From: Johannes Berg <johannes@sipsolutions.net>
To: John Linville <linville@tuxdriver.com>
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH 2/7] mac80211: fix station destruction problem
Date: Tue, 06 Apr 2010 11:18:43 +0200
Message-ID: <20100406092141.321900265@sipsolutions.net>
In-Reply-To: 20100406091841.549805267@sipsolutions.net

When a station w/o a key is destroyed, or when
a driver submits work for a station and thereby
references it again, it seems like potentially
we could reference the station structure while
it is being destroyed.

Wait for an RCU grace period to elapse before
finishing destroying the station after we have
removed the station from the driver and from
the hash table etc., even in the case where no
key is associated with the station.

Also, there's no point in deleting the plink
timer here since it'll be properly deleted just
a bit later.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
net/mac80211/sta_info.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- wireless-testing.orig/net/mac80211/sta_info.c 2010-04-06 09:07:33.000000000 +0200
+++ wireless-testing/net/mac80211/sta_info.c 2010-04-06 09:08:15.000000000 +0200
@@ -645,9 +645,6 @@ static int __must_check __sta_info_destr
* may mean it is removed from hardware which requires that
* the key->sta pointer is still valid, so flush the key todo
* list here.
- *
- * ieee80211_key_todo() will synchronize_rcu() so after this
- * nothing can reference this sta struct any more.
*/
ieee80211_key_todo();
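Review bot: the two comment lines dropped above ieee80211_key_todo() were the only place that recorded this call doing a synchronize_rcu() itself. If it still does, a station that has a key now waits for two grace periods on the destroy path: once here and once at the synchronize_rcu() added in the next hunk. That is safe, but the commit message only discusses the no-key case, so it would help to say whether the double wait for keyed stations is intended. The comment that remains could also state that the guarantee "nothing can reference this sta struct any more" is no longer provided at this point but by the later synchronize_rcu().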
@@ -679,11 +676,17 @@ static int __must_check __sta_info_destr
sdata = sta->sdata;
}
+ /*
+ * At this point, after we wait for an RCU grace period,
+ * neither mac80211 nor the driver can reference this
+ * sta struct any more except by still existing timers
+ * associated with this station that we clean up below.
+ */
+ synchronize_rcu();
+
#ifdef CONFIG_MAC80211_MESH
- if (ieee80211_vif_is_mesh(&sdata->vif)) {
+ if (ieee80211_vif_is_mesh(&sdata->vif))
mesh_accept_plinks_update(sdata);
- del_timer(&sta->plink_timer);
- }
#endif
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
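Review bot: the new comment before synchronize_rcu() says timers are the one remaining way to reach the sta struct and that they are cleaned up "below", while the same hunk removes del_timer(&sta->plink_timer) from the mesh branch. The cleanup being relied on is not visible here. Since an RCU grace period does not wait for a timer callback that is already running, the later deletion needs to be one that waits for the handler to finish (del_timer_sync() rather than del_timer()) before the structure is freed. Please name the function that does this in the comment or the commit message so the ordering can be checked. Separately, synchronize_rcu() blocks, so a short note that __sta_info_destroy() is only called from a context that may sleep would make the new call easier to review.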
Thread overview: 8+ messages
2010-04-06 9:18 [PATCH 0/7] mac80211 fixes Johannes Berg
2010-04-06 9:18 ` [PATCH 1/7] mac80211: annotate station rcu dereferences Johannes Berg
2010-04-06 9:18 ` Johannes Berg [this message]
2010-04-06 9:18 ` [PATCH 3/7] mac80211: remove irq disabling for sta lock Johannes Berg
2010-04-06 9:18 ` [PATCH 4/7] mac80211: remove ieee80211_sta_stop_rx_ba_session Johannes Berg
2010-04-06 9:18 ` [PATCH 5/7] mac80211: rename WLAN_STA_SUSPEND to WLAN_STA_BLOCK_BA Johannes Berg
2010-04-06 9:18 ` [PATCH 6/7] mac80211: clean up/fix aggregation code Johannes Berg
2010-04-06 9:18 ` [PATCH 7/7] mac80211: fix some RX aggregation locking Johannes Berg