From: Stefano Brivio <stefano.brivio@polimi.it>
To: Johannes Berg <johannes@sipsolutions.net>,
Michael Wu <flamingice@sourmilk.net>, Jiri Benc <jbenc@suse.cz>
Cc: linux-wireless@vger.kernel.org
Subject: [RFC PATCH 7/7] mac80211: fix sta_info locking
Date: Sun, 23 Dec 2007 05:08:44 +0100
Message-ID: <20071223050844.4e6b8c13@morte>
In-Reply-To: <20071223033633.710907923@polimi.it>

While tinkering with a sta_info refcounting bug in the rc80211-pid algorithm, I
discovered that calling sta_info_get() and then sta_info_put() right after
would cause a kernel panic on my uniprocessor, preemptible kernel. I
couldn't set up netconsole; however, most of the trace is reported below
(my camera did its best, as the trace wouldn't fit on the screen and I
couldn't scroll, so I wasn't able to see the first part with the naked eye :).

EIP at delay_tsc+0x22/0x50
[couldn't read the EBX and such, but I guess you won't care]
panic+0xf9/0x100
die+0x1e0/0x1f0
do_page_fault+0x357/0x640
autoremove_wake_function+0x1b/0x50
__wake_up_common+0x3e/0x70
do_page_fault+0x0/0x640
error_code+0x6a/0x70
sta_info_get+0x3a/0x60 [mac80211]
__ieee80211_rx+0x290/0x1830 [mac80211]
skb_queue_tail+0x3b/0x70
ieee80211_rx_irqsafe+0x30/0x80 [mac80211]
ssb_pci_write32+0x22/0x70 [ssb]
ieee80211_tasklet_handler+0xaf/0xe0 [mac80211]
hrtimer_run_queues+0xf6/0x1a0
process_timeout+0x0/0x10
tasklet_action+0x27/0x60
__do_softirq+0x54/0xb0
do_softirq+0x7b/0xe0
handle_level_irq+0x0/0x110
irq_exit+0x30/0x40
do_IRQ+0x83/0xd0
common_interrupt+0x23/0x20
[...]

So I guessed that locking was lacking somewhere. The following patch fixes
the issue for me, but I'm not sure at all that it's the right fix. Thanks.

NOT-Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it>
---
Index: wireless-2.6/net/mac80211/sta_info.c
===================================================================
--- wireless-2.6.orig/net/mac80211/sta_info.c
+++ wireless-2.6/net/mac80211/sta_info.c
@@ -105,6 +105,7 @@ static void sta_info_release(struct kref
struct ieee80211_local *local = sta->local;
struct sk_buff *skb;
+ write_lock_bh(&local->sta_lock);
/* free sta structure; it has already been removed from
* hash table etc. external structures. Make sure that all
* buffered frames are release (one might have been added
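Review bot: The write_lock_bh(&local->sta_lock) added at the top of sta_info_release() makes the kref release path take a non-recursive lock, so any caller that drops the last reference through sta_info_put() while already holding sta_lock would deadlock; those callers need auditing before this goes in. The existing comment just below states that the sta has already been removed from the hash table and other external structures at this point, so it is also unclear what the lock guards here; please add a comment naming the data it protects, or take the lock where the entry is looked up and unlinked instead.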
@@ -118,6 +119,8 @@ static void sta_info_release(struct kref
}
rate_control_free_sta(sta->rate_ctrl, sta->rate_ctrl_priv);
rate_control_put(sta->rate_ctrl);
+ write_unlock_bh(&local->sta_lock);
+
kfree(sta);
}
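Review bot: The write_unlock_bh() sits after rate_control_free_sta() and rate_control_put(), so both rate-control calls now run under a write lock with bottom halves disabled and must not sleep, while kfree(sta) still runs outside the lock. If the panic in the trace comes from sta_info_get() touching a sta that is being freed, this placement does not cover the free itself; consider narrowing the locked region to the accesses that actually race and stating in the commit message which race the lock closes.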
--
Ciao
Stefano