta->ampdu_mlme.tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK))
+                return;
+
+        if (WARN(!sta->ampdu_mlme.tid_tx[tid],
+                 "TID %d gone but expected when splicing aggregates from"
+                 "the pending queue\n", tid))
+                return;
+
         if (!skb_queue_empty(&sta->ampdu_mlme.tid_tx[tid]->pending)) {
                 spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
                 /* mark queue as pending, it is stopped already */
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index ce267565e180..659a42d529e3 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -67,6 +67,8 @@ static DECLARE_WORK(todo_work, key_todo);
  *
  * @key: key to add to do item for
  * @flag: todo flag(s)
+ *
+ * Must be called with IRQs or softirqs disabled.
  */
 static void add_todo(struct ieee80211_key *key, u32 flag)
 {
@@ -140,9 +142,9 @@ static void ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
         ret = drv_set_key(key->local, SET_KEY, &sdata->vif, sta, &key->conf);
 
         if (!ret) {
-                spin_lock(&todo_lock);
+                spin_lock_bh(&todo_lock);
                 key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
-                spin_unlock(&todo_lock);
+                spin_unlock_bh(&todo_lock);
         }
 
         if (ret && ret != -ENOSPC && ret != -EOPNOTSUPP)
@@ -164,12 +166,12 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key)
         if (!key || !key->local->ops->set_key)
                 return;
 
-        spin_lock(&todo_lock);
+        spin_lock_bh(&todo_lock);
         if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)) {
-                spin_unlock(&todo_lock);
+                spin_unlock_bh(&todo_lock);
                 return;
         }
-        spin_unlock(&todo_lock);
+        spin_unlock_bh(&todo_lock);
 
         sta = get_sta_for_key(key);
         sdata = key->sdata;
@@ -188,9 +190,9 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key)
                        wiphy_name(key->local->hw.wiphy),
                        key->conf.keyidx, sta ? sta->addr : bcast_addr, ret);
 
-        spin_lock(&todo_lock);
+        spin_lock_bh(&todo_lock);
         key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE;
-        spin_unlock(&todo_lock);
+        spin_unlock_bh(&todo_lock);
 }
 
 static void __ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata,
@@ -437,14 +439,14 @@ void ieee80211_key_link(struct ieee80211_key *key,
 
         __ieee80211_key_replace(sdata, sta, old_key, key);
 
-        spin_unlock_irqrestore(&sdata->local->key_lock, flags);
-
         /* free old key later */
         add_todo(old_key, KEY_FLAG_TODO_DELETE);
 
         add_todo(key, KEY_FLAG_TODO_ADD_DEBUGFS);
         if (netif_running(sdata->dev))
                 add_todo(key, KEY_FLAG_TODO_HWACCEL_ADD);
+
+        spin_unlock_irqrestore(&sdata->local->key_lock, flags);
 }
 
 static void __ieee80211_key_free(struct ieee80211_key *key)
@@ -547,7 +549,7 @@ static void __ieee80211_key_todo(void)
          */
         synchronize_rcu();
 
-        spin_lock(&todo_lock);
+        spin_lock_bh(&todo_lock);
         while (!list_empty(&todo_list)) {
                 key = list_first_entry(&todo_list, struct ieee80211_key, todo);
                 list_del_init(&key->todo);
@@ -558,7 +560,7 @@ static void __ieee80211_key_todo(void)
                                           KEY_FLAG_TODO_HWACCEL_REMOVE |
                                           KEY_FLAG_TODO_DELETE);
                 key->flags &= ~todoflags;
-                spin_unlock(&todo_lock);
+                spin_unlock_bh(&todo_lock);
 
                 work_done = false;
 
@@ -591,9 +593,9 @@ static void __ieee80211_key_todo(void)
 
                 WARN_ON(!work_done);
 
-                spin_lock(&todo_lock);
+                spin_lock_bh(&todo_lock);
         }
-        spin_unlock(&todo_lock);
+        spin_unlock_bh(&todo_lock);
 }
 
 void ieee80211_key_todo(void)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index aca22b00b6a3..07e7e41816be 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -721,7 +721,7 @@ void ieee80211_dynamic_ps_timer(unsigned long data)
 {
         struct ieee80211_local *local = (void *) data;
 
-        if (local->quiescing)
+        if (local->quiescing || local->suspended)
                 return;
 
         queue_work(local->hw.workqueue, &local->dynamic_ps_enable_work);
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index 7a549f9deb96..5e3d476972f9 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -55,15 +55,6 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
 
         rcu_read_unlock();
 
-        /* flush again, in case driver queued work */
-        flush_workqueue(local->hw.workqueue);
-
-        /* stop hardware - this must stop RX */
-        if (local->open_count) {
-                ieee80211_led_radio(local, false);
-                drv_stop(local);
-        }
-
         /* remove STAs */
         spin_lock_irqsave(&local->sta_lock, flags);
         list_for_each_entry(sta, &local->sta_list, list) {
@@ -111,7 +102,22 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
                 drv_remove_interface(local, &conf);
         }
 
+        /* stop hardware - this must stop RX */
+        if (local->open_count) {
+                ieee80211_led_radio(local, false);
+                drv_stop(local);
+        }
+
+        /*
+         * flush again, in case driver queued work -- it
+         * shouldn't be doing (or cancel everything in the
+         * stop callback) that but better safe than sorry.
+         */
+        flush_workqueue(local->hw.workqueue);
+
         local->suspended = true;
+        /* need suspended to be visible before quiescing is false */
+        barrier();
         local->quiescing = false;
 
         return 0;
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index de5bba7f910a..0936fc24942d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2453,6 +2453,18 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
                 return;
         }
 
+        /*
+         * If we're suspending, it is possible although not too likely
+         * that we'd be receiving frames after having already partially
+         * quiesced the stack. We can't process such frames then since
+         * that might, for example, cause stations to be added or other
+         * driver callbacks be invoked.
+         */
+        if (unlikely(local->quiescing || local->suspended)) {
+                kfree_skb(skb);
+                return;
+        }
+
         if (status->flag & RX_FLAG_HT) {
                 /* rate_idx is MCS index */
                 if (WARN_ON(status->rate_idx < 0 ||