mac80211: sync acccess to tx_filtered/ps_tx_buf queues
These are accessed without a lock when ending STA PSM. If the sta_cleanup timer accesses these lists at the same time, we might crash. This may fix some mysterious crashes we had during ieee80211_sta_ps_deliver_wakeup. Cc: stable@vger.kernel.org Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Ido Yariv <ido@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
parent
bca1e29fb5
commit
987c285c2a
@ -961,6 +961,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
|
||||
struct ieee80211_local *local = sdata->local;
|
||||
struct sk_buff_head pending;
|
||||
int filtered = 0, buffered = 0, ac;
|
||||
unsigned long flags;
|
||||
|
||||
clear_sta_flag(sta, WLAN_STA_SP);
|
||||
|
||||
@ -976,12 +977,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
|
||||
for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
|
||||
int count = skb_queue_len(&pending), tmp;
|
||||
|
||||
spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
|
||||
skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
|
||||
spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
|
||||
tmp = skb_queue_len(&pending);
|
||||
filtered += tmp - count;
|
||||
count = tmp;
|
||||
|
||||
spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
|
||||
skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
|
||||
spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
|
||||
tmp = skb_queue_len(&pending);
|
||||
buffered += tmp - count;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user