mac80211: fix station destruction problem
When a station w/o a key is destroyed, or when a driver submits work for a station and thereby references it again, it seems like potentially we could reference the station structure while it is being destroyed. Wait for an RCU grace period to elapse before finishing destroying the station after we have removed the station from the driver and from the hash table etc., even in the case where no key is associated with the station. Also, there's no point in deleting the plink timer here since it'll be properly deleted just a bit later. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
1c3652a573
commit
e64b379574
1 changed files with 9 additions and 6 deletions
|
@ -632,9 +632,6 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
|
|||
* may mean it is removed from hardware which requires that
|
||||
* the key->sta pointer is still valid, so flush the key todo
|
||||
* list here.
|
||||
*
|
||||
* ieee80211_key_todo() will synchronize_rcu() so after this
|
||||
* nothing can reference this sta struct any more.
|
||||
*/
|
||||
ieee80211_key_todo();
|
||||
|
||||
|
@ -666,11 +663,17 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
|
|||
sdata = sta->sdata;
|
||||
}
|
||||
|
||||
/*
|
||||
* At this point, after we wait for an RCU grace period,
|
||||
* neither mac80211 nor the driver can reference this
|
||||
* sta struct any more except by still existing timers
|
||||
* associated with this station that we clean up below.
|
||||
*/
|
||||
synchronize_rcu();
|
||||
|
||||
#ifdef CONFIG_MAC80211_MESH
|
||||
if (ieee80211_vif_is_mesh(&sdata->vif)) {
|
||||
if (ieee80211_vif_is_mesh(&sdata->vif))
|
||||
mesh_accept_plinks_update(sdata);
|
||||
del_timer(&sta->plink_timer);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
|
||||
|
|
Loading…
Reference in a new issue