[PATCH] mac80211: fix AP/VLAN PS buffer race

[PATCH] mac80211: fix AP/VLAN PS buffer race

[Johannes Berg]

From: Johannes Berg <johannes.berg@intel.com>

When an AP interface is removed without the
AP/VLAN interfaces having been removed before
already, the AP-VLAN interface might still
have sleeping stations and buffer multicast
frames which will happen on the AP interface.
Thus, we need to remove AP/VLAN interfaces
before purging buffered broadcast frames.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/iface.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/net/mac80211/iface.c	2011-09-09 08:52:27.000000000 +0200
+++ b/net/mac80211/iface.c	2011-09-09 08:58:28.000000000 +0200
@@ -460,17 +460,15 @@ static void ieee80211_do_stop(struct iee
 		synchronize_rcu();
 		kfree(old_beacon);
 
-		/* free all potentially still buffered bcast frames */
-		while ((skb = skb_dequeue(&sdata->u.ap.ps_bc_buf))) {
-			local->total_ps_buffered--;
-			dev_kfree_skb(skb);
-		}
-
 		/* down all dependent devices, that is VLANs */
 		list_for_each_entry_safe(vlan, tmpsdata, &sdata->u.ap.vlans,
 					 u.vlan.list)
 			dev_close(vlan->dev);
 		WARN_ON(!list_empty(&sdata->u.ap.vlans));
+
+		/* free all potentially still buffered bcast frames */
+		local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps_bc_buf);
+		skb_queue_purge(&sdata->u.ap.ps_bc_buf);
 	}
 
 	if (going_down)

Re: [PATCH] mac80211: fix AP/VLAN PS buffer race

[Luis R. Rodriguez]

On Tue, Sep 20, 2011 at 8:40 AM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> When an AP interface is removed without the
> AP/VLAN interfaces having been removed before
> already, the AP-VLAN interface might still
> have sleeping stations and buffer multicast
> frames which will happen on the AP interface.
> Thus, we need to remove AP/VLAN interfaces
> before purging buffered broadcast frames.
>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Curious, what was happening with the inverse?

  Luis

Re: [PATCH] mac80211: fix AP/VLAN PS buffer race

[Johannes Berg]

On Tue, 2011-09-20 at 10:48 -0700, Luis R. Rodriguez wrote:
> On Tue, Sep 20, 2011 at 8:40 AM, Johannes Berg
> <johannes@sipsolutions.net> wrote:
> > From: Johannes Berg <johannes.berg@intel.com>
> >
> > When an AP interface is removed without the
> > AP/VLAN interfaces having been removed before
> > already, the AP-VLAN interface might still
> > have sleeping stations and buffer multicast
> > frames which will happen on the AP interface.
> > Thus, we need to remove AP/VLAN interfaces
> > before purging buffered broadcast frames.
> >
> > Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> 
> Curious, what was happening with the inverse?

I never ran into this -- purely by code inspection. What could've
happened is that frames are still queued for an interface that's dead,
probably just causing skb leaks.

johannes